[Ralf Gesellensetter] > Any new insights for the LDAP side? Yes. I believe it would be enough to set the shadowLastChange attribute to zero (0) to get this behaviour. Suspect something similar could be set in Kerberos to get the same effect. See the updates on <URL: http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html > for more info. Happy hacking, -- Petter Reinholdtsen