On 05/03/2020 at 18:55, Dieter Klünter wrote:
> On Thu, 5 Mar 2020 18:15:41 +0100
> Clément OUDOT <clement.ou...@worteks.com> wrote:
>
>> On 05/03/2020 at 10:10, Dieter Klünter wrote:
>>> On Wed, 04 Mar 2020 13:36:08 +0000
>>> Manuela Mandache <manuela.manda...@protonmail.com> wrote:
>>>
>>>> Hello all,
>>>>
>>>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>>>> overlay on the main database. When a new entry with a userPassword
>>>> defined is created, pwdChangedTime is not defined, so this initial
>>>> userPassword never expires.
>>>>
>>>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>>>> (yes, we missed some steps...), and there the pwdChangedTime is
>>>> set, and naturally equal to createTimestamp.
>>>>
>>>> The overlay is configured as follows:
>>>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>>>> objectClass: olcOverlayConfig
>>>> objectClass: olcPPolicyConfig
>>>> olcOverlay: {2}ppolicy
>>>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>>>> olcPPolicyHashCleartext: TRUE
>>>> olcPPolicyUseLockout: TRUE
>>>>
>>>> Is there a parameter I missed which would switch on setting
>>>> pwdChangedTime at entry creation? Do I have to provide some other
>>>> configuration elements?
>>>>
>>>> Or is it unreasonable to expect this initialisation of the
>>>> attribute this way, and only a password change can set it? I think
>>>> the setting at creation is rather handy... Using pwdMustChange
>>>> would be difficult, we have a lot of client apps which would be
>>>> forced to check and probably adapt their authentication
>>>> procedures.
>>> [...]
>>> The password attribute value must be set by a password modify
>>> extended operation in order to set password policy in effect, see man
>>> slapo-ppolicy(5)
>>
>> Are you sure? The password modify extended operation is required for
>> smbk5pwd overlay, but not for ppolicy overlay?
>
> From ldappasswd(1)
> ldappasswd
> uses the LDAPv3 Password Modify (RFC 3062) extended operation.

Agreed, but the question was related to the ppolicy overlay, not the ldappasswd command. When you create an entry, you do it with a standard ADD operation. If there is a password in the entry, the ppolicy overlay will do its job and create the pwdChangedTime attribute.

-- 
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
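To check the behaviour described in this reply on a test server, here is an added example (it is not part of the thread and not OpenLDAP project code): a POSIX shell script that adds an entry carrying a cleartext userPassword with a plain ADD, no Password Modify extended operation involved, then reads back createTimestamp and pwdChangedTime and compares them. The LDAP URI, bind DN, bind-password file and the ou=people container are assumptions; the policy DN is the one quoted in the olcPPolicyDefault line above. Because pwdChangedTime and createTimestamp are operational attributes, ldapsearch only returns them when they are named in the attribute list or requested with `+`, which is a common reason for believing the attribute was never set; the probe therefore asks for them by name.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenLDAP project code): probe
# whether slapo-ppolicy stamps pwdChangedTime on a plain ADD operation.
# Assumed placeholders (not from the page): LDAPURI, BINDDN, BINDPW_FILE
# and the ou=people container. POLICY_DN is the olcPPolicyDefault value
# quoted in the thread.
: "${LDAPURI:=ldap://localhost}"
: "${BINDDN:=cn=admin,dc=example,dc=com}"
: "${BINDPW_FILE:=/path/to/bind-password-file}"   # read with -y, keeps the password off the command line
POLICY_DN="ou=ppolicy,dc=example,dc=com"
PROBE_DN="uid=ppolicy-probe,ou=people,dc=example,dc=com"

# LDIF for the probe entry. It carries a cleartext userPassword, which
# olcPPolicyHashCleartext: TRUE hashes on the server side during the ADD.
probe_ldif() {
  cat <<EOF
dn: $PROBE_DN
objectClass: inetOrgPerson
cn: ppolicy probe
sn: probe
uid: ppolicy-probe
userPassword: Probe-Passw0rd-constructed
EOF
}

# Read back the two timestamps. Both are operational attributes, so they
# must be requested by name (or with '+'); a search that omits them never
# shows pwdChangedTime even when the overlay did set it.
read_stamps() {
  ldapsearch -x -LLL -H "$LDAPURI" -D "$BINDDN" -y "$BINDPW_FILE" \
    -b "$PROBE_DN" -s base '(objectClass=*)' createTimestamp pwdChangedTime
}

# Evaluate ldapsearch LDIF output on stdin. Prints one of:
#   ok <time>        pwdChangedTime present and equal to createTimestamp (returns 0)
#   missing          pwdChangedTime absent (returns 1)
#   differs <c> <p>  both present but not equal (returns 2)
check_stamp() {
  out=$(cat)
  created=$(printf '%s\n' "$out" | sed -n 's/^createTimestamp: *//p')
  changed=$(printf '%s\n' "$out" | sed -n 's/^pwdChangedTime: *//p')
  if [ -z "$changed" ]; then
    echo "missing"
    return 1
  fi
  if [ "$changed" = "$created" ]; then
    echo "ok $changed"
    return 0
  fi
  echo "differs $created $changed"
  return 2
}

# Show the aging attributes of the policy that applies: the probe entry has
# no pwdPolicySubentry, so the default policy from olcPPolicyDefault is used.
show_policy() {
  ldapsearch -x -LLL -H "$LDAPURI" -D "$BINDDN" -y "$BINDPW_FILE" \
    -b "$POLICY_DN" -s base '(objectClass=pwdPolicy)' pwdMaxAge pwdMinAge pwdMustChange
}

# Only talk to a server when explicitly asked (RUN_PROBE=1); the functions
# above can be sourced and exercised offline on captured ldapsearch output.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  probe_ldif | ldapadd -x -H "$LDAPURI" -D "$BINDDN" -y "$BINDPW_FILE" >/dev/null
  read_stamps | check_stamp
  show_policy
  ldapdelete -x -H "$LDAPURI" -D "$BINDDN" -y "$BINDPW_FILE" "$PROBE_DN"
fi
```

Run it as `RUN_PROBE=1 LDAPURI=ldap://test-host ./probe.sh` against a test directory only: it creates and then deletes the probe entry. If the result is "missing", look at what show_policy prints before suspecting the overlay: in the 2.4 ppolicy sources the ADD path only stamps pwdChangedTime when the applicable policy has a non-zero pwdMaxAge or pwdMinAge (password aging in effect), so a default policy without those attributes leaves new entries unstamped exactly as the original post describes. On the 2.3 to 2.4 migration point, entries that already lack pwdChangedTime are not back-filled; only a later password change, or an explicit add of the attribute by an administrator with manage access, sets it.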