Hi once again,

So I have loaded the lastbind module and added the overlay, and I set:
olcLastBind: TRUE
olcLastBindPrecision: 21600
olcLastBindForwardUpdates: TRUE

However the result is that pwdLastSuccess is updated every time a user 
authenticates, so olcLastBindPrecision is being ignored.
As I understand it I don't need to load the lastbind module/overlay to get the 
feature, but at the same time it seems I cannot get olcLastBindPrecision 
working. Is there a solution?

Kind regards,
Ulrich Windl
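As an added illustration (not code from the thread or from OpenLDAP), the following Python replays a sequence of successful binds and applies the precision rule as slapo-lastbind documents it for authTimestamp: a new value is written only when the stored GeneralizedTime is at least olcLastBindPrecision seconds old. The bind timestamps and the "at least" boundary handling are assumptions for the simulation; whether slapd's built-in pwdLastSuccess path honours the same rule is exactly what the message above questions.

```python
from datetime import datetime, timezone

# The olcLastBindPrecision value used in the thread (6 hours).
PRECISION_SECONDS = 21600


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime (syntax 1.3.6.1.4.1.1466.115.121.1.24)
    in the common 'YYYYMMDDHHMMSSZ' form into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime form: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(ts: datetime) -> str:
    """Render an aware datetime back into 'YYYYMMDDHHMMSSZ'."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def needs_update(old_value, now_value: str, precision: int = PRECISION_SECONDS) -> bool:
    """Decide whether a successful bind at `now_value` should rewrite the
    stored timestamp. Assumption: no stored value, or an age of at least
    `precision` seconds, triggers a write; anything younger is skipped."""
    if old_value is None:
        return True
    age = (parse_generalized_time(now_value) - parse_generalized_time(old_value)).total_seconds()
    return age >= precision


def simulate_binds(bind_times, precision: int = PRECISION_SECONDS):
    """Replay successful binds (GeneralizedTime strings, in order) and return
    the list of values that would actually be written to the entry."""
    stored = None
    writes = []
    for when in bind_times:
        if needs_update(stored, when, precision):
            stored = format_generalized_time(parse_generalized_time(when))
            writes.append(stored)
    return writes


if __name__ == "__main__":
    # Constructed sample: binds at 12:00, 13:00, 17:00 and 19:00 UTC.
    sample = ["20250506120000Z", "20250506130000Z", "20250506170000Z", "20250506190000Z"]
    print("with precision 21600:", simulate_binds(sample))
    print("with precision 0:    ", simulate_binds(sample, precision=0))
```

With a precision of 21600 only the 12:00 and 19:00 binds are written; with a precision of 0 every bind is written, which matches the every-authentication behaviour reported above.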

From: Windl, Ulrich <u.wi...@ukr.de>
Sent: Tuesday, May 6, 2025 2:09 PM
To: Windl, Ulrich <u.wi...@ukr.de>; openldap-technical@openldap.org
Subject: RE: Q: lastbind, pwdLastSuccess, and authTimestamp

Hi!

Digging a bit further into it, I found:

# strings /usr/lib64/openldap/lastbind.so | grep authTimestamp
( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp' DESC 'last successful 
authentication using any method/mech' EQUALITY generalizedTimeMatch ORDERING 
generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE 
NO-USER-MODIFICATION USAGE dsaOperation )
( OLcfgCtAt:5.1 NAME 'olcLastBindPrecision' DESC 'Precision of authTimestamp 
attribute' EQUALITY integerMatch SYNTAX OMsInteger SINGLE-VALUE )
( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' DESC 'Allow authTimestamp 
updates to be forwarded via updateref' EQUALITY booleanMatch SYNTAX OMsBoolean 
SINGLE-VALUE )

# strings /usr/sbin/slapd | grep pwdLastSuccess
pwdLastSuccess
fe_op_lastbind: old pwdLastSuccess value=%s %lds ago
( 1.3.6.1.4.1.42.2.27.8.1.29 NAME 'pwdLastSuccess' DESC 'The timestamp of the 
last successful authentication' EQUALITY generalizedTimeMatch ORDERING 
generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE 
NO-USER-MODIFICATION USAGE directoryOperation )

So the lastbind module offers delayed updates of authTimestamp, while slapd 
implements pwdLastSuccess directly, but does not allow delaying of updates.

The other difference is that one claims directoryOperation, while the other 
claims dsaOperation. I only found that dsaOperation attributes should not be 
replicated.

Kind regards,
Ulrich Windl

From: Windl, Ulrich <u.wi...@ukr.de>
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp

Hi!

slapd-config states that pwdLastSuccess (provided by slapd) will be set if 
olcLastBind is set to true. However, to do that the lastbind module/overlay is 
needed.
But the latter sets authTimestamp.
slapo-ppolicy documents that authTimestamp (provided by the lastbind module) is set 
when lastbind is enabled.

As it seems, pwdLastSuccess and authTimestamp are set to the same value.

Can someone explain the logic behind this? I'm confused; do I really need the 
lastbind overlay?

I'm using OpenLDAP 2.5.X.

Kind regards,
Ulrich Windl