Hi! I was playing with olcLastBind and pwdMaxIdle, setting up a test user and a test policy. However, when the account should have been expired, nothing happened, i.e. the user could still log in and change the password.
Here are some details from the sample (variables have a different name, but you should be able to correlate them):

    ACCT_CHANGED = "20250728081545Z"
    ACCT_MAX_IDLE = "250000"
    AUTH_TIMESTAMP = "20250728081545Z"
    CURRENT_TIME_T = "1754049116"
    POLICY_CHANGED = "20250716131620Z"
    POLICY_NAME = "PP-Testing"
    SOURCE_NAME = "LDAP Password Policy"
    USER_ID = "testuser"

I'm using the lastbind overlay and these settings:

    olcLastBindPrecision: 432000
    olcLastBindForwardUpdates: TRUE

My program calculated that the account had expired 1.256 days ago.

Am I missing something, or is it a bug? Should there be an index on the authTimestamp attribute? Do I have to set olcLastBind to TRUE also? (I avoided that, because in 2.5 I cannot delay updates to the attribute, and some periodic automated logins flood the syncrepl changelog that way.)

Kind regards,
Ulrich Windl
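
An added example, not part of the original post and not OpenLDAP code: it recomputes the idle expiry from the posted values and shows how a timestamp precision of 432000 seconds interacts with an idle limit of 250000 seconds. It assumes that expiry is the last-bind timestamp plus ACCT_MAX_IDLE seconds, and that the overlay leaves a stored timestamp unchanged while it is less than the precision old; the function names and the daily bind schedule are constructed for illustration.

```python
from datetime import datetime, timezone

# Values copied from the post (variable names are the poster's own).
AUTH_TIMESTAMP = "20250728081545Z"
ACCT_MAX_IDLE = 250000        # seconds
CURRENT_TIME_T = 1754049116   # Unix time of the check
LASTBIND_PRECISION = 432000   # olcLastBindPrecision, seconds
DAY = 86400


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC ("...Z"), optional fraction."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def idle_overdue_seconds(last_bind, max_idle, now):
    """Seconds past the idle deadline; negative means not yet expired."""
    deadline = parse_generalized_time(last_bind).timestamp() + max_idle
    return now - deadline


def stale_binds(bind_times, precision, max_idle):
    """Bind times at which the *stored* timestamp is older than max_idle.

    Assumption (labelled): the stored value is only rewritten once it is
    at least `precision` seconds old, so it can lag behind real activity.
    """
    stored, flagged = None, []
    for t in sorted(bind_times):
        if stored is not None and t - stored > max_idle:
            flagged.append(t)   # looks idle although the user keeps binding
        if stored is None or t - stored >= precision:
            stored = t          # old enough: the timestamp is refreshed
    return flagged


if __name__ == "__main__":
    overdue = idle_overdue_seconds(AUTH_TIMESTAMP, ACCT_MAX_IDLE, CURRENT_TIME_T)
    print("overdue: %.0f s = %.3f days" % (overdue, overdue / DAY))
    # Constructed schedule: one bind per day for eleven days.
    daily = [d * DAY for d in range(11)]
    late = stale_binds(daily, LASTBIND_PRECISION, ACCT_MAX_IDLE)
    print("binds judged against a stale timestamp, by day:",
          [t // DAY for t in late])
```

With a precision larger than the idle limit, a check based on the stored timestamp can see an account as idle even though it binds daily, so the two values need to be chosen together.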