On Fri, Aug 01, 2025 at 12:22:49PM +0000, Windl, Ulrich wrote:
> Hi!
> 
> I was playing with olcLastBind and pwdMaxIdle, setting up a test user
> and a test policy. However when the account should have been expired,
> nothing happened, i.e.: the user still could log in and change the
> password.
> 
> Here are some details from the sample (variables have a different
> name, but you should be able to correlate them):
>
> [...]
> 
> I'm using the lastbind overlay and these settings:
> olcLastBindPrecision: 432000
> olcLastBindForwardUpdates: TRUE
> 
> My program calculated that the account had expired 1.256 days ago.
> Am I missing something, or is it a bug?
> Should there be an index on the authTimestamp attribute?
> 
> Do I have to set olcLastbind to TRUE also? (I avoided that, because in
> 2.5 I cannot delay updates to the attribute, and some periodic
> automated logins flood the syncrepl changelog that way.)

Hi Ulrich,
yes, you should not be using the lastbind overlay at all (it sets
authTimestamp) but the core functionality which exists for this purpose:
the pwdLastSuccess attribute it manages is the one ppolicy decisions are
meant to use. It was moved from the overlay exactly for this reason.

If the 2.5 lastbind functionality is inadequate for you, you have no
choice but to move to 2.6. After all, 2.6 is the current LTS stream and
2.5 will only receive critical fixes at this point.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

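Added example, not code from this thread and not OpenLDAP's own code: a small offline check of the kind the original poster's program performed, run against both bookkeeping attributes so the mismatch the reply points out is visible. It takes olcLastBindPrecision: 432000 from the thread; the pwdMaxIdle value, the clock, the sample entries and the simplified "idle > pwdMaxIdle" comparison are the example's own assumptions, not slapd's logic.

```python
# Added example (not from the thread and not OpenLDAP code): an offline
# check of the kind the original poster's "program" performed, run against
# both bookkeeping attributes so the mismatch the reply points out is
# visible.
from datetime import datetime, timedelta, timezone

# Setting taken from the thread: olcLastBindPrecision: 432000 (5 days).
# The policy value, the clock and the entries below are constructed.
LASTBIND_PRECISION = 432000        # seconds, from olcLastBindPrecision
PWD_MAX_IDLE = 7 * 86400           # assumed pwdMaxIdle of the test policy
NOW = datetime(2025, 8, 1, 12, 0, 0, tzinfo=timezone.utc)  # assumed "now"

# Constructed sample entries (attribute -> value, as ldapsearch shows them).
SAMPLE_ENTRIES = {
    # What the poster's setup produces: slapo-lastbind writes authTimestamp,
    # nothing writes pwdLastSuccess.
    "lastbind-only": {
        "uid": "test1",
        "authTimestamp": "20250723060000Z",
    },
    # What the reply recommends: ppolicy itself records pwdLastSuccess.
    "ppolicy-managed": {
        "uid": "test2",
        "pwdLastSuccess": "20250720120000Z",
    },
}


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form slapd writes: YYYYmmddHHMMSS[.frac]Z."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime is handled: %r" % value)
    body = value[:-1]
    micro = 0
    if "." in body:
        body, frac = body.split(".", 1)
        micro = int(frac.ljust(6, "0")[:6])   # pad/truncate to microseconds
    stamp = datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return stamp + timedelta(microseconds=micro)


def idle_seconds(entry, attr, now):
    """Seconds since the timestamp stored in `attr`, or None if it is absent."""
    if attr not in entry:
        return None
    return (now - parse_generalized_time(entry[attr])).total_seconds()


def idle_report(entry, pwd_max_idle, now, lastbind_precision=0):
    """Evaluate pwdMaxIdle against both attributes and say what each implies.

    - pwdLastSuccess is the attribute ppolicy maintains and, per the reply,
      the one its pwdMaxIdle decision is based on.  The comparison here is
      the example's own simplified form (idle > pwdMaxIdle), not slapd's code.
    - authTimestamp is what slapo-lastbind maintains.  ppolicy does not read
      it, so an expiry computed from it is only a local guess.  With a
      precision of P seconds the overlay leaves the stored value alone while
      it is less than P old, so the real last bind may be up to P later than
      the stored one: the true idle time lies in (stored_idle - P, stored_idle].
    """
    report = {"pwdMaxIdle": pwd_max_idle}

    ppolicy_idle = idle_seconds(entry, "pwdLastSuccess", now)
    report["pwdLastSuccess_idle"] = ppolicy_idle
    report["ppolicy_would_expire"] = (
        ppolicy_idle is not None and ppolicy_idle > pwd_max_idle
    )

    stored_idle = idle_seconds(entry, "authTimestamp", now)
    report["authTimestamp_idle"] = stored_idle
    if stored_idle is None:
        report["lastbind_guess"] = "no authTimestamp"
    elif stored_idle - lastbind_precision > pwd_max_idle:
        report["lastbind_guess"] = "expired"
    elif stored_idle > pwd_max_idle:
        # Over the limit on paper, but a later bind may have been skipped
        # because the stored value was still inside the precision window.
        report["lastbind_guess"] = "maybe expired (within precision window)"
    else:
        report["lastbind_guess"] = "active"
    return report


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, idle_report(entry, PWD_MAX_IDLE, NOW, LASTBIND_PRECISION))
```

For the "lastbind-only" entry the script reports no pwdLastSuccess (so nothing for ppolicy to enforce) while the authTimestamp arithmetic says "over by about two days", which, with a five-day precision window, is not even a reliable local conclusion; for the "ppolicy-managed" entry the attribute ppolicy reads is present and the idle limit is exceeded.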