> -----Original Message-----
> From: Ondřej Kuzník <on...@mistotebe.net>
> Sent: Friday, August 1, 2025 2:39 PM
> To: Windl, Ulrich <u.wi...@ukr.de>
> Cc: openldap-technical@openldap.org
> Subject: [EXT] Re: pwdMaxIdle does not work as described in OpenLDAP 2.5
>
> On Fri, Aug 01, 2025 at 12:22:49PM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > I was playing with olcLastBind and pwdMaxIdle, setting up a test user
> > and a test policy. However when the account should have been expired,
> > nothing happened, i.e.: the user still could log in and change the
> > password.
> >
> > Here are some details from the sample (variables have a different
> > name, but you should be able to correlate them):
> >
> > [...]
> >
> > I'm using the lastbind overlay and these settings:
> > olcLastBindPrecision: 432000
> > olcLastBindForwardUpdates: TRUE
> >
> > My program calculated that the account had expired 1.256 days ago.
> > Am I missing something, or is it a bug?
> > Should there be an index on the authTimestamp attribute?
> >
> > Do I have to set olcLastbind to TRUE also? (I avoided that, because in
> > 2.5 I cannot delay updates to the attribute, and some periodic
> > automated logins flood the syncrepl changelog that way.)
>
> Hi Ulrich,
> yes, you should not be using the lastbind overlay at all (it sets
> authTimestamp) but the core functionality which exists for this purpose:
> pwdLastSuccess attribute it manages is the one ppolicy decisions are
> meant to use. It was moved from the overlay exactly for this reason.
>
> If the 2.5 lastbind functionality is inadequate for you, you have no
> choice but to move to 2.6. After all, 2.6 is the current LTS stream and
> 2.5 will only receive critical fixes at this point.
[Windl, Ulrich] In which aspect will version 2.6 be different from 2.5? Is it mostly a problem of the attribute name, or is it a problem of who sets the attribute?

In the code I wrote I query both, then use the maximum of both values, then add the maxidle and subtract the current time to decide when the account will expire. I'm also using the password expiration warning to warn users (and admins) about account expiration. It all works, just the account isn't disabled when it should be.

So the purpose of the lastbind overlay is for providing information only, while the built-in auth success can actually expire accounts (according to password policy)?

Regards,
Ulrich
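The calculation Ulrich describes, as an added example that is neither his program nor OpenLDAP code, on constructed sample values: it parses the GeneralizedTime values of pwdLastSuccess and authTimestamp, takes the newer one, adds pwdMaxIdle and reports whether the account is past its idle limit or inside the pwdExpireWarning window. The attribute and policy names are the ones from the thread; the dictionary layout is an assumption standing in for a decoded LDAP search result, and per Ondřej's reply slapd itself consults only pwdLastSuccess.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not values from the thread). Times are LDAP
# GeneralizedTime in UTC; pwdMaxIdle and pwdExpireWarning are in seconds.
SAMPLE_ENTRY = {
    "pwdLastSuccess": ["20250701120000Z"],  # written by core ppolicy (2.6)
    "authTimestamp": ["20250625080000Z"],   # written by the lastbind overlay
}
SAMPLE_POLICY = {"pwdMaxIdle": ["2592000"], "pwdExpireWarning": ["604800"]}

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20250701120000Z (UTC only)."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    base = value[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def format_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def last_bind_time(entry):
    """Newest of pwdLastSuccess / authTimestamp, or None if neither is present.
    slapd's own pwdMaxIdle check uses pwdLastSuccess only; the maximum of both
    mirrors the client-side program described in the thread."""
    times = [parse_generalized_time(v)
             for attr in ("pwdLastSuccess", "authTimestamp")
             for v in entry.get(attr, [])]
    return max(times) if times else None

def idle_expiry(entry, policy, now_gt):
    """Return (expiry as GeneralizedTime, seconds left) or (None, None)."""
    max_idle = policy.get("pwdMaxIdle")
    last = last_bind_time(entry)
    if not max_idle or last is None:
        return None, None
    expires_at = last + timedelta(seconds=int(max_idle[0]))
    left = int((expires_at - parse_generalized_time(now_gt)).total_seconds())
    return format_generalized_time(expires_at), left

def idle_status(entry, policy, now_gt):
    """'expired', 'warning', 'ok', or 'n/a' (no idle limit or no bind recorded)."""
    expires_at, left = idle_expiry(entry, policy, now_gt)
    if expires_at is None:
        return "n/a"
    if left <= 0:
        return "expired"
    warn = int(policy.get("pwdExpireWarning", ["0"])[0])
    return "warning" if left <= warn else "ok"
```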