On Mon, Aug 04, 2025 at 07:42:15AM +0000, Windl, Ulrich wrote:
>> Hi Ulrich,
>> yes, you should not be using the lastbind overlay at all (it sets
>> authTimestamp) but the core functionality which exists for this purpose:
>> pwdLastSuccess attribute it manages is the one ppolicy decisions are
>> meant to use. It was moved from the overlay exactly for this reason.
>> 
>> If the 2.5 lastbind functionality is inadequate for you, you have no
>> choice but to move to 2.6. After all, 2.6 is the current LTS stream and
>> 2.5 will only receive critical fixes at this point.
> 
> In which aspect will version 2.6 be different from 2.5?

Hi Ulrich,
not sure what you're asking about here. You complained about the core
lastbind feature not having some capabilities (and exactly those that
appeared in 2.6, e.g. setting lastbind precision.)

> Is it mostly a problem of the attribute name, or is it a problem of
> who sets the attribute?
> In the code I wrote I query both, then use the maximum of both values,
> then add the maxidle and subtract the current time to decide when the
> account will expire. I'm also using the password expiration warning to
> warn users (and admins) about account expiration.
> It all works, just the account isn't disabled when it should.

Yes, ppolicy checks account status against their policy; pwdLastSuccess
is the attribute stored with the account that matters for whether an
account is considered idle. That is not the attribute set by the lastbind
overlay.

> So the purpose of the lastbind overlay is for providing information
> only, while the built-in auth success can actually expire accounts
> (according to password policy)?

The lastbind overlay existed (for a long time), then ppolicy needed to
support the Behera ppolicy draft 10+ including pwdMaxIdle. It turned out
the lastbind overlay couldn't be used for this (don't remember exact
reason(s)) so the functionality needed to be moved. This happened in
2.5. So since the same functionality is now in two places, one is
unnecessary, you can guess which one.

Long story short: if you need to enforce pwdMaxIdle, you need to move
away from the lastbind overlay.

If you find the documentation lacking, you can help the people getting
in a similar situation in the future by suggesting improvements (i.e.
new wording) based on what's been discussed. Indeed I think you're in
the best position to do so.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
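An added audit helper, not code from this thread or from OpenLDAP, that makes the discrepancy discussed above visible: it evaluates pwdMaxIdle against pwdLastSuccess (the attribute ppolicy uses) and against the max of authTimestamp/pwdLastSuccess (the approach described in the thread) and flags accounts where the two views disagree. The entries, the 90-day pwdMaxIdle and the "now" timestamp are constructed for illustration.

```python
"""Compare the ppolicy view of pwdMaxIdle (pwdLastSuccess) with a script that
also trusts the lastbind overlay's authTimestamp. Sample data is constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as slapd writes it, e.g. "20250804074215Z"
    (a fractional-seconds part such as ".123456" is dropped)."""
    body = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def seconds_until_idle(last: Optional[datetime], pwd_max_idle: int, now: datetime) -> Optional[int]:
    """Seconds left in the pwdMaxIdle window (negative = already idle);
    None when there is no timestamp to evaluate at all."""
    if last is None:
        return None
    return int((last + timedelta(seconds=pwd_max_idle) - now).total_seconds())


def audit(entry: Dict[str, str], pwd_max_idle: int, now: datetime) -> dict:
    """entry: single-valued attributes of one account as returned by a search.
    'ppolicy' uses pwdLastSuccess only (what the server enforces);
    'script' uses max(authTimestamp, pwdLastSuccess) as in the thread."""
    stamps = {attr: parse_generalized_time(entry[attr])
              for attr in ("pwdLastSuccess", "authTimestamp") if attr in entry}
    ppolicy_view = seconds_until_idle(stamps.get("pwdLastSuccess"), pwd_max_idle, now)
    script_view = seconds_until_idle(max(stamps.values()) if stamps else None, pwd_max_idle, now)
    return {"ppolicy": ppolicy_view, "script": script_view,
            "mismatch": ppolicy_view != script_view}


# Constructed sample: pwdMaxIdle of 90 days, evaluated at the date of this mail.
PWD_MAX_IDLE = 90 * 24 * 3600
NOW = parse_generalized_time("20250804074215Z")
SAMPLE_ENTRIES = {
    # both attributes maintained: the two views agree
    "alice": {"pwdLastSuccess": "20250803074215Z", "authTimestamp": "20250803074215Z"},
    # only the lastbind overlay ran: ppolicy has nothing to evaluate
    "bob": {"authTimestamp": "20250803074215Z"},
    # pwdLastSuccess stale while authTimestamp is fresh: ppolicy says idle, script says fine
    "carol": {"pwdLastSuccess": "20250426074215Z", "authTimestamp": "20250803074215Z"},
}

if __name__ == "__main__":
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, audit(entry, PWD_MAX_IDLE, NOW))
```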