Re: (ITS#5040) modifyTimestamp being updated on login (bind) failure
by dan.cushing@netideasinc.com
I'd defer to those with more expertise, but my vote is to avoid changing
the modifyTimestamp attribute. That attribute should be updated only
when an ldapmodify operation is performed.
I'm not familiar with the specifications, and perhaps this isn't
addressed there. My intuition suggests that it shouldn't be modified by
operations that are not directly under the control of the user or
administrator.
Dan
Howard Chu wrote:
> dan.cushing(a)netideasinc.com wrote:
>> Full_Name: Dan Cushing
>> Version: 2.3.36
>> OS: Solaris 9
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (71.76.187.82)
>>
>>
>> When running OpenLDAP with the ppolicy overlay, the modifyTimestamp for a user
>> entry is updated if the user attempts to login (bind) with an incorrect
>> password. This is happening because the password lockout feature is enabled and
>> the operational attribute 'pwdFailureTime' is being updated. It seems like this
>> results in a misleading modifyTimestamp. Is it intended that the
>> modifyTimestamp attribute be updated when operational attributes are updated?
>
> Hadn't really thought about it before. We can certainly avoid this though.
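
The following is an added example, not part of the original thread and not OpenLDAP code: a small audit check for the behaviour reported above, flagging entries whose modifyTimestamp coincides with their most recent pwdFailureTime and therefore likely records a failed bind rather than an administrative change. The sample entries, the function names and the one-second tolerance are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample entries (not from the original report), shaped like the
# attribute dicts an LDAP search for modifyTimestamp and pwdFailureTime returns.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "modifyTimestamp": ["20070706141503Z"],
     "pwdFailureTime": ["20070706141012Z", "20070706141503Z"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "modifyTimestamp": ["20070701090000Z"],
     "pwdFailureTime": ["20070628120000Z"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "modifyTimestamp": ["20070702101500Z"]},
]


def parse_gt(value):
    """Parse an LDAP GeneralizedTime in UTC ('Z'), dropping fractional seconds."""
    digits = value.rstrip("Z").split(".")[0]
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def misleading_modify_timestamps(entries, tolerance_seconds=1):
    """Return DNs whose modifyTimestamp matches the latest pwdFailureTime.

    Assumption: the ppolicy write of pwdFailureTime and the resulting
    modifyTimestamp update land within tolerance_seconds of each other.
    """
    flagged = []
    for entry in entries:
        failures = entry.get("pwdFailureTime", [])
        if not failures or "modifyTimestamp" not in entry:
            continue  # no recorded bind failures, nothing to compare
        modified = parse_gt(entry["modifyTimestamp"][0])
        last_failure = max(parse_gt(v) for v in failures)
        if abs((modified - last_failure).total_seconds()) <= tolerance_seconds:
            flagged.append(entry["dn"])
    return flagged


if __name__ == "__main__":
    for dn in misleading_modify_timestamps(SAMPLE_ENTRIES):
        print("modifyTimestamp reflects a failed bind:", dn)
```
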