I'd defer to those with more expertise, but my vote is to avoid changing the modifyTimestamp attribute. That attribute should be updated only when an ldapmodify operation is performed.
I'm not familiar with the specifications, and perhaps this isn't addressed there. My intuition suggests that it shouldn't be modified by operations that are not directly under the control of the user or administrator.
Dan
Howard Chu wrote:
dan.cushing@netideasinc.com wrote:
Full_Name: Dan Cushing
Version: 2.3.36
OS: Solaris 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (71.76.187.82)
When running OpenLDAP with the ppolicy overlay, the modifyTimestamp for a user entry is updated if the user attempts to log in (bind) with an incorrect password. This is happening because the password lockout feature is enabled and the operational attribute 'pwdFailureTime' is being updated. It seems like this results in a misleading modifyTimestamp. Is it intended that the modifyTimestamp attribute be updated when operational attributes are updated?
Hadn't really thought about it before. We can certainly avoid this though.
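An added example, not part of the thread or of OpenLDAP: an audit helper for the behaviour reported above, which flags entries whose modifyTimestamp coincides with their newest pwdFailureTime, meaning the timestamp was probably set by a failed bind rather than by an administrative change. The sample LDIF, the DNs and the function names are constructed for illustration, and plain (non-base64) `ldapsearch` output that includes operational attributes is assumed.

```python
import re

# Constructed sample: ldapsearch-style LDIF with operational attributes requested.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
modifyTimestamp: 20080115101500Z
pwdFailureTime: 20080115101459Z
pwdFailureTime: 20080115101500Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20080110090000Z
pwdFailureTime: 20080109120000Z

dn: uid=carol,ou=people,dc=example,dc=com
modifyTimestamp: 20080101000000Z
"""

def parse_entries(ldif):
    """Yield (dn, {lowercased attr: [values]}) per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        # Unfold LDIF continuation lines (newline followed by a single space).
        lines = block.replace("\n ", "").splitlines()
        attrs = {}
        for line in lines:
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def to_seconds(ts):
    """Reduce a GeneralizedTime value to whole seconds (drop any fraction)."""
    return ts.rstrip("Z").split(".")[0]

def timestamp_from_failed_bind(ldif):
    """Return DNs whose modifyTimestamp equals their newest pwdFailureTime."""
    flagged = []
    for dn, attrs in parse_entries(ldif):
        failures = [to_seconds(v) for v in attrs.get("pwdfailuretime", [])]
        modified = attrs.get("modifytimestamp")
        if failures and modified and to_seconds(modified[0]) == max(failures):
            flagged.append(dn)
    return flagged

if __name__ == "__main__":
    for dn in timestamp_from_failed_bind(SAMPLE_LDIF):
        print("modifyTimestamp matches a failed bind:", dn)
```

A match is a heuristic: a genuine modification made in the same second as a failed bind looks identical, so treat flagged entries as candidates to cross-check against the server's access log.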