https://bugs.openldap.org/show_bug.cgi?id=9794
Issue ID: 9794
Summary: Define behaviour for pwdChangedTime modifications
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: david.coutadeur@gmail.com
Target Milestone: ---

This issue applies to:
- draft-behera-ldap-password-policy
- openldap 2.5
- openldap 2.6
It is a proposition of behaviour for pwdChangedTime modifications.
modification of the draft:
--------------------------
In section: "8.2.7. Policy State Updates", change this paragraph:
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server updates the pwdChangedTime attribute on the entry to the current time.
into:
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server MUST update the pwdChangedTime attribute on the entry according to this workflow:
Then insert a new paragraph:
- if the current operation (add or modify) on the password includes adding or modifying a valid pwdChangedTime attribute, then use this pwdChangedTime. A "Valid" pwdChangedTime means a syntactically correct value, compliant with the schema, approved by access rules, and MAY require a relax control according to the schema defined in section 5.3.2. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax
- an invalid pwdChangedTime value MUST result in an error, and the pwdChangedTime MUST NOT be stored
- in any other case, compute the current date and store it in a GeneralizedTime format
Feel free to comment or propose other ideas.
modification of the code:
--------------------------
If this behaviour makes a consensus, it would be useful to patch both OpenLDAP 2.5 and 2.6.
NOTE: current OpenLDAP 2.5 allows modifying pwdChangedTime alone, but fails to add a user with both userPassword and pwdChangedTime (it results in a duplicated pwdChangedTime error)
modification of the documentation:
----------------------------------
In slapo-ppolicy, it can be useful to add a comment in "OPERATIONAL ATTRIBUTES" section:
Every attribute defined as "NO-USER-MODIFICATION" SHOULD not be written by standard users. If needed, an administrator MAY modify them with the relax control. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net --- This sounds too complicated, why not just acknowledge the change and leave it at that?
""" If the value of either pwdMaxAge or pwdMinAge is non-zero and the change does not include a pwdChangedTime update already, the server updates the pwdChangedTime attribute on the entry to the current time. """
--- Comment #2 from David Coutadeur david.coutadeur@gmail.com --- Seems a good summary.
It does not describe the behaviour when a pwdChangedTime is sent and the user does not have the right to change it. But as it is the same behaviour as in an LDAP standard operation, maybe it is not so useful.
And it may be interesting to have a reminder of the relax rule, but maybe it is more appropriate in documentation than in draft.
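The update rule discussed in the report and the shorter wording from comment #1, written out as an added reference model in Python. This is illustration code, not OpenLDAP's slapo-ppolicy implementation. It keeps a valid client-supplied pwdChangedTime, rejects an invalid one with an error so nothing is stored, and otherwise stamps the current time in GeneralizedTime syntax. Assumptions: pwdChangedTime is NO-USER-MODIFICATION, so a client write to it is only honoured when the operation carries the relax control; SAMPLE_NOW is a constructed clock value, and the pwdMaxAge of 30 days in run_cases() is a constructed policy setting.

```python
"""Model of the pwdChangedTime update rule discussed in ITS#9794.

Added illustration, not OpenLDAP's slapo-ppolicy code. Implements the
reporter's workflow (keep a valid client-supplied pwdChangedTime, reject an
invalid one, otherwise stamp the current time), which also satisfies the
shorter rule from comment #1. Assumption: pwdChangedTime is
NO-USER-MODIFICATION, so a client write to it is only honoured when the
operation carries the relax control.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff](Z | +HH[MM] | -HH[MM])
_GT_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})"   # year, month, day, hour
    r"(?:(\d{2})(\d{2})?)?"            # optional minute, optional second
    r"(?:[.,](\d+))?"                  # optional fraction
    r"(Z|[+-]\d{2}(?:\d{2})?)$"        # zone: Z or differential
)

# Constructed clock for reproducible output (the time of the first ITS commit).
SAMPLE_NOW = datetime(2022, 2, 8, 17, 4, 40, tzinfo=timezone.utc)


class PolicyError(ValueError):
    """Raised where the proposed wording says the operation MUST fail."""


def parse_generalized_time(value):
    """Strictly parse an LDAP GeneralizedTime into an aware UTC datetime."""
    m = _GT_RE.match(value)
    if not m:
        raise PolicyError(f"not a GeneralizedTime: {value!r}")
    year, month, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute, second = int(m.group(5) or 0), int(m.group(6) or 0)
    if second > 60:  # 60 is a legal leap second; 61-99 are not
        raise PolicyError(f"second out of range: {value!r}")
    zone = m.group(8)
    if zone == "Z":
        offset = timedelta(0)
    else:
        hours, minutes = int(zone[1:3]), int(zone[3:5] or 0)
        if hours > 23 or minutes > 59:
            raise PolicyError(f"bad zone differential: {value!r}")
        offset = timedelta(hours=hours, minutes=minutes)
        if zone[0] == "-":
            offset = -offset
    try:  # datetime() rejects impossible dates such as 20220230
        local = datetime(year, month, day, hour, minute, min(second, 59),
                         tzinfo=timezone(offset))
    except ValueError as exc:
        raise PolicyError(f"{value!r}: {exc}") from None
    return local.astimezone(timezone.utc)


def format_generalized_time(when):
    """Render a datetime the way slapd stores it: seconds resolution, UTC."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def _attr(op_attrs, name):
    """Case-insensitive attribute lookup, as LDAP attribute types require."""
    for key, values in op_attrs.items():
        if key.lower() == name.lower():
            return values
    return None


def decide_pwd_changed_time(op_attrs, pwd_max_age, pwd_min_age, relax, now=None):
    """Return the pwdChangedTime to store for a password add/modify.

    op_attrs maps attribute names to value lists for the operation. None
    means the policy does not track password age and nothing is updated.
    """
    if pwd_max_age == 0 and pwd_min_age == 0:
        return None
    supplied = _attr(op_attrs, "pwdChangedTime")
    if supplied is None:  # common case: the server stamps the current time
        return format_generalized_time(now or datetime.now(timezone.utc))
    if not relax:
        raise PolicyError("pwdChangedTime is NO-USER-MODIFICATION; relax control required")
    if len(supplied) != 1:
        raise PolicyError("pwdChangedTime is SINGLE-VALUE")
    parse_generalized_time(supplied[0])  # invalid value -> error, nothing stored
    return supplied[0]


def run_cases():
    """Run constructed operations through the rule; returns {case: outcome}."""
    pw = {"userPassword": [b"s3cret"]}
    cases = {
        "no pwdChangedTime": (pw, False),
        "valid with relax": ({**pw, "pwdChangedTime": ["20220101000000Z"]}, True),
        "valid without relax": ({**pw, "pwdChangedTime": ["20220101000000Z"]}, False),
        "invalid syntax": ({**pw, "pwdchangedtime": ["2022-01-01T00:00:00"]}, True),
        "impossible date": ({**pw, "pwdChangedTime": ["20220230000000Z"]}, True),
    }
    out = {}
    for name, (attrs, relax) in cases.items():
        try:  # pwdMaxAge of 30 days (constructed), pwdMinAge 0
            out[name] = decide_pwd_changed_time(attrs, 2592000, 0, relax, SAMPLE_NOW)
        except PolicyError as exc:
            out[name] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:22} -> {outcome}")
```

The "valid with relax" path is the one the report's NOTE is about: when an add carries both userPassword and pwdChangedTime, the server keeps the supplied value instead of adding a second one, which is what produced the duplicate-attribute error in 2.5. On the client side, OpenLDAP's ldapmodify requests the relax control with `-e relax`; without it the model, like the schema, refuses the write.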
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed           | Added
-----------------+-------------------+--------------------
Assignee         | bugs@openldap.org | ondra@mistotebe.net
Target Milestone | ---               | 2.5.12
Keywords         | needs_review      |
Status           | UNCONFIRMED       | CONFIRMED
Ever confirmed   | 0                 | 1
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Code changes to go in 2.5 and 2.6
An updated version of draft-behera-ldap-password-policy should be submitted to the IETF.
Ondřej Kuzník ondra@mistotebe.net changed:
What   | Removed   | Added
-------+-----------+------------
Status | CONFIRMED | IN_PROGRESS
--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net --- https://git.openldap.org/openldap/openldap/-/merge_requests/497 for IETF prep
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org --- head:
Commits:
• 1800a1f1 by Ondřej Kuzník at 2022-02-08T17:04:40+00:00 ITS#9794 Synchronise how Adds and Modifies are handled
• d4fbbe5a by Ondřej Kuzník at 2022-02-08T17:11:33+00:00 ITS#9794 Update behera draft wording
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 9d4b1aec by Ondřej Kuzník at 2022-02-17T19:22:33+00:00 ITS#9794 Synchronise how Adds and Modifies are handled
• 50daac8f by Ondřej Kuzník at 2022-02-17T19:22:44+00:00 ITS#9794 Update behera draft wording
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org --- RE25:
• 7a34f46d by Ondřej Kuzník at 2022-02-17T19:25:45+00:00 ITS#9794 Synchronise how Adds and Modifies are handled
• 13f0618d by Ondřej Kuzník at 2022-02-17T19:25:48+00:00 ITS#9794 Update behera draft wording
--- Comment #8 from Quanah Gibson-Mount quanah@openldap.org --- https://git.openldap.org/openldap/openldap/-/merge_requests/497
--- Comment #9 from Quanah Gibson-Mount quanah@openldap.org --- head:
• fb736b01 by Ondřej Kuzník at 2022-02-15T12:45:56+00:00 ITS#9794 Update behera draft for submission to IETF
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
-----------+-------------+---------
Status     | IN_PROGRESS | RESOLVED
Resolution | ---         | FIXED
--- Comment #10 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 27a7a6f7 by Ondřej Kuzník at 2022-02-22T19:39:15+00:00 ITS#9794 Update behera draft for submission to IETF
RE25:
• 4d414e0c by Ondřej Kuzník at 2022-02-22T19:39:43+00:00 ITS#9794 Update behera draft for submission to IETF
--- Comment #11 from Ondřej Kuzník ondra@mistotebe.net --- Updated draft has now been published: https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
-------+----------+---------
Status | RESOLVED | VERIFIED