Hi!
I was playing with olcLastBind and pwdMaxIdle, setting up a test user and a test policy.
However, when the account should have been expired, nothing happened, i.e. the user could still log in and change the password.
Here are some details from the sample (variables have a different name, but you should be able to correlate them):
ACCT_CHANGED = "20250728081545Z"
ACCT_MAX_IDLE = "250000"
AUTH_TIMESTAMP = "20250728081545Z"
CURRENT_TIME_T = "1754049116"
POLICY_CHANGED = "20250716131620Z"
POLICY_NAME = "PP-Testing"
SOURCE_NAME = "LDAP Password Policy"
USER_ID = "testuser"
I'm using the lastbind overlay and these settings:
olcLastBindPrecision: 432000
olcLastBindForwardUpdates: TRUE
My program calculated that the account had expired 1.256 days ago.
Am I missing something, or is it a bug?
Should there be an index on the authTimestamp attribute?
Do I have to set olcLastbind to TRUE also? (I avoided that, because in 2.5 I cannot delay updates to the attribute, and some periodic automated logins flood the syncrepl changelog that way.)
Kind regards,
Ulrich Windl
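
The idle calculation described in the message, reproduced from the posted values as an added example (not part of the original message and not OpenLDAP code). The function names are hypothetical. The precision handling assumes only the documented lastbind behaviour that authTimestamp is not rewritten while the stored value is younger than olcLastBindPrecision seconds; it does not model how slapd itself evaluates pwdMaxIdle.

```python
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYmmddHHMMSSZ (UTC only)."""
    parsed = datetime.strptime(value, "%Y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def idle_report(auth_timestamp, max_idle, now_epoch, precision=0):
    """Derive idle figures (seconds) from the stored authTimestamp.

    precision: olcLastBindPrecision in seconds. Binds that happen less than
    `precision` seconds after the stored value leave it unchanged, so the
    real last bind may be up to `precision` seconds newer than what is stored.
    """
    last = int(parse_generalized_time(auth_timestamp).timestamp())
    idle = now_epoch - last                  # idle time as seen in the attribute
    overdue = idle - max_idle                # > 0: past the idle limit
    min_real_idle = max(0, idle - precision) # best case for the real idle time
    return {
        "idle": idle,
        "overdue": overdue,
        "overdue_days": overdue / 86400,
        "min_real_idle": min_real_idle,
        # Only conclusive if even the most recent possible bind is too old.
        "conclusive": min_real_idle > max_idle,
        "precision_exceeds_max_idle": precision > max_idle,
    }


# Values taken from the message: AUTH_TIMESTAMP, ACCT_MAX_IDLE, CURRENT_TIME_T
# and olcLastBindPrecision.
POSTED = idle_report("20250728081545Z", 250000, 1754049116, precision=432000)

if __name__ == "__main__":
    for key, value in POSTED.items():
        print(f"{key}: {value}")
```

With the posted settings the precision (432000 s) is larger than the idle limit (250000 s), so the stored timestamp alone cannot show whether the account was really idle for the whole period.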