Hello Ondřej,
pwdStartTime+pwdEndTime are completely independent of pwdMaxAge. And if
set on an account, they are meant to be managed by the password administrator, not OpenLDAP.
this is very interesting, where I can read information about this to prove okta support that okta ldap daemon must respect pwdChangedTime or pwdReset, because pwdStartTime+pwdEndTime isn't managed by OpenLDAP security policy.
Not sure what you mean.
I mean that we post the same, that slapd doesn't ignore pwdMaxAge
I can't speak for Okta and whether they even support ppolicy at all. From
what you're describing they probably don't?
anyway they need to somehow get the user password expiration date, but what you post about pwdStartTime+pwdEndTime (managed by the password administrator), seem like the only way is use pwdChangedTime user attribute + pwdMaxAge policy attribute or rely on pwdReset. But this just additional thoughts, which I will forward to them after confirmation that pwdStartTime+pwdEndTime is meant to be managed by the password administrator. Also, password administrator related to slapd means that a human (some script) add/remove/update pwdStartTime+pwdEndTime for each user and this can not be done by overlay/policy or other standard slapd functional.
On Wed, Oct 11, 2023 at 1:02 PM Ondřej Kuzník ondra@mistotebe.net wrote:
On Wed, Oct 11, 2023 at 12:41:21PM +0300, Volodymyr Lisnyi wrote:
Hello Ondřej,
Most often you need pwdMaxAge and react to password expiry accordingly.
can you then explain why I have pwdMaxAge in the policy but users don't have pwdStartTime+pwdEndTime, that's what I am trying to achieve, but can not find any way to do this for now.
Hi Volodymyr, pwdStartTime+pwdEndTime are completely independent of pwdMaxAge. And if set on an account, they are meant to be managed by the password administrator, not OpenLDAP.
slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and doesn't need to store anything except pwdChangedTime to do this[0], also pwdReset is independent of pwdMaxAge and you might want to check whether
Maybe I was not clear, but I say the same that pwdMaxAge is not ignored
by
slapd and pwdChangedTime changed for the user during password change,
same
as pwdReset: True set after password expires confirm this.
Not sure what you mean.
Okta has/should have manage permissions on userPassword attribute: depending on its understanding of ppolicy, that might/not be
appropriate -
having manage permissions on userPassword makes one "password administrator" and affects ppolicy behaviour (again read man
slapo-ppolicy
and the latest draft[1] for more information).
there is no problem with Okta managing users' passwords, the problem is that Okta ignores pwdReset and doesn't ask users to change expired passwords.
They should either implement ppolicy themselves or let slapd do this (e.g. by letting it handle Binds). Not much OpenLDAP can do if they ignore important parts of the spec (especially those that have been around for more than a decade).
Per the ppolicy drafts, a password is expired if
pwdChangedTime+pwdMaxAge
is in the past
does this mean that pwdEndTime must be used to understand user password expiration? And if yes, how I can enable it, because as I posted above I don't see
any
flags for this not in "cn=passwordDefault,ou=Policies,dc=domain,dc=net"
not
in "dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
I can't speak for Okta and whether they even support ppolicy at all. From what you're describing they probably don't?
Regards,
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP