Hello Ondřej,

> pwdStartTime+pwdEndTime are completely independent of pwdMaxAge. And if set on an account, they are meant to be managed by the password administrator, not OpenLDAP.

This is very interesting. Where can I read information about this, to prove to Okta support that the Okta LDAP daemon must respect pwdChangedTime or pwdReset, because pwdStartTime+pwdEndTime isn't managed by the OpenLDAP security policy?

> Not sure what you mean.

I mean that we posted the same thing: that slapd doesn't ignore pwdMaxAge.

> I can't speak for Okta and whether they even support ppolicy at all. From what you're describing they probably don't?

Anyway, they need to somehow get the user password expiration date, but given what you posted about pwdStartTime+pwdEndTime (managed by the password administrator), it seems like the only way is to use the pwdChangedTime user attribute + the pwdMaxAge policy attribute, or to rely on pwdReset. But these are just additional thoughts, which I will forward to them after confirmation that pwdStartTime+pwdEndTime is meant to be managed by the password administrator.
Also, "password administrator" in relation to slapd means that a human (or some script) adds/removes/updates pwdStartTime+pwdEndTime for each user, and this cannot be done by an overlay/policy or other standard slapd functionality.

On Wed, Oct 11, 2023 at 1:02 PM Ondřej Kuzník <ondra@mistotebe.net> wrote:
On Wed, Oct 11, 2023 at 12:41:21PM +0300, Volodymyr Lisnyi wrote:
> Hello Ondřej,
>
>> Most often you need pwdMaxAge and react to password expiry accordingly.
>
> can you then explain why I have pwdMaxAge in the policy but users don't
> have pwdStartTime+pwdEndTime? That's what I am trying to achieve, but I can
> not find any way to do this for now.

Hi Volodymyr,
pwdStartTime+pwdEndTime are completely independent of pwdMaxAge. And
if set on an account, they are meant to be managed by the password
administrator, not OpenLDAP.

>> slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and
>> doesn't need to store anything except pwdChangedTime to do this[0], also
>> pwdReset is independent of pwdMaxAge and you might want to check whether
>
> Maybe I was not clear, but I am saying the same: that pwdMaxAge is not ignored by
> slapd and pwdChangedTime is changed for the user during a password change, the same
> as pwdReset: TRUE being set after the password expires confirms this.

Not sure what you mean.

>> Okta has/should have manage permissions on userPassword attribute:
>> depending on its understanding of ppolicy, that might/not be appropriate -
>> having manage permissions on userPassword makes one "password
>> administrator" and affects ppolicy behaviour (again read man slapo-ppolicy
>> and the latest draft[1] for more information).
>
> there is no problem with Okta managing users' passwords, the problem is
> that Okta ignores pwdReset and doesn't ask users to change expired
> passwords.

They should either implement ppolicy themselves or let slapd do this
(e.g. by letting it handle Binds). Not much OpenLDAP can do if they
ignore important parts of the spec (especially those that have been
around for more than a decade).

>> Per the ppolicy drafts, a password is expired if pwdChangedTime+pwdMaxAge
>> is in the past
>
> does this mean that pwdEndTime must be used to understand user password
> expiration?
> And if yes, how can I enable it? Because, as I posted above, I don't see any
> flags for this, neither in "cn=passwordDefault,ou=Policies,dc=domain,dc=net" nor
> in "dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"

I can't speak for Okta and whether they even support ppolicy at all.
From what you're describing they probably don't?

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
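The expiry rule Ondřej quotes from the ppolicy draft (a password is expired when pwdChangedTime + pwdMaxAge is in the past), with pwdReset and the administrator-managed pwdStartTime/pwdEndTime window evaluated as separate signals, as an added Python example that is not part of this thread and is not OpenLDAP or Okta code. It shows what a client that does its own expiry check, rather than letting slapd handle Binds, would have to compute from the attributes named above. The entry and policy values are constructed, the function name `password_status` is hypothetical, and treating a missing pwdChangedTime as "not aged" is an assumption of this example, not documented slapd behaviour.

```python
"""Evaluate ppolicy password state from LDAP attribute values (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from a real directory. Attributes are
# given as name -> list of string values, the shape most LDAP client
# libraries return.
SAMPLE_ENTRY = {
    "uid": ["example-user"],
    "pwdChangedTime": ["20230901120000Z"],   # last password change, GeneralizedTime
    "pwdReset": ["TRUE"],                    # set by slapd after an admin reset
}
SAMPLE_POLICY = {
    "cn": ["passwordDefault"],
    "pwdMaxAge": ["2592000"],                # 30 days, in seconds
}
# Fixed "now" so the example is reproducible offline (constructed value).
SAMPLE_NOW = datetime(2023, 10, 11, 10, 2, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20231011100200Z.

    Only the UTC form with a trailing Z is handled; fractional seconds are
    accepted and dropped. Anything else is rejected rather than guessed.
    """
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime (trailing Z) is supported: %r" % value)
    body = value[:-1].split(".")[0]
    if len(body) != 14 or not body.isdigit():
        raise ValueError("unexpected GeneralizedTime: %r" % value)
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _first(attrs, name):
    """Return the first value of a (possibly absent) attribute, or None."""
    values = attrs.get(name) or []
    return values[0] if values else None


def password_status(entry, policy, now):
    """Return the three independent signals discussed in the thread.

    expires_at / expired   -> age-based expiry from pwdChangedTime + pwdMaxAge
    must_change            -> pwdReset is TRUE (user must change at next bind)
    outside_validity       -> administrator-managed pwdStartTime/pwdEndTime window
    """
    status = {
        "expires_at": None,
        "expired": False,
        "must_change": False,
        "outside_validity": False,
        "reasons": [],
    }

    # 1. Age-based expiry. A policy without pwdMaxAge, or with pwdMaxAge 0,
    #    imposes no age limit. An entry with no pwdChangedTime cannot be aged
    #    here; this example assumes "not expired" rather than inventing a date.
    max_age = int(_first(policy, "pwdMaxAge") or 0)
    changed = _first(entry, "pwdChangedTime")
    if max_age > 0 and changed is not None:
        expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
        status["expires_at"] = expires_at
        if expires_at <= now:
            status["expired"] = True
            status["reasons"].append("pwdChangedTime+pwdMaxAge is in the past")

    # 2. pwdReset: independent of pwdMaxAge, the password was set by an
    #    administrator and must be changed by the user.
    if (_first(entry, "pwdReset") or "FALSE").upper() == "TRUE":
        status["must_change"] = True
        status["reasons"].append("pwdReset is TRUE")

    # 3. Validity window managed by the password administrator, not derived
    #    from the policy at all.
    start = _first(entry, "pwdStartTime")
    end = _first(entry, "pwdEndTime")
    if start is not None and parse_generalized_time(start) > now:
        status["outside_validity"] = True
        status["reasons"].append("pwdStartTime is in the future")
    if end is not None and parse_generalized_time(end) <= now:
        status["outside_validity"] = True
        status["reasons"].append("pwdEndTime is in the past")

    return status


if __name__ == "__main__":
    for key, value in password_status(SAMPLE_ENTRY, SAMPLE_POLICY, SAMPLE_NOW).items():
        print("%-17s %s" % (key + ":", value))
```

A client that relies on this computation still needs read access to pwdChangedTime and pwdReset on the user entry and to pwdMaxAge on the policy entry; without those, the only remaining option is the one Ondřej names, letting slapd handle the Binds so the overlay enforces expiry itself.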