On Wed, 04 Mar 2020 13:36:08 +0000
Manuela Mandache <manuela.mandache(a)protonmail.com> wrote:
Hello all,
We have a directory running on OpenLDAP 2.4.44 with the ppolicy
overlay on the main database. When a new entry with a userPassword
defined is created, pwdChangedTime is not defined, so this initial
userPassword never expires.
The directory has been migrated from its OpenLDAP 2.3.34 instance
(yes, we missed some steps...), and there the pwdChangedTime is set,
and naturally equal to createTimestamp.
The overlay is configured as follows:
dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
Is there a parameter I missed which would switch on setting
pwdChangedTime at entry creation? Do I have to provide some other
configuration elements?
Or is it unreasonable to expect this initialisation of the attribute
this way, and only a password change can set it? I think the setting
at creation is rather handy... Using pwdMustChange would be
difficult, we have a lot of client apps which would be forced to
check and probably adapt their authentication procedures.
[...]
The password attribute value must be set by a password modify extended
operation in order to set password policy in effect, see man
slapo-ppolicy(5)
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
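An added defender-side check, not part of the thread: a small POSIX shell audit that reads `ldapsearch` LDIF output and lists the entries that still have no pwdChangedTime, so that their passwords can then be reset through the password modify extended operation (ldappasswd) that Dieter's reply refers to. The base DN, the ldapi:/// URI and the sample entries are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit LDIF output from
# ldapsearch for entries that lack the operational attribute
# pwdChangedTime: with slapo-ppolicy these passwords never expire.
#
# Typical use (placeholder URI and base DN):
#   ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b dc=example,dc=com \
#       '(userPassword=*)' pwdChangedTime | entries_missing_pwdchangedtime
#
# Each DN printed can then be reset with the password modify extended
# operation, which makes ppolicy stamp pwdChangedTime, e.g.:
#   ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=bob,ou=people,dc=example,dc=com"

# Reads LDIF on stdin; prints one DN per line for every entry whose
# block carries no pwdChangedTime attribute.
entries_missing_pwdchangedtime() {
    awk '
        function flush() {
            if (dn != "" && !seen) print dn
            dn = ""; seen = 0
        }
        # a new entry starts at "dn:" (or "dn::" for base64-encoded DNs)
        /^dn:/ { flush(); dn = $0; sub(/^dn:+ */, "", dn) }
        /^pwdChangedTime:/ { seen = 1 }
        /^$/ { flush() }          # blank line ends an LDIF entry
        END { flush() }           # last entry may lack a trailing blank line
    '
}

# Constructed sample LDIF (stands in for real ldapsearch output):
# alice and carol have pwdChangedTime, bob was created with a
# userPassword in the add and never had it set.
audit_sample() {
    printf '%s\n' \
        'dn: uid=alice,ou=people,dc=example,dc=com' \
        'pwdChangedTime: 20200304133608Z' \
        '' \
        'dn: uid=bob,ou=people,dc=example,dc=com' \
        '' \
        'dn: uid=carol,ou=people,dc=example,dc=com' \
        'pwdChangedTime: 20200301000000Z' \
        '' | entries_missing_pwdchangedtime
}

audit_sample
```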