Hi!

I was playing with olcLastBind and pwdMaxIdle, setting up a test user and a test policy.

However, when the account should have been expired, nothing happened, i.e. the user still could log in and change the password.

Here are some details from the sample (variables have a different name, but you should be able to correlate them):

ACCT_CHANGED        = "20250728081545Z"
ACCT_MAX_IDLE       = "250000"
AUTH_TIMESTAMP      = "20250728081545Z"
CURRENT_TIME_T      = "1754049116"
POLICY_CHANGED      = "20250716131620Z"
POLICY_NAME         = "PP-Testing"
SOURCE_NAME         = "LDAP Password Policy"
USER_ID             = "testuser"

I’m using the lastbind overlay and these settings:

olcLastBindPrecision: 432000
olcLastBindForwardUpdates: TRUE

My program calculated that the account had expired 1.256 days ago.

Am I missing something, or is it a bug?

Should there be an index on the authTimestamp attribute?

Do I have to set olcLastBind to TRUE also? (I avoided that, because in 2.5 I cannot delay updates to the attribute, and some periodic automated logins flood the syncrepl changelog that way.)

Kind regards,

Ulrich Windl
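
The idle calculation described in the post, as an added example (not the poster's program and not OpenLDAP code): it reproduces the expiry arithmetic from the sample values and shows how the lastbind precision bounds what a stored authTimestamp can prove. It assumes pwdMaxIdle counts seconds from the last recorded bind and that the lastbind overlay leaves authTimestamp unchanged while it is younger than olcLastBindPrecision; the function names are hypothetical, and the code says nothing about which attribute slapd itself evaluates.

```python
from datetime import datetime, timezone

DAY = 86400


def parse_generalized_time(value: str) -> int:
    """Convert an LDAP GeneralizedTime in UTC (e.g. 20250728081545Z) to epoch seconds."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled in this example")
    body = value[:-1].split(".")[0]  # drop optional fractional seconds
    dt = datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def idle_status(auth_timestamp: str, max_idle: int, now: int, precision: int = 0) -> dict:
    """Audit-side view of an idle deadline derived from a stored bind timestamp."""
    recorded = parse_generalized_time(auth_timestamp)
    deadline = recorded + max_idle
    overdue = now - deadline
    # Assumption: binds within `precision` seconds of the stored value are not
    # written back, so the real last bind may be this much later (never after now).
    latest_possible_bind = min(recorded + precision, now)
    return {
        "deadline": deadline,
        "overdue_seconds": overdue,
        "overdue_days": overdue / DAY,
        # Idle limit exceeded if the stored timestamp is taken at face value.
        "expired_by_recorded_time": overdue > 0,
        # Idle limit exceeded even if a bind happened at the latest unrecorded moment.
        "provably_idle": now - latest_possible_bind > max_idle,
        # A precision larger than the idle limit means the stored value can
        # lag by more than the whole idle window.
        "precision_exceeds_max_idle": precision > max_idle,
    }


if __name__ == "__main__":
    # Values copied from the post above.
    result = idle_status("20250728081545Z", 250000, 1754049116, precision=432000)
    for key, val in result.items():
        print(f"{key:28} {val}")
```

With the posted values the recorded timestamp is past its deadline, but because 432000 is larger than 250000 the stored value alone cannot show that the account was really unused for the whole idle period.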