Good morning,

May I suggest trying to import the backup.ldif with the default ppolicy with MaxAge=0:

>> dn: cn=default,ou=ppolicies,dc=example,dc=com
>> pwdMaxAge: 0

So that it maybe will not add pwdChangedTime operational attribute automatically, and it does not conflict when importing the account objects.
Afterwards, you can change pwdMaxAge of the default policy to your desire value.

Regards,

PS: I am not sure if it will work, but I guess it could be tried.


On Wed, Jan 12, 2022 at 10:35 AM David Coutadeur <david.coutadeur@gmail.com> wrote:
Hello,

Le 11/01/2022 à 16:27, Howard Chu a écrit :
> David Coutadeur wrote:
>> Hi,
>>
>>
>> When doing a backup / restore on my OpenLDAP 2.5.9 instance, I faced a behaviour that I think must be defined explicitely, in draft-behera-ldap-password-policy,
>> or at least in OpenLDAP documentation.
>>
>>
>> My backup contains an entry like this:
>>
>> dn: uid=test,ou=people,ou=branch,dc=example,dc=com
>> cn: test
>> sn: test
>> givenName: test
>> uid: test
>> userPassword: secret
>> pwdChangedTime: 20220110153431Z
>> mail: test@domain.com
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>>
>>
>> There is also a valid default password policy: (which must be defined before the users in the backup file)
>>
>> dn: cn=default,ou=ppolicies,dc=example,dc=com
>> objectClass: pwdPolicy
>> objectClass: pwdPolicyChecker
>> objectClass: organizationalRole
>> cn: default
>> pwdMaxAge: 7776000
>> pwdAttribute: userPassword
>> pwdCheckQuality: 2
>> pwdLockout: TRUE
>> pwdMaxFailure: 5
>> pwdMinLength: 6
>> pwdMustChange: TRUE
>> pwdCheckModule: /usr/local/openldap/lib64/ppm.so
>>
>>
>> When restoring the backup with this command:
>>
>> ldapadd -x -h '127.0.0.1:389' -D 'cn=Manager,dc=example,dc=com' -w 'secret' -f backup.ldif -e relax
>>
>> I have an error showing that the attribute pwdChangedTime is duplicated and must not be defined twice.
> Backups should be restored with slapadd. Or you should strip all operational attributes when using ldapadd.

As you can see in the entry above, there is no operational attributes
except pwdChangedTime.

I need to include pwdChangedTime, else the password won't expire at the
desired date.
>> I assume that the password policy does not replace my pwdChangedTime value with the current date, but duplicates the attribute.
> The ppolicy overlay sets the attribute to the current time if you have an aging policy defined. Probably
> it should check that pwdChangedTime does not already exist, but it is not expected for normal users to be
> LDAPadding entries with this operational attribute included.

I suppose an admin changing the pwdChangedTime of an entry with the
relax rule is a valid use case.

Thus, if it is a valid use case, we should be able to combine it with
other operations, like changing the userPassword.

So we should define the behaviour in such case.

I agree with your suggestion: it seems more interresting for the given
pwdChangedTime to take precedence over the one computed by the password
policy.

If it is ok for you, I can create an issue.

>
>> Could you define this behaviour somewhere?
>>
>> 1/ Is it possible to update the pwdChangedTime attribute along with the userPassword ?
>>
>> 2/ If so, what value should be stored? (the given value or the current date?)
>>
>> 3/ Optionally, update OpenLDAP code according to the defined behaviour
>>
>>
>> Thanks in advance for your answer.
>>
>>
>> Regards,
>>
>> David
>>
>>
>
--
David Coutadeur | IAM integrator

david.coutadeur@worteks.com
+33 7 88 46 85 34
137 boulevard de Magenta, Paris 75010

Worteks | https://www.worteks.com


--

Oscar Remírez de Ganuza Satrústegui
Technology and IT Operations
IT Services

T: +34 948425600 x803130
oscarrdg@unav.es

Universidad de Navarra


Este mensaje puede contener información confidencial. Si usted no es el destinatario del mismo o lo ha recibido por error, por favor, bórrelo de sus sistemas y comuníquelo a la mayor brevedad al remitente. Los datos personales incluidos en los correos electrónicos que intercambie con el personal de la Universidad de Navarra podrán ser almacenados en la libreta de direcciones de su interlocutor y/o en los servidores de la Universidad durante el tiempo fijado en su política interna de conservación de información. La Universidad de Navarra gestiona dichos datos con fines meramente operativos, para permitir el contacto por email entre sus trabajadores/colaboradores y terceros. Puede consultar la Política de Privacidad de la Universidad de Navarra en la dirección: https://www.unav.edu/aviso-legal

 

This email message may contain confidential information. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments.  The personal information included in email messages exchanged with employees of the University of Navarra may be stored in the database of your interlocutor and/or the servers of the University for the time-period stipulated by its internal information storage policy. The University stores such data for purely administrative purposes, to facilitate e-mail contact between its employees and third parties. The University of Navarra Privacy Policy may be accessed at https://www.unav.edu/aviso-legal      

 

Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que es necesario. Proteger el medio ambiente está en nuestras manos.
Before printing this e-mail or attachments, be sure it is necessary. 
It is in our hands to protect the environment.