>> Dieter Klünter <dieter(a)dkluenter.de> wrote on 05.03.2020 at 10:10 in message
<25580_1583399661_5E60C2EC_25580_1796_1_20200305101027.4c15a1d1(a)pink.fritz.box>:
On Wed, 04 Mar 2020 13:36:08 +0000,
Manuela Mandache <manuela.mandache(a)protonmail.com> wrote:
> Hello all,
>
> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
> overlay on the main database. When a new entry with a userPassword
> defined is created, pwdChangedTime is not defined, so this initial
> userPassword never expires.
>
> The directory has been migrated from its OpenLDAP 2.3.34 instance
> (yes, we missed some steps...), and there the pwdChangedTime is set,
> and naturally equal to createTimestamp.
>
> The overlay is configured as follows:
> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {2}ppolicy
> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
>
> Is there a parameter I missed which would switch on setting
> pwdChangedTime at entry creation? Do I have to provide some other
> configuration elements?
>
> Or is it unreasonable to expect this initialisation of the attribute
> this way, and only a password change can set it? I think the setting
> at creation is rather handy... Using pwdMustChange would be
> difficult, we have a lot of client apps which would be forced to
> check and probably adapt their authentication procedures.
[...]
The password attribute value must be set by a password modify extended
operation in order to set password policy in effect, see man
slapo-ppolicy(5).
Yes, but shouldn't there be some magic to add it to all existing passwords
when enabling it? Without having each user change the password...
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
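The per-user route Dieter describes is ldappasswd(1), which issues the Password Modify extended operation (RFC 3062) and so lets the overlay stamp the entry. For the "magic" asked about above, the script below is an added example, not code from the thread or from the OpenLDAP project: it turns an ldapsearch export of the password-bearing entries into a modify LDIF that copies createTimestamp into pwdChangedTime for every entry that has a userPassword but no pwdChangedTime yet, which reproduces the pwdChangedTime = createTimestamp state the 2.3 instance had. The base DN, the admin DN and the sample export are assumptions constructed for the example. It also assumes that, because pwdChangedTime is NO-USER-MODIFICATION, the generated LDIF is applied by the rootdn with the Relax Rules control (`ldapmodify -e relax`); review the output before applying it, since an entry whose createTimestamp is older than the policy's pwdMaxAge will be expired the moment the stamp lands.

```shell
#!/bin/sh
# Added example (not from the thread): backfill pwdChangedTime for entries
# that were created with a userPassword before ppolicy could stamp them.
#
# Input (stdin): LDIF as exported by, for instance (assumed base DN):
#   ldapsearch -LLL -b dc=example,dc=com '(userPassword=*)' \
#       createTimestamp pwdChangedTime
# Output (stdout): an LDIF of modify operations that copies createTimestamp
# into pwdChangedTime for every entry that has a userPassword and no
# pwdChangedTime yet. Entries that already carry pwdChangedTime (password
# already set through the extended operation) are left alone.
#
# Assumption: pwdChangedTime is NO-USER-MODIFICATION, so the result has to
# be applied by the rootdn with the Relax Rules control, e.g. (assumed DN)
#   ldapmodify -e relax -D cn=admin,dc=example,dc=com -W -f backfill.ldif

# Join LDIF continuation lines (a leading space means "continues the
# previous line"); ldapsearch wraps long values such as DNs and hashes.
unfold_ldif() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1         { printf "\n" }
                        { printf "%s", $0 }
         END            { printf "\n" }'
}

# Emit one modify record per entry that needs the attribute.
gen_pwdchangedtime_ldif() {
    unfold_ldif | awk '
        function flush() {
            if (dn != "" && haspw && !haschg && ct != "")
                printf "%s\nchangetype: modify\nreplace: pwdChangedTime\npwdChangedTime: %s\n-\n\n", dn, ct
            dn = ""; ct = ""; haspw = 0; haschg = 0
        }
        /^dn:/              { flush(); dn = $0; next }   # a base64 "dn::" line is passed through unchanged
        /^createTimestamp:/ { ct = $2; next }
        /^userPassword:/    { haspw = 1; next }           # also matches the base64 "userPassword::" form
        /^pwdChangedTime:/  { haschg = 1; next }
        /^$/                { flush(); next }
        END                 { flush() }
    '
}

# Constructed sample export (not real directory data): alice and bob were
# created with a password and never stamped; svc already has pwdChangedTime;
# the OU has no password at all. bob's DN is wrapped the way ldapsearch does it.
sample_export() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
createTimestamp: 20190312091500Z
userPassword:: e1NTSEF9c2FtcGxlaGFzaA==

dn: uid=bob,ou=people,dc=exam
 ple,dc=com
createTimestamp: 20200104120000Z
userPassword:: e1NTSEF9c2FtcGxlaGFzaA==

dn: uid=svc,ou=people,dc=example,dc=com
createTimestamp: 20200201000000Z
pwdChangedTime: 20200210000000Z
userPassword:: e1NTSEF9c2FtcGxlaGFzaA==

dn: ou=people,dc=example,dc=com
createTimestamp: 20190101000000Z
EOF
}

# Helpers for checking the result: number of modify records produced, and
# the pwdChangedTime value emitted for a given DN (empty if none).
count_modifies() { sample_export | gen_pwdchangedtime_ldif | grep -c '^changetype: modify'; }
stamp_for() {
    sample_export | gen_pwdchangedtime_ldif \
        | awk -v want="dn: $1" '$0 == want { hit = 1 } hit && /^pwdChangedTime:/ { print $2; exit }'
}

# Run against the constructed export: two records (alice, bob) are produced.
sample_export | gen_pwdchangedtime_ldif
```

In production, replace `sample_export` with the real ldapsearch pipeline and keep the generated LDIF under version control next to the change ticket, so it is clear afterwards which entries were stamped by hand rather than by the overlay.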