Hi,
When doing a backup / restore on my OpenLDAP 2.5.9 instance, I faced a behaviour that I think must be defined explicitly, in draft-behera-ldap-password-policy, or at least in OpenLDAP documentation.
My backup contains an entry like this:
dn: uid=test,ou=people,ou=branch,dc=example,dc=com
cn: test
sn: test
givenName: test
uid: test
userPassword: secret
pwdChangedTime: 20220110153431Z
mail: test@domain.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
There is also a valid default password policy: (which must be defined before the users in the backup file)
dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdMinLength: 6
pwdMustChange: TRUE
pwdCheckModule: /usr/local/openldap/lib64/ppm.so
When restoring the backup with this command:
ldapadd -x -h '127.0.0.1:389' -D 'cn=Manager,dc=example,dc=com' -w 'secret' -f backup.ldif -e relax
I have an error showing that the attribute pwdChangedTime is duplicated and must not be defined twice.
I assume that the password policy does not replace my pwdChangedTime value with the current date, but duplicates the attribute.
Could you define this behaviour somewhere?
1/ Is it possible to update the pwdChangedTime attribute along with the userPassword?
2/ If so, what value should be stored? (the given value or the current date?)
3/ Optionally, update OpenLDAP code according to the defined behaviour
Thanks in advance for your answer.
Regards,
David
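A pre-restore check for the situation described in this post, added here as an example and not code from the post, from OpenLDAP or from the ppolicy overlay. It parses a backup LDIF with the standard library only (folded continuation lines and base64 values included), reports every entry that carries a stored pwdChangedTime next to userPassword, and can write a copy of the backup with that attribute stripped so the overlay sets the timestamp itself. The sample LDIF is constructed with the same shape as the entries above; the function names are this example's own.

```python
"""Scan an OpenLDAP backup LDIF for stored pwdChangedTime values before restoring it.

Added example: not OpenLDAP or ppolicy code. Standard library only.
"""
import base64

# Constructed sample backup: the policy entry first, then two user entries,
# one of which carries a pwdChangedTime from the original server.
SAMPLE_LDIF = """\
dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMustChange: TRUE

dn: uid=test,ou=people,ou=branch,dc=example,dc=com
cn: test
sn: test
givenName: test
uid: test
userPassword: secret
pwdChangedTime: 20220110153431Z
mail: test@domain.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person

dn: uid=nopwd,ou=people,ou=branch,dc=example,dc=com
cn: nopwd
sn: nopwd
uid: nopwd
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute name -> list of values.

    Attribute names keep the case found in the file (LDAP compares them
    case-insensitively); 'dn' is normalised so callers can rely on it.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if ":" not in line:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, rest = line.split(":", 1)
        name = name.strip()
        if name.lower() == "dn":
            name = "dn"
        if rest.startswith(":"):            # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def _find_key(entry, attr):
    """Case-insensitive attribute lookup; returns the stored key or None."""
    for key in entry:
        if key.lower() == attr.lower():
            return key
    return None


def find_pwd_changed_time(entries):
    """(dn, pwdChangedTime) for every entry that stores both it and userPassword."""
    hits = []
    for entry in entries:
        pwd_key = _find_key(entry, "userPassword")
        ts_key = _find_key(entry, "pwdChangedTime")
        if pwd_key and ts_key:
            hits.append((entry["dn"][0], entry[ts_key][0]))
    return hits


def strip_attribute(entries, attr):
    """Copy of the entries with one attribute removed, compared case-insensitively."""
    return [{k: list(v) for k, v in e.items() if k.lower() != attr.lower()}
            for e in entries]


def _is_safe(value):
    """True if LDIF may carry the value in clear rather than base64."""
    return (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))


def to_ldif(entries):
    """Serialise entries back to LDIF, base64-encoding values that need it."""
    blocks = []
    for entry in entries:
        lines = []
        for name, values in entry.items():
            for value in values:
                if _is_safe(value):
                    lines.append(f"{name}: {value}")
                else:
                    lines.append(f"{name}:: {base64.b64encode(value.encode()).decode()}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, stamp in find_pwd_changed_time(entries):
        print(f"{dn}: stored pwdChangedTime {stamp}")
    print(to_ldif(strip_attribute(entries, "pwdChangedTime")), end="")
```

Run against the real backup file instead of SAMPLE_LDIF to see which entries will collide with the overlay's own pwdChangedTime before running ldapadd; keep the original file if the stored timestamps must survive the restore (the relax control path from the post), or feed the stripped copy to ldapadd if letting the overlay stamp the entries with the restore time is acceptable, bearing in mind that with pwdMaxAge set this resets each user's password-expiry clock.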