Hi!

Digging a bit further into it, I found:

# strings /usr/lib64/openldap/lastbind.so | grep authTimestamp

( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp' DESC 'last successful authentication using any method/mech' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )

( OLcfgCtAt:5.1 NAME 'olcLastBindPrecision' DESC 'Precision of authTimestamp attribute' EQUALITY integerMatch SYNTAX OMsInteger SINGLE-VALUE )

( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' DESC 'Allow authTimestamp updates to be forwarded via updateref' EQUALITY booleanMatch SYNTAX OMsBoolean SINGLE-VALUE )

# strings /usr/sbin/slapd | grep pwdLastSuccess

pwdLastSuccess

fe_op_lastbind: old pwdLastSuccess value=%s %lds ago

( 1.3.6.1.4.1.42.2.27.8.1.29 NAME 'pwdLastSuccess' DESC 'The timestamp of the last successful authentication' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

So the lastbind module offers delayed updates of authTimestamp, while slapd implements pwdLastSuccess directly, but does not allow delaying of updates.

The other difference is that one claims directoryOperation, while the other claims dsaOperation. I only found that dsaOperation attributes should not be replicated.

Kind regards,

Ulrich Windl
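The three schema definitions quoted above are plain RFC 4512 attribute type descriptions, and the question of which timestamp gets replicated comes down to the USAGE keyword in each. The following parser is an added example written for this thread; it is not code from the mail, from the lastbind overlay or from OpenLDAP. It tokenises such descriptions, applies the RFC 4512 default of userApplications when USAGE is absent, and flags an attribute as not replicated when its usage is dsaOperation, which is the reading taken from the mail and is stated as an assumption in the code. The three definitions from the `strings` output are embedded as constructed input so it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input for this example: the attribute-type definitions that
# `strings` pulled out of lastbind.so and slapd in the mail above.
SCHEMA_LINES = [
    "( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp' DESC 'last successful authentication using any method/mech' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
    "( 1.3.6.1.4.1.42.2.27.8.1.29 NAME 'pwdLastSuccess' DESC 'The timestamp of the last successful authentication' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( OLcfgCtAt:5.1 NAME 'olcLastBindPrecision' DESC 'Precision of authTimestamp attribute' EQUALITY integerMatch SYNTAX OMsInteger SINGLE-VALUE )",
]

# Tokens of an RFC 4512 AttributeTypeDescription: quoted strings, parentheses, bare words.
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\S+")

FLAG_KEYWORDS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
VALUE_KEYWORDS = {"SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX"}


@dataclass
class AttributeType:
    oid: str
    names: list = field(default_factory=list)
    desc: Optional[str] = None
    fields: dict = field(default_factory=dict)   # SUP/EQUALITY/ORDERING/SUBSTR/SYNTAX/X-*
    flags: set = field(default_factory=set)      # OBSOLETE, SINGLE-VALUE, ...
    usage: str = "userApplications"              # RFC 4512 default when USAGE is absent

    @property
    def operational(self) -> bool:
        """Operational attributes are only returned when requested by name."""
        return self.usage != "userApplications"

    @property
    def replicated(self) -> bool:
        """Assumption taken from the mail's reading: dsaOperation values stay local to the DSA."""
        return self.usage.lower() != "dsaoperation"


def _unquote(tok: str) -> str:
    return tok[1:-1] if tok.startswith("'") and tok.endswith("'") else tok


def _read_qdescrs(toks, i):
    """Read one quoted descriptor or a parenthesised list of them; return (values, next_index)."""
    if toks[i] == "(":
        i += 1
        out = []
        while toks[i] != ")":
            out.append(_unquote(toks[i]))
            i += 1
        return out, i + 1
    return [_unquote(toks[i])], i + 1


def parse_attribute_type(text: str) -> AttributeType:
    """Parse a single '( oid ... )' attribute type description."""
    toks = TOKEN_RE.findall(text.strip())
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("expected a parenthesised attribute type description")
    at = AttributeType(oid=toks[1])
    i, end = 2, len(toks) - 1
    while i < end:
        kw = toks[i]
        i += 1
        if kw == "NAME":
            at.names, i = _read_qdescrs(toks, i)
        elif kw == "DESC":
            at.desc = _unquote(toks[i])
            i += 1
        elif kw == "USAGE":
            at.usage = toks[i]
            i += 1
        elif kw in VALUE_KEYWORDS:
            at.fields[kw] = toks[i]
            i += 1
        elif kw in FLAG_KEYWORDS:
            at.flags.add(kw)
        elif kw.startswith("X-"):
            at.fields[kw], i = _read_qdescrs(toks, i)  # extensions, kept verbatim
        else:
            raise ValueError(f"unexpected token {kw!r} in {at.oid}")
    return at


def replication_report(lines) -> dict:
    """Map each attribute name to (usage, operational, replicated)."""
    report = {}
    for line in lines:
        at = parse_attribute_type(line)
        for name in at.names:
            report[name] = (at.usage, at.operational, at.replicated)
    return report


if __name__ == "__main__":
    for name, (usage, op, rep) in replication_report(SCHEMA_LINES).items():
        print(f"{name:22} usage={usage:18} operational={op!s:5} replicated={rep}")
```

Run against the three quoted definitions, the report shows authTimestamp as dsaOperation (operational, local to the DSA under the assumption above) and pwdLastSuccess as directoryOperation (operational, replicated), while olcLastBindPrecision carries no USAGE and therefore defaults to userApplications; that is the distinction the mail draws, made checkable against any other schema line pulled from a binary or from cn=subschema.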

From: Windl, Ulrich <u.windl@ukr.de>
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp

Hi!

Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However, to do that the lastbind module/overlay is needed.

But the latter sets authTimestamp.

Slapo-ppolicy documents that authTimestamp (provided by the lastbind module) is set when lastbind is enabled.

As it seems, pwdLastSuccess and authTimestamp are set to the same value.

Can someone explain the logic behind this? I’m confused; do I really need the lastbind overlay?

I’m using OpenLDAP 2.5.X.

Kind regards,

Ulrich Windl