Hello,
Happy Friday!
I have a script that defaults the password to the user's username and then it sets the pwdChangedTime so far back that pwdMaxAge: 62208000 triggers.
In 2.5.7, before I change the pwdChangedTime I MUST do a simple bind with dn/password before I can apply the new pwdChangedTime. I say in 2.5.7 because in 2.4.59 I don't see this behavior.
So my flow goes as follows:
ldappasswd <newpass>
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=
Flow I have to do so that the bind works:
ldappasswd <newpass>
ldapsearch -D userdn -w <newpass> &/dev/null
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:11 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132909Z 2s ago
Oct 8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002915 text=
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=3 UNBIND
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 fd=15 closed
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 ACCEPT from IP= 127.0.0.1:34044 (IP=0.0.0.0:389)
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 STARTTLS
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 RESULT oid= err=0 qtime=0.000029 etime=0.000113 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000228 nentries=1 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:14 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132911Z 3s ago
Oct 8 09:29:14 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002904 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 PASSMOD id="uid=davetest,ou=People,dc=domain,dc=net" old new
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.002618 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=4 UNBIND
Is this expected behavior?
Thank you, Dave
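An added example (not part of the post above or of OpenLDAP) that correlates slapd's per-op BIND/RESULT records with the conn-less ppolicy_bind lines, so the two failing binds in the quoted logs can be told apart: one fails with err=49 and an explicit "expired password" verdict, the other with err=49 and no ppolicy reason at all. The sample lines are constructed from the records quoted in the post; attributing a ppolicy_bind line to the most recent unresolved BIND assumes in-order logging.

```python
import re

# Constructed sample, modelled on the slapd records quoted in the post (one record per line).
SAMPLE_LOG = """\
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002915 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.002618 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?err=(\d+)')
# ppolicy_bind lines carry no conn/op; attributed to the latest BIND still awaiting its RESULT (assumes in-order logging)
PPOLICY_RE = re.compile(r'ppolicy_bind: Entry (\S+) has an expired password: (\d+) grace logins')

def correlate_binds(log_text):
    """Return one record per BIND op: dn, LDAP result code and the ppolicy expiry verdict, if any."""
    binds = {}       # (conn, op) -> record
    pending = None   # key of the most recent BIND without a RESULT yet
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            # slapd logs a BIND op twice (method=128, then mech=SIMPLE); keep a single record
            binds.setdefault(key, {"conn": key[0], "op": key[1], "dn": m.group(3),
                                   "err": None, "expired": False, "grace": None})
            pending = key
            continue
        m = PPOLICY_RE.search(line)
        if m and pending is not None:
            binds[pending]["expired"] = True
            binds[pending]["grace"] = int(m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in binds:            # RESULTs of non-BIND ops (EXT, SRCH, ...) are skipped
                binds[key]["err"] = int(m.group(3))
                if pending == key:
                    pending = None
    return [binds[k] for k in sorted(binds)]

def unexplained_failures(records):
    """Failed binds (err=49, invalidCredentials) for which slapd logged no ppolicy expiry reason."""
    return [r for r in records if r["err"] == 49 and not r["expired"]]
```

Run against the full log from the post, the two flows separate cleanly: conn=1199 shows up in unexplained_failures(), conn=1264 and conn=1265 op=2 carry the "0 grace logins" verdict.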