Hello,

Happy Friday!

I have a script that defaults the password to the user's username and then it sets the pwdChangedTime so far back that pwdMaxAge: 62208000 triggers.

In 2.5.7, before I change the pwdChangedTime, I MUST do a simple bind with dn/password before I can apply the new pwdChangedTime. I say in 2.5.7 because in 2.4.59 I don't see this behavior.

So my flow goes as follows:

ldappasswd <newpass>
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass> 

Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=


Flow I have to do so that bind works:

ldappasswd <newpass>
ldapsearch -D userdn -w <newpass> &>/dev/null
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>

Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct  8 09:29:11 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132909Z 2s ago
Oct  8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002915 text=
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=3 UNBIND
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 fd=15 closed
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 ACCEPT from IP=127.0.0.1:34044 (IP=0.0.0.0:389)
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 STARTTLS
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 RESULT oid= err=0 qtime=0.000029 etime=0.000113 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000228 nentries=1 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct  8 09:29:14 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132911Z 3s ago
Oct  8 09:29:14 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002904 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 PASSMOD id="uid=davetest,ou=People,dc=domain,dc=net" old new
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.002618 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=4 UNBIND

Is this expected behavior?

Thank you,
Dave
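
An added example, not part of the original message: a small Python triage script that pairs each slapd BIND with its RESULT and separates an err=49 that follows a ppolicy_bind "expired password" line from an err=49 with no expiry logged, which is the difference between the two excerpts above. The function name and reason labels are hypothetical, and matching the ppolicy_bind line to a bind by DN is an assumption.

```python
import re

BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97: bind response
EXPIRED = re.compile(r'ppolicy_bind: Entry (.+) has an expired password')

# Lines copied from the two log excerpts in the post.
SAMPLE = """\
Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:29:14 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002904 text=
"""

def classify_binds(lines):
    """Return (conn, op, err, reason) for every bind that received a RESULT."""
    pending = {}     # (conn, op) -> bind DN, until the RESULT arrives
    expired = set()  # (conn, op) pairs for which ppolicy logged an expiry
    results = []
    for line in lines:
        if m := BIND.search(line):
            pending[(int(m[1]), int(m[2]))] = m[3]
        elif m := EXPIRED.search(line):
            # ppolicy_bind lines carry no conn/op. Assumption: attribute the
            # message to the most recent unanswered bind for the same DN.
            for key in reversed(list(pending)):
                if pending[key].lower() == m[1].lower():
                    expired.add(key)
                    break
        elif m := RESULT.search(line):
            key = (int(m[1]), int(m[2]))
            if key not in pending:
                continue
            del pending[key]
            err = int(m[3])
            if err == 0:
                reason = "success"
            elif err == 49 and key in expired:
                reason = "password_expired"
            elif err == 49:
                reason = "invalid_credentials"  # no expiry logged for this bind
            else:
                reason = "other"
            results.append((*key, err, reason))
    return results

if __name__ == "__main__":
    for row in classify_binds(SAMPLE.splitlines()):
        print(row)
```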