On 1/12/22 10:35, David Coutadeur wrote:
On 11/01/2022 at 16:27, Howard Chu wrote:
The ppolicy overlay sets the attribute to the current time if you have an aging policy defined. Probably it should check that pwdChangedTime does not already exist, but it is not expected for normal users to be LDAPadding entries with this operational attribute included.
I suppose an admin changing the pwdChangedTime of an entry with the relax rule is a valid use case.
This is IMO indeed a tricky one:
I find arguments for the current behaviour but also for accepting a submitted pwdChangedTime value in case the relax rules control is used.
One could argue that the distinction between the two use-cases
"admin restores userPassword/pwdChangedTime"
and
"admin sets new userPassword"
can be deferred to ACL validation. The admin must have manage privilege on pwdChangedTime for the restore to succeed.
(There's still no authz for control usage...)
Ciao, Michael.