Hi!

I’ve done little testing so far, but after having posted the message below, I realized that authTimestamp and 20250429131132Z may be different even. So I’m confused even more.

Example:

My user had:

pwdLastSuccess: 20250425054456Z
authTimestamp: 20250425054456Z

A manager user had:

authTimestamp: 20250429130353Z
pwdLastSuccess: 20250429131132Z

So the manager user had a pwdLastSuccess newer than authTimestamp. What could that mean?

Or (asked differently): What is the exact definition of each of the attributes?

Kind regards,
Ulrich Windl

From: Windl, Ulrich <u.windl@ukr.de>
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp

Hi!

Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However, to do that, the lastbind module/overlay is needed.
But the latter sets authTimestamp.
Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.

As it seems, pwdLastSuccess and authTimestamp are set to the same value.

Can someone explain the logic behind? I’m confused; do I really need the lastbind overlay?

I’m using OpenLDAP 2.5.X

Kind regards,
Ulrich Windl
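
To measure how far the two attributes diverge per entry before relying on either for stale-account checks, the following Python is an added example and not part of the original messages. It assumes unwrapped, non-base64 LDIF output; the DNs are constructed, and the timestamps are the ones quoted in the reply above.

```python
from datetime import datetime, timezone

# Constructed input: the DNs are made up; the timestamps are the ones quoted above.
SAMPLE_LDIF = """\
dn: uid=user,dc=example,dc=org
pwdLastSuccess: 20250425054456Z
authTimestamp: 20250425054456Z

dn: uid=manager,dc=example,dc=org
authTimestamp: 20250429130353Z
pwdLastSuccess: 20250429131132Z

dn: uid=neverbound,dc=example,dc=org
"""

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20250429131132Z (fraction optional)."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC value ending in Z: {value!r}")
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def lastbind_deltas(ldif_text):
    """Map each DN to pwdLastSuccess - authTimestamp in seconds, or None
    when either attribute is missing. Assumes unwrapped, non-base64 LDIF."""
    deltas = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs[name.lower()] = value.strip()
        if "dn" not in attrs:
            continue
        try:
            auth = parse_generalized_time(attrs["authtimestamp"])
            pwd = parse_generalized_time(attrs["pwdlastsuccess"])
        except KeyError:
            # One or both timestamps were never written for this entry.
            deltas[attrs["dn"]] = None
            continue
        deltas[attrs["dn"]] = (pwd - auth).total_seconds()
    return deltas

if __name__ == "__main__":
    for dn, delta in lastbind_deltas(SAMPLE_LDIF).items():
        print(dn, "attribute missing" if delta is None else f"{delta:+.0f}s")
```

A positive value means pwdLastSuccess is the newer of the two, as in the manager entry.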