We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main
database. When a new entry with a userPassword defined is created, pwdChangedTime is not
defined, so this initial userPassword never expires.

The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some
steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp.

The overlay is configured as follows:

Is there a parameter I missed which would switch on setting pwdChangedTime at entry
creation? Do I have to provide some other configuration elements?

Or is it unreasonable to expect this initialisation of the attribute this way, and only a
password change can set it? I think the setting at creation is rather handy... Using
pwdMustChange would be difficult, we have a lot of client apps which would be forced to
check and probably adapt their authentication procedures.

Thank you and regards,
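An added example, not part of the original message: a check for the symptom described above, listing entries that carry no pwdChangedTime and so fall outside password expiry. It assumes LDIF exported with a filter such as `(userPassword=*)` and with pwdChangedTime and createTimestamp requested explicitly, since operational attributes are not returned by default; the sample LDIF, the example.org DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF: one entry with pwdChangedTime, three without
# (one plain, one with a folded DN line, one with a base64-encoded DN).
_B64_DN = base64.b64encode(
    "uid=jörg,ou=people,dc=example,dc=org".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "createTimestamp: 20170301101500Z", "pwdChangedTime: 20170301101500Z", "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "createTimestamp: 20180412083000Z", "",
    "dn: uid=carol,ou=people,dc=exa", " mple,dc=org",
    "createTimestamp: 20180413090000Z", "",
    f"dn:: {_B64_DN}",
    "createTimestamp: 20180414120000Z",
])

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def entries_without_pwd_changed_time(ldif_text):
    """Return [(dn, createTimestamp)] for entries that have no pwdChangedTime."""
    missing, entry = [], {}
    for line in unfold(ldif_text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():                   # blank line ends an entry
            if "dn" in entry and "pwdchangedtime" not in entry:
                missing.append((entry["dn"], entry.get("createtimestamp")))
            entry = {}
            continue
        if line.startswith("#"):               # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[name.lower()] = value.strip()    # attribute names are case-insensitive
    return missing

if __name__ == "__main__":
    for dn, created in entries_without_pwd_changed_time(SAMPLE_LDIF):
        print(f"no pwdChangedTime: {dn} (created {created})")
```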