Hello Ondřej,

> Most often you need pwdMaxAge and react to password expiry accordingly.

can you then explain why I have pwdMaxAge in the policy but users don't have pwdStartTime+pwdEndTime, that's what I am trying to achieve, but can not find any way to do this for now.

> slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and doesn't need to store anything except pwdChangedTime to do this[0], also pwdReset is independent of pwdMaxAge and you might want to check whether

Maybe I was not clear, but I say the same that pwdMaxAge is not ignored by slapd and pwdChangedTime changed for the user during password change, same as pwdReset: True set after password expires confirm this.

> Okta has/should have manage permissions on userPassword attribute: depending on its understanding of ppolicy, that might/not be appropriate - having manage permissions on userPassword makes one "password administrator" and affects ppolicy behaviour (again read man slapo-ppolicy and the latest draft[1] for more information).

there is no problem with Okta managing users' passwords, the problem is that Okta ignores pwdReset and doesn't ask users to change expired passwords.

> Per the ppolicy drafts, a password is expired if pwdChangedTime+pwdMaxAge
     is in the past
[1]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy

does this mean that pwdEndTime must be used to understand user password expiration?
And if yes, how I can enable it, because as I posted above I don't see any flags for this not in "cn=passwordDefault,ou=Policies,dc=domain,dc=net" not in "dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"

On Wed, Oct 11, 2023 at 11:48 AM Ondřej Kuzník <ondra@mistotebe.net> wrote:
On Tue, Oct 10, 2023 at 09:09:52PM +0300, Volodymyr Lisnyi wrote:
>> In this case it might be just another attribute, which can be used for
>> example for a temp. guest account. In that case, a function to add it to
>> all existing users would be pointless, because it is not designed for that.
>
> This attribute is needed for regular accounts, we don't have guest
> accounts. That is why we need it on a regular basis and also need to
> propagate it to existing users.

pwdStartTime+pwdEndTime are used to set explicit password validity,
regardless of password changes. Most often you need pwdMaxAge and react
to password expiry accordingly.

>> Why do zou want to use it, does the pwdMaxAge stopped working after the
>> update?
>
> Some time ago (not sure when) okta ldap agent started ignoring "pwdReset:
> TRUE", slapd daemon doesn't ignore pwdMaxAge and correctly set "pwdReset:
> TRUE"  for accounts with expired passwords. Okta support tested this on
> their end and asked us to add pwdEndTime to users and test if this helps.
> That's why I am trying to find a way add pwdEndTime to password policy and
> propagate it to the users.

slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and
doesn't need to store anything except pwdChangedTime to do this[0], also
pwdReset is independent of pwdMaxAge and you might want to check whether
Okta has/should have manage permissions on userPassword attribute:
depending on its understanding of ppolicy, that might/not be
appropriate - having manage permissions on userPassword makes one
"password administrator" and affects ppolicy behaviour (again read man
slapo-ppolicy and the latest draft[1] for more information).

[0]. Per the ppolicy drafts, a password is expired if pwdChangedTime+pwdMaxAge
     is in the past
[1]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP