Ondřej,
that's correct for modern systems, but older systems may deal with the shadow attributes only.
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Tuesday, May 6, 2025 11:37 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: Stefan Kania stefan@kania-online.de; openldap-technical@openldap.org
Subject: [EXT] Re: Re: changing password with otp active
On Tue, May 06, 2025 at 07:36:24AM +0000, Windl, Ulrich wrote:
> The issue I see with ldappasswd and shadow password attributes being used (in 2.4) is that after a password change the shadow attributes aren't updated (causing inconsistencies between password policy and shadow attributes regarding the time of password expiration). But most likely it does not affect you...
Hi Ulrich, assuming you mean rfc2307(bis) attributes here:
With ppolicy in effect, you shouldn't need to manage the shadow attributes since all the ppolicy tracking can and should be done either in the server or by entities who understand how to process and enforce them.
This is why slapo-ppolicy doesn't deal with them in the first place.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
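
The expiration mismatch discussed in this thread, as an added example that is not part of either message: it compares the expiry implied by ppolicy (`pwdChangedTime` + `pwdMaxAge`, in seconds) with the one implied by the RFC 2307 shadow attributes (`shadowLastChange` + `shadowMax`, in days since 1970-01-01) and lists entries where the two disagree. The entries, DNs, the 90-day `pwdMaxAge` and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ppolicy_expiry(pwd_changed_time, pwd_max_age):
    """pwdChangedTime (GeneralizedTime, UTC) plus pwdMaxAge seconds; 0 = never."""
    if not pwd_changed_time or pwd_max_age <= 0:
        return None
    changed = datetime.strptime(pwd_changed_time, "%Y%m%d%H%M%SZ")
    return changed.replace(tzinfo=timezone.utc) + timedelta(seconds=pwd_max_age)

def shadow_expiry(shadow_last_change, shadow_max):
    """Both values are day counts; a missing or negative shadowMax = never."""
    if shadow_last_change is None or shadow_max is None or shadow_max < 0:
        return None
    return EPOCH + timedelta(days=shadow_last_change + shadow_max)

def find_drift(entries, pwd_max_age, tolerance=timedelta(days=1)):
    """Return (dn, ppolicy_date, shadow_date) where the two expiries disagree.

    Shadow attributes have day granularity, so up to one day of difference
    is treated as in sync.
    """
    drifted = []
    for e in entries:
        pp = ppolicy_expiry(e.get("pwdChangedTime"), pwd_max_age)
        sh = shadow_expiry(e.get("shadowLastChange"), e.get("shadowMax"))
        if pp is None or sh is None:
            continue  # only one mechanism in use: nothing to compare
        if abs(pp - sh) > tolerance:
            drifted.append((e["dn"], pp.date().isoformat(), sh.date().isoformat()))
    return drifted

# Constructed sample data (hypothetical DNs). 20214 = 2025-05-06, 20089 = 2025-01-01.
PWD_MAX_AGE = 90 * 86400  # assumed pwdMaxAge from the applicable policy entry
ENTRIES = [
    # shadowLastChange was updated together with the password: consistent
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "pwdChangedTime": "20250506093700Z", "shadowLastChange": 20214, "shadowMax": 90},
    # password changed, shadowLastChange left stale: the case from the thread
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "pwdChangedTime": "20250506093700Z", "shadowLastChange": 20089, "shadowMax": 90},
    # no shadow attributes at all: ppolicy is the only source of truth
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "pwdChangedTime": "20250506093700Z"},
]

if __name__ == "__main__":
    for dn, pp, sh in find_drift(ENTRIES, PWD_MAX_AGE):
        print(f"{dn}: ppolicy expires {pp}, shadow expires {sh}")
```
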