> In this case it might be just another attribute, which can be used for example for a temp. guest account. In that case, a function to add it to all existing users would be pointless, because it is not designed for that.

This attribute is needed for regular accounts, we don't have guest accounts. That is why we need it on a regular basis and also need to propagate it to existing users.

> Why do you want to use it, did the pwdMaxAge stop working after the update?

Some time ago (not sure when) the Okta LDAP agent started ignoring "pwdReset: TRUE"; the slapd daemon doesn't ignore pwdMaxAge and correctly sets "pwdReset: TRUE" for accounts with expired passwords. Okta support tested this on their end and asked us to add pwdEndTime to users and test if this helps. That's why I am trying to find a way to add pwdEndTime to the password policy and propagate it to the users.

On Tue, Oct 10, 2023 at 7:39 PM Souji Thenria <mail@souji-thenria.net> wrote:
On 10/10/23 16:31, Volodymyr Lisnyi wrote:
> Hello Souji,
>
>> The attribute might be automatically added if you have defined the
>> pwdMaxAge in your policy.
>
> we have it in the policy (and it was there before the upgrade from 2.4
> to 2.5)
> dn: cn=passwordDefault,ou=Policies,dc=domain,dc=net
> ...
> pwdMaxAge: 31536000
>
> but users don't have pwdEndTime, they have only
> pwdChangedTime: 20221219200631Z
> and in case the password expires in a year they also get
> pwdReset: TRUE
>
> That is why I am not sure how to enable this pwdEndTime operation
> attribute (because I can not find any flag for "dn:
> cn=passwordDefault,ou=Policies,dc=domain,dc=net" or "dn:
> olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config")

In this case it might be just another attribute, which can be used for
example for a temp. guest account. In that case, a function to add it to
all existing users would be pointless, because it is not designed for that.
Why do you want to use it, did the pwdMaxAge stop working after the
update?

> Sorry, I missed that "If this attribute does not exist, then no
> restriction applies.", so pwdStartTime can be absent without any problems.

No worries.

--
Souji Thenria
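Since the thread ends without a way to put pwdEndTime on the existing users, here is an added example (not code from the thread or from the OpenLDAP project) of the propagation step Volodymyr describes: read the pwdChangedTime of each user from an ldapsearch LDIF dump, add the policy's pwdMaxAge (31536000 seconds from the quoted policy), and emit an LDIF changetype: modify file that sets pwdEndTime to the resulting generalizedTime. The sample LDIF is constructed here; the user DNs under ou=People are made up. It assumes pwdEndTime can be written by an administrative identity with ldapmodify, which the thread itself does not confirm, and it deliberately skips entries that already carry a pwdEndTime unless asked to overwrite them.

```python
#!/usr/bin/env python3
"""Derive pwdEndTime = pwdChangedTime + pwdMaxAge and emit LDIF modify records.

Added example, not from the mailing-list thread. Assumes pwdEndTime is
writable by an admin identity via ldapmodify (an assumption, not verified here).
"""
import base64
import sys
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP generalizedTime as slapd writes it (UTC)

# Constructed sample of `ldapsearch -LLL ... pwdChangedTime pwdEndTime` output.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=domain,dc=net
pwdChangedTime: 20221219200631Z

dn: uid=bob,ou=People,dc=domain,dc=net
pwdChangedTime: 20230101120000Z
pwdEndTime: 20240101120000Z

dn: uid=carol,ou=People,dc=domain,dc=net
"""


def parse_generalized_time(value: str) -> datetime:
    """Parse YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def pwd_end_time(pwd_changed_time: str, pwd_max_age: int) -> str:
    """pwdEndTime candidate: when the last change plus pwdMaxAge (seconds) elapses."""
    end = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age)
    return format_generalized_time(end)


def parse_ldif_entries(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    and splits entries on blank lines. Enough for ldapsearch -LLL output."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if "::" in line.split(" ", 1)[0] or line.endswith("::"):
            key, _, val = line.partition("::")
            val = base64.b64decode(val.strip()).decode("utf-8")
        else:
            key, _, val = line.partition(":")
            val = val.strip()
        current.setdefault(key.strip(), []).append(val)
    if current:
        entries.append(current)
    return entries


def build_modify_ldif(entries, pwd_max_age: int, overwrite: bool = False) -> str:
    """Emit one 'changetype: modify' record per user that has a pwdChangedTime.
    Entries without pwdChangedTime are skipped (nothing to derive from), and
    entries that already have pwdEndTime are left alone unless overwrite=True."""
    records = []
    for entry in entries:
        dn = entry.get("dn", [None])[0]
        changed = entry.get("pwdChangedTime")
        if not dn or not changed:
            continue
        if entry.get("pwdEndTime") and not overwrite:
            continue
        end = pwd_end_time(changed[0], pwd_max_age)
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: pwdEndTime\npwdEndTime: {end}\n-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Usage: ldapsearch -LLL -b ou=People,dc=domain,dc=net pwdChangedTime pwdEndTime \
    #          | python3 pwdendtime.py 31536000 > set-pwdendtime.ldif
    max_age = int(sys.argv[1]) if len(sys.argv) > 1 else 31536000
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(build_modify_ldif(parse_ldif_entries(source), max_age))
```

Review the generated LDIF before feeding it to ldapmodify with an administrative bind; because pwdEndTime is an operational attribute, the server may reject the write unless the bind identity has the necessary rights (check the ppolicy schema and access rules on your server rather than assuming). The derived value only mirrors what pwdMaxAge already enforces, so a user whose pwdEndTime has passed should also be one slapd already flags with pwdReset: TRUE.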