On Wed, Oct 11, 2023 at 02:42:06PM +0300, Volodymyr Lisnyi wrote:
> Hello Ondřej,
>> pwdStartTime+pwdEndTime are completely independent of pwdMaxAge. And if set on an account, they are meant to be managed by the password administrator, not OpenLDAP.
> This is very interesting. Where can I read information about this to prove to Okta support that the Okta LDAP daemon must respect pwdChangedTime or pwdReset, because pwdStartTime+pwdEndTime isn't managed by the OpenLDAP security policy?
Hi, you should read the latest ppolicy draft[0] and the ppolicy manpage[1]. It also depends on what kind of service Okta is meant to provide for you.
I can't speak for Okta and whether they even support ppolicy at all. From what you're describing they probably don't?
> Anyway, they need to somehow get the user password expiration date, but from what you post about pwdStartTime+pwdEndTime (managed by the password administrator), it seems like the only way is to use the pwdChangedTime user attribute - pwdMaxAge policy attribute, or rely on pwdReset. But these are just additional thoughts, which I will forward to them after confirmation that pwdStartTime+pwdEndTime is meant to be managed by the password administrator. Also, "password administrator" in the context of slapd means that a human (or some script) adds/removes/updates pwdStartTime+pwdEndTime for each user, and this cannot be done by an overlay/policy or other standard slapd functionality.
The password administrator is defined in the draft[0]. Okta can be it; that just affects how certain features are (not) triggered.
To find out when a password expires, you can follow the spec[2]. The ppolicy overlay also implements the old Netscape password usability control and advertises itself as such in rootDSE, just use the control (oid 1.3.6.1.4.1.42.2.27.9.5.8) and with the right privileges you will be given feedback about the account's validity.
[0] https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy
[1] https://openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&...
[2] https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#n...
Regards,
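The computation discussed in the thread (password expiry from pwdChangedTime plus pwdMaxAge, pwdReset as a must-change flag, and pwdStartTime/pwdEndTime evaluated on their own rather than derived from pwdMaxAge), written out as an added example. This is not code from the thread, from OpenLDAP or from Okta; it reads ppolicy attribute values that a client would have fetched from the entry and the policy subentry, assumes the `YYYYmmddHHMMSSZ` GeneralizedTime form slapd writes, and uses constructed sample values.

```python
# Added example: derive password expiry and validity from ppolicy
# operational attributes, following the thread's reading of the draft
# (pwdChangedTime + pwdMaxAge, pwdReset, and the independent
# pwdStartTime/pwdEndTime window). All attribute values below are constructed.
from datetime import datetime, timedelta, timezone
from typing import Optional

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # the form slapd writes, e.g. 20231011114206Z


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC; fractional seconds are dropped."""
    if "." in value:
        value = value.split(".", 1)[0] + "Z"
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def password_expiry(entry: dict, policy: dict) -> Optional[datetime]:
    """Return when the password expires, or None if it never does.

    pwdMaxAge of 0 (or absent) means passwords do not age; without a
    pwdChangedTime there is nothing to age from.
    """
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or changed is None:
        return None
    return parse_generalized_time(changed) + timedelta(seconds=max_age)


def account_status(entry: dict, policy: dict, now: datetime) -> str:
    """Classify the account at time `now`.

    pwdStartTime/pwdEndTime are checked on their own: they bound when the
    password may be used at all and are not derived from pwdMaxAge.
    """
    if entry.get("pwdReset") == "TRUE":
        return "must_change"  # administrator reset it; the user must change it
    start = entry.get("pwdStartTime")
    if start and now < parse_generalized_time(start):
        return "not_yet_valid"
    end = entry.get("pwdEndTime")
    if end and now >= parse_generalized_time(end):
        return "ended"
    expiry = password_expiry(entry, policy)
    if expiry is not None and now >= expiry:
        return "expired"
    return "ok"


# Constructed sample data: a 90-day policy and a user whose password
# was last changed on 2023-09-01.
POLICY = {"pwdMaxAge": "7776000"}  # 90 days in seconds
USER = {"pwdChangedTime": "20230901120000Z"}

if __name__ == "__main__":
    now = datetime(2023, 10, 11, 14, 42, 6, tzinfo=timezone.utc)
    print("expires:", password_expiry(USER, POLICY).isoformat())
    print("status:", account_status(USER, POLICY, now))
```

A client that only has `pwdChangedTime` and the policy's `pwdMaxAge` can compute the expiry this way; an administrator-set `pwdStartTime`/`pwdEndTime` has to be read and honoured separately, which is why the two checks are kept apart above.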