Re: pwdChangedTime not defined when creating new entry

Am Wed, 04 Mar 2020 13:36:08 +0000 schrieb Manuela Mandache <manuela.mandache(a)protonmail.com&gt;: > Hello all, > > We have a directory running on OpenLDAP 2.4.44 with the ppolicy > overlay on the main database. When a new entry with a userPassword > defined is created, pwdChangedTime is not defined, so this initial > userPassword never expires. > > The directory has been migrated from its OpenLDAP 2.3.34 instance > (yes, we missed some steps...), and there the pwdChangedTime is set, > and naturally equal to createTimestamp. > > The overlay is configured as follows: > dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config > objectClass: olcOverlayConfig > objectClass: olcPPolicyConfig > olcOverlay: {2}ppolicy > olcPPolicyDefault: ou=ppolicy,dc=example,dc=com > olcPPolicyHashCleartext: TRUE > olcPPolicyUseLockout: TRUE > > Is there a parameter I missed which would switch on setting > pwdChangedTime at entry creation? Do I have to provide some other > configuration elements? > > Or is it unreasonable to expect this initialisation of the attribute > this way, and only a password change can set it? I think the setting > at creation is rather handy... Using pwdMustChange would be > difficult, we have a lot of client apps which would be forced to > check and probably adapt their authentication procedures. [...] The password attribute value must be set by a password modify exented operation in order to set password policy in effect, see man slapo-ppolicy(5)