Hello Souji,
The attribute might be automatically added if you have defined the
pwdMaxAge in your policy.
We have it in the policy (and it was there before the upgrade from 2.4 to 2.5):

dn: cn=passwordDefault,ou=Policies,dc=domain,dc=net
...
pwdMaxAge: 31536000

But users don't have pwdEndTime; they have only pwdChangedTime: 20221219200631Z, and in case the password expires in a year they also get pwdReset: TRUE.
That is why I am not sure how to enable this pwdEndTime operation attribute (because I cannot find any flag for "dn: cn=passwordDefault,ou=Policies,dc=domain,dc=net" or "dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config").
Sorry, I missed that "If this attribute does not exist, then no restriction applies.", so pwdStartTime can be absent without any problems.
On Tue, Oct 10, 2023 at 5:58 PM Souji Thenria <mail@souji-thenria.net> wrote:
On 10/10/23 14:46, Volodymyr Lisnyi wrote:
Ok, I can add it to the user entries, but what I see is that new users also don't have this attribute. So what is the procedure (I also cannot find this in the manual) to enable it by default, because I cannot add it to the new users manually on a regular basis?
What are you trying to achieve? The attribute might be automatically added if you have defined the pwdMaxAge in your policy.
Also, from the docs it is not clear if both pwdStartTime and pwdEndTime are needed or if I can use only the last, pwdEndTime.
In my opinion the man page (slapo_ppolicy(5)) is quite clear about this:
tl;dr pwdStartTime defines when the password becomes valid and pwdEndTime defines when the password becomes invalid for a user.
pwdStartTime: This attribute specifies the time the entry's password becomes valid for authentication. Authentication attempts made before this time will fail. If this attribute does not exist, then no restriction applies.
pwdEndTime: This attribute specifies the time the entry's password becomes invalid for authentication. Authentication attempts made after this time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply.
In case pwdStartTime is greater than pwdEndTime: Note that pwdStartTime may be set to a time greater than or equal to pwdEndTime; this simply disables the account.
-- Souji Thenria
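
Added example, not part of the thread and not OpenLDAP code: a small Python model of the slapo_ppolicy(5) rules quoted above, combined with password ageing computed as pwdChangedTime + pwdMaxAge, for checking what state an entry would be in at a given time. The function names are hypothetical, grace logins and lockout are ignored, and every timestamp except the pwdChangedTime and pwdMaxAge values from the thread is constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_gt(value):
    """Parse an LDAP GeneralizedTime like 20221219200631Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(entry, pwd_max_age, now):
    """Return (state, cutoff) for one entry's operational attributes.

    entry       -- dict of attribute name -> GeneralizedTime string
    pwd_max_age -- pwdMaxAge from the policy, in seconds (0 = no ageing)
    now         -- timezone-aware datetime of the bind attempt
    """
    start = parse_gt(entry["pwdStartTime"]) if "pwdStartTime" in entry else None
    end = parse_gt(entry["pwdEndTime"]) if "pwdEndTime" in entry else None

    # pwdStartTime >= pwdEndTime leaves no valid window: account disabled.
    if start and end and start >= end:
        return "disabled", None
    # An absent attribute means that restriction does not apply.
    if start and now < start:
        return "not-yet-valid", start
    # pwdEndTime applies regardless of expiration or grace settings.
    if end and now > end:
        return "ended", end
    # Ageing is computed from pwdChangedTime + pwdMaxAge.
    if pwd_max_age and "pwdChangedTime" in entry:
        expires = parse_gt(entry["pwdChangedTime"]) + timedelta(seconds=pwd_max_age)
        return ("expired" if now > expires else "valid"), expires
    return "valid", None

if __name__ == "__main__":
    policy_max_age = 31536000                     # pwdMaxAge from the thread
    user = {"pwdChangedTime": "20221219200631Z"}  # value from the thread
    contractor = dict(user, pwdEndTime="20231101000000Z")  # constructed
    for when in ("20231010155800Z", "20231102000000Z", "20231220000000Z"):  # constructed
        t = parse_gt(when)
        print(when, password_state(user, policy_max_age, t)[0],
              password_state(contractor, policy_max_age, t)[0])
```

With the values from the thread, an entry that carries only pwdChangedTime ages out on 2023-12-19 20:06:31 UTC, while the constructed entry with pwdEndTime stops authenticating earlier, at its own end time.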