On 10/10/23 14:46, Volodymyr Lisnyi wrote:
> Ok, I can add it to the user entries, but what I see is that new users
> also don't have this attribute.
> So what is the procedure (also can not find this in the manual) to
> enable it by default because I can not add it to the new users manually
> on a regular basis? 

What are you trying to archive?
The attribute might be automatically added if you have defined the
pwdMaxAge in your policy.

> Also from docs not clear if both pwdStartTime and pwdEndTime are
> needed or if I can use only the last pwdEndTime.

In my opinion the man page (slapo_ppolicy(5)) is quite clear about this:

tl;dr
pwdStartTime defines when the becomes valid and pwdEndTime defines when
the password becomes invalid for a user.

pwdStartTime:
        This attribute specifies the time the entry's password becomes valid
for authentication. Authentication attempts made before this time will
fail. If this attribute does not exist, then no restriction applies.

pwdEndTime:
        This attribute specifies the time the entry's password becomes invalid
for authentication. Authentication attempts made after this time will
fail, regardless of expiration or grace settings. If this attribute does
not exist, then this restriction does not apply.

In case pwdStartTime is greater than pwdEndTime:
Note that pwdStartTime may be set to a time greater than or equal to
pwdEndTime; this simply disables the account.

--
Souji Thenria