Hi!
I noticed that one user has multiple pwdGraceUseTime attributes like this:

pwdGraceUseTime: 20190409095627Z
pwdGraceUseTime: 20190605063107Z
pwdGraceUseTime: 20190614121258Z
pwdGraceUseTime: 20190723062401Z

I don't understand: Doesn't the pwdGraceUseTime record how long/often the user may log in despite an expired password? For the example given, I assume the user has changed the password a few times since the initial grace login. So aren't the older pwdGraceUseTime attributes removed after the password was changed? Or can this happen if some admin changes the password using some plain replace operation?
Regards, Ulrich
--On Monday, August 19, 2019 12:31 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
> I don't understand: Doesn't the pwdGraceUseTime record how long/often the user may log in despite an expired password? For the example given, I assume the user has changed the password a few times since the initial grace login. So aren't the older pwdGraceUseTime attributes removed after the password was changed? Or can this happen if some admin changes the password using some plain replace operation?
As noted in the slapo-ppolicy(5) man page, pwdGraceUseTime records *when* an expired password was /last/ used to authenticate as a DN. The number of times they can do that is controlled by the pwdGraceAuthnLimit attribute. What is your pwdGraceAuthnLimit setting?
And yes, the pwdGraceUseTime is cleared when the password is changed. From the slapo-ppolicy code:
    /* If we're resetting the password, make sure grace, accountlock,
     * and failure also get removed. */
    if ( got_pw ) {
        if ( a_grace && !got_del_grace ) {
            ml = (Modifications *) ch_malloc( sizeof( Modifications ) );
            ml->sml_op = LDAP_MOD_DELETE;
            ml->sml_flags = SLAP_MOD_INTERNAL;
            ml->sml_type.bv_val = NULL;
            ml->sml_desc = ad_pwdGraceUseTime;
            ml->sml_numvals = 0;
            ml->sml_values = NULL;
            ml->sml_nvalues = NULL;
            ml->sml_next = NULL;
            *prev = ml;
            prev = &ml->sml_next;
        }
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
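As an added example (not code from this thread or from OpenLDAP), a small Python audit over an LDIF export that flags entries whose pwdGraceUseTime values either predate pwdChangedTime (values the overlay should have deleted on the password change, as the reply explains) or already reach the policy's pwdGraceAuthnLimit. The LDIF entries and the limit of 3 are constructed for the example.

```python
"""Audit pwdGraceUseTime values in an LDIF export (example code, not from OpenLDAP)."""
from datetime import datetime, timezone

# Constructed sample LDIF; the first entry mirrors the values quoted in the question.
SAMPLE_LDIF = """\
dn: uid=ulrich,ou=people,dc=example,dc=com
uid: ulrich
pwdChangedTime: 20190801120000Z
pwdGraceUseTime: 20190409095627Z
pwdGraceUseTime: 20190605063107Z
pwdGraceUseTime: 20190614121258Z
pwdGraceUseTime: 20190723062401Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdChangedTime: 20190301080000Z
pwdGraceUseTime: 20190305090000Z
"""

PWD_GRACE_AUTHN_LIMIT = 3  # assumed value of the policy's pwdGraceAuthnLimit


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued attributes kept as lists."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def gen_time(value):
    """Parse an LDAP GeneralizedTime such as 20190409095627Z into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(entries, limit):
    """Return {dn: [problems]} for entries whose grace-use history looks wrong."""
    findings = {}
    for entry in entries:
        grace = [gen_time(v) for v in entry.get("pwdGraceUseTime", [])]
        if not grace:
            continue
        problems = []
        changed = entry.get("pwdChangedTime")
        # Grace timestamps older than the last password change should have been removed.
        if changed and any(g < gen_time(changed[0]) for g in grace):
            problems.append("stale")
        # As many recorded grace logins as the policy allows: no grace logins remain.
        if len(grace) >= limit:
            problems.append("limit")
        if problems:
            findings[entry["dn"][0]] = problems
    return findings
```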