Hi!
I was playing with olcLastBind and pwdMaxIdle, setting up a test user and a test policy. However when the account should have been expired, nothing happened, i.e.: the user still could log in and change the password.
Here are some details from the sample (variables have a different name, but you should be able to correlate them):
ACCT_CHANGED = "20250728081545Z"
ACCT_MAX_IDLE = "250000"
AUTH_TIMESTAMP = "20250728081545Z"
CURRENT_TIME_T = "1754049116"
POLICY_CHANGED = "20250716131620Z"
POLICY_NAME = "PP-Testing"
SOURCE_NAME = "LDAP Password Policy"
USER_ID = "testuser"
I'm using the lastbind overlay and these settings:
olcLastBindPrecision: 432000
olcLastBindForwardUpdates: TRUE
My program calculated that the account had expired 1.256 days ago. Am I missing something, or is it a bug? Should there be an index on the authTimestamp attribute?
Do I have to set olcLastbind to TRUE also? (I avoided that, because in 2.5 I cannot delay updates to the attribute, and some periodic automated logins flood the syncrepl changelog that way.)
Kind regards, Ulrich Windl
On Fri, Aug 01, 2025 at 12:22:49PM +0000, Windl, Ulrich wrote:
> Hi!
> I was playing with olcLastBind and pwdMaxIdle, setting up a test user and a test policy. However when the account should have been expired, nothing happened, i.e.: the user still could log in and change the password.
> Here are some details from the sample (variables have a different name, but you should be able to correlate them):
> [...]
> I'm using the lastbind overlay and these settings:
> olcLastBindPrecision: 432000
> olcLastBindForwardUpdates: TRUE
> My program calculated that the account had expired 1.256 days ago. Am I missing something, or is it a bug? Should there be an index on the authTimestamp attribute?
> Do I have to set olcLastbind to TRUE also? (I avoided that, because in 2.5 I cannot delay updates to the attribute, and some periodic automated logins flood the syncrepl changelog that way.)
Hi Ulrich,
Yes: you should not be using the lastbind overlay at all (it sets authTimestamp) but the core functionality which exists for this purpose: the pwdLastSuccess attribute it manages is the one ppolicy decisions are meant to use. It was moved from the overlay exactly for this reason.
If the 2.5 lastbind functionality is inadequate for you, you have no choice but to move to 2.6. After all, 2.6 is the current LTS stream and 2.5 will only receive critical fixes at this point.
Regards,
openldap-technical@openldap.org
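The arithmetic behind the thread, as an added worked example (this is not code from the thread or from OpenLDAP; it models the values Ulrich posted and the point of the reply). It reproduces the "expired about 1.26 days ago" figure from the posted authTimestamp, pwdMaxIdle and CURRENT_TIME_T, shows that an idle check keyed on pwdLastSuccess (the attribute the reply says ppolicy uses) sees nothing when only the lastbind overlay's authTimestamp has been written, and models one further caveat a practitioner would want to notice: with lastbind-precision (432000 s, five days) larger than pwdMaxIdle (250000 s, under three days), authTimestamp is not refreshed by daily binds, so any check built on it can report an active user as idle-expired. The simulation of lastbind-precision is a simplification (the real overlay's boundary comparison may differ by a second); the sample entry is constructed from the posted values, and the code does not model any other ppolicy fallback.

```python
"""Model of the pwdMaxIdle / lastbind arithmetic from the thread (added example, not OpenLDAP code)."""
from datetime import datetime, timezone

MAX_IDLE = 250000            # pwdMaxIdle from the posted policy, in seconds (~2.9 days)
LASTBIND_PRECISION = 432000  # olcLastBindPrecision from the post, in seconds (5 days)
NOW = 1754049116             # CURRENT_TIME_T from the post

# Constructed entry mirroring the posted values: the slapo-lastbind overlay has written
# authTimestamp, but nothing has written pwdLastSuccess (the attribute the reply points to).
SAMPLE_ENTRY = {
    "pwdChangedTime": "20250728081545Z",
    "authTimestamp": "20250728081545Z",
}


def parse_generalized_time(value: str) -> int:
    """Convert an LDAP GeneralizedTime in the form YYYYmmddHHMMSSZ to a Unix timestamp."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def seconds_past_idle_deadline(last_activity: int, max_idle: int, now: int) -> int:
    """Seconds by which `now` exceeds last_activity + pwdMaxIdle (negative: still inside the window)."""
    return now - last_activity - max_idle


def idle_state_from_attr(entry: dict, attr: str, max_idle: int, now: int) -> str:
    """Idle-expiry verdict computed from one timestamp attribute of an entry.

    Returns 'no-data' when the attribute is absent (nothing to compare against),
    otherwise 'expired' or 'active'.
    """
    if attr not in entry:
        return "no-data"
    overdue = seconds_past_idle_deadline(parse_generalized_time(entry[attr]), max_idle, now)
    return "expired" if overdue > 0 else "active"


def simulate_lastbind_precision(bind_times, precision, stored=None):
    """Simplified model of lastbind-precision: the stored timestamp is rewritten only when
    it is more than `precision` seconds older than the new bind (assumption: the overlay's
    exact boundary comparison may differ). Returns the stored value after each bind."""
    history = []
    for t in bind_times:
        if stored is None or t - stored > precision:
            stored = t
        history.append(stored)
    return history


def main():
    auth_ts = parse_generalized_time(SAMPLE_ENTRY["authTimestamp"])
    overdue = seconds_past_idle_deadline(auth_ts, MAX_IDLE, NOW)
    print(f"authTimestamp-based: {overdue} s past deadline = {overdue / 86400:.3f} days")
    print("check keyed on pwdLastSuccess:", idle_state_from_attr(SAMPLE_ENTRY, "pwdLastSuccess", MAX_IDLE, NOW))
    print("check keyed on authTimestamp: ", idle_state_from_attr(SAMPLE_ENTRY, "authTimestamp", MAX_IDLE, NOW))

    # Precision caveat: a user binding once a day for five days never refreshes authTimestamp,
    # because precision (5 days) is larger than pwdMaxIdle (~2.9 days).
    day = 86400
    binds = [auth_ts + i * day for i in range(5)]
    stored = simulate_lastbind_precision(binds, LASTBIND_PRECISION)
    print("authTimestamp age in days after each daily bind:", [(b - s) // day for b, s in zip(binds, stored)])
    verdict = "expired" if seconds_past_idle_deadline(stored[-1], MAX_IDLE, binds[-1]) > 0 else "active"
    print("authTimestamp-based verdict immediately after the 5th daily bind:", verdict)


if __name__ == "__main__":
    main()
```

Running it prints the 108571 s (about 1.26 days) overdue figure from the posted values, 'no-data' for the pwdLastSuccess-keyed check against the posted entry, and 'expired' for a user who has just bound, which is the precision-versus-pwdMaxIdle mismatch worth fixing alongside the move to pwdLastSuccess.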