Dieter Klünter dieter@dkluenter.de schrieb am 05.03.2020 um 10:10 in
Nachricht 25580_1583399661_5E60C2EC_25580_1796_1_20200305101027.4c15a1d1@pink.fritz.box:
Am Wed, 04 Mar 2020 13:36:08 +0000 schrieb Manuela Mandache manuela.mandache@protonmail.com:
Hello all,
We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires.
The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp.
The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE
Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements?
Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures.
[...] The password attribute value must be set by a password modify exented operation in order to set password policy in effect, see man slapo-ppolicy(5)
Yes, but shouldn't there be some magic to add it to all existing passweords when enabling it? Without having each user to change the password...
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Thu, 05 Mar 2020 12:22:28 +0100 schrieb "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de:
Dieter Klünter dieter@dkluenter.de schrieb am 05.03.2020 um 10:10 in
Nachricht 25580_1583399661_5E60C2EC_25580_1796_1_20200305101027.4c15a1d1@pink.fritz.box:
Am Wed, 04 Mar 2020 13:36:08 +0000 schrieb Manuela Mandache manuela.mandache@protonmail.com:
Hello all,
We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires.
The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp.
The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE
Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements?
Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures.
[...] The password attribute value must be set by a password modify exented operation in order to set password policy in effect, see man slapo-ppolicy(5)
Yes, but shouldn't there be some magic to add it to all existing passweords when enabling it? Without having each user to change the password...
Sure, man ldappasswd(1) points to some solutions, in conjunction with postread ext. Note that ldappasswd doesn't require a password string, as slapd will generate a password which can be echoed to stdout. Some magic Perl5 or Python may do all the workload. :-)
-Dieter
openldap-technical@openldap.org
-
Dieter Klünter -
Ulrich Windl