>>> Dieter Klünter <dieter(a)dkluenter.de&gt; schrieb am 05.03.2020 um >>> 10:10 in Nachricht <25580_1583399661_5E60C2EC_25580_1796_1_20200305101027.4c15a1d1(a)pink.fritz.box&gt;: > Am Wed, 04 Mar 2020 13:36:08 +0000 > schrieb Manuela Mandache <manuela.mandache(a)protonmail.com&gt;: > >> Hello all, >> >> We have a directory running on OpenLDAP 2.4.44 with the ppolicy >> overlay on the main database. When a new entry with a userPassword >> defined is created, pwdChangedTime is not defined, so this initial >> userPassword never expires. >> >> The directory has been migrated from its OpenLDAP 2.3.34 instance >> (yes, we missed some steps...), and there the pwdChangedTime is >> set, and naturally equal to createTimestamp. >> >> The overlay is configured as follows: >> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config >> objectClass: olcOverlayConfig >> objectClass: olcPPolicyConfig >> olcOverlay: {2}ppolicy >> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com >> olcPPolicyHashCleartext: TRUE >> olcPPolicyUseLockout: TRUE >> >> Is there a parameter I missed which would switch on setting >> pwdChangedTime at entry creation? Do I have to provide some other >> configuration elements? >> >> Or is it unreasonable to expect this initialisation of the >> attribute this way, and only a password change can set it? I think >> the setting at creation is rather handy... Using pwdMustChange >> would be difficult, we have a lot of client apps which would be >> forced to check and probably adapt their authentication >> procedures. > [...] > The password attribute value must be set by a password modify > exented operation in order to set password policy in effect, see man > slapo-ppolicy(5) Yes, but shouldn't there be some magic to add it to all existing passweords when enabling it? Without having each user to change the password...