On Thu, 05 Mar 2020 12:22:28 +0100,
"Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>> Dieter Klünter <dieter(a)dkluenter.de> wrote on 05.03.2020 at 10:10 in message
>>> <25580_1583399661_5E60C2EC_25580_1796_1_20200305101027.4c15a1d1(a)pink.fritz.box>:
> On Wed, 04 Mar 2020 13:36:08 +0000,
> Manuela Mandache <manuela.mandache(a)protonmail.com> wrote:
>
>> Hello all,
>>
>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>> overlay on the main database. When a new entry with a userPassword
>> defined is created, pwdChangedTime is not defined, so this initial
>> userPassword never expires.
>>
>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>> (yes, we missed some steps...), and there the pwdChangedTime is
>> set, and naturally equal to createTimestamp.
>>
>> The overlay is configured as follows:
>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {2}ppolicy
>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>>
>> Is there a parameter I missed which would switch on setting
>> pwdChangedTime at entry creation? Do I have to provide some other
>> configuration elements?
>>
>> Or is it unreasonable to expect this initialisation of the
>> attribute this way, and only a password change can set it? I think
>> the setting at creation is rather handy... Using pwdMustChange
>> would be difficult, we have a lot of client apps which would be
>> forced to check and probably adapt their authentication
>> procedures.
> [...]
> The password attribute value must be set by a password modify
> extended operation in order to set password policy in effect, see man
> slapo-ppolicy(5)
Yes, but shouldn't there be some magic to add it to all existing
passwords when enabling it? Without having each user change the
password...
Sure, man ldappasswd(1) points to some solutions, in conjunction with
postread ext.
Note that ldappasswd doesn't require a password string, as slapd will
generate a password which can be echoed to stdout.
Some magic Perl5 or Python may do all the workload. :-)
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
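The "magic Python" Dieter alludes to, as an added example that is not part of this thread and not OpenLDAP project code. It reads the LDIF that `ldapsearch -LLL ... userPassword pwdChangedTime` prints (a constructed sample is embedded), picks the entries that carry a userPassword but no pwdChangedTime, and produces one `ldappasswd` call per entry: no `-s`/`-S`, so slapd generates the new password through the password modify extended operation and echoes it, and `-e postread=pwdChangedTime` so the freshly stamped attribute is returned with the result. The URI, bind DN and password file are assumptions for illustration. The caveat Ulrich's question hints at stays: each run replaces the user's current password with the generated one, so it only fits where the generated passwords are handed out or users are reset anyway.

```python
"""Plan pwdChangedTime initialisation for entries that already have a
userPassword. Added example, stdlib only; not code from the thread.

Input : LDIF as printed by  ldapsearch -LLL ... userPassword pwdChangedTime
Output: one ldappasswd argv per entry still lacking pwdChangedTime
        (password modify extop, server-generated password, postread control).
"""
import base64
import subprocess

# Constructed sample standing in for real ldapsearch output: alice needs the
# stamp, bob already has one, the service entry has no password at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtaGFzaA==

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9YW5vdGhlci1jb25zdHJ1Y3RlZC1oYXNo
pwdChangedTime: 20200305101027Z

dn: cn=app-service,ou=services,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF records into a list of (dn, {attr_lowercase: [values]}).

    Handles folded lines (leading space) and base64 values ("attr::"),
    which is what ldapsearch emits for userPassword. Not a full LDIF parser.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                 # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line:                          # blank line ends a record
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def needs_init(attrs):
    """True when the entry has a password that ppolicy never stamped."""
    return "userpassword" in attrs and "pwdchangedtime" not in attrs


def plan(ldif_text, uri, bind_dn, passwd_file):
    """Return one ldappasswd argv per entry that still lacks pwdChangedTime."""
    cmds = []
    for dn, attrs in parse_ldif(ldif_text):
        if needs_init(attrs):
            cmds.append([
                "ldappasswd", "-H", uri, "-D", bind_dn, "-y", passwd_file,
                # no -s/-S: slapd generates the password and prints it
                "-e", "postread=pwdChangedTime",   # echo the new stamp
                dn,
            ])
    return cmds


def run(cmds, dry_run=True):
    """Print the plan, or execute it and return each command's stdout."""
    outputs = []
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
            continue
        proc = subprocess.run(argv, capture_output=True, text=True, check=True)
        outputs.append(proc.stdout)   # "New password: ..." plus the postread result
    return outputs


if __name__ == "__main__":
    # Assumed values: adjust URI, bind DN and password file to the real setup.
    run(plan(SAMPLE_LDIF, "ldap://localhost",
             "cn=admin,dc=example,dc=com", "/root/.ldappw"))
```

Feed it the real search output instead of `SAMPLE_LDIF` and switch `dry_run` off once the printed commands look right; the bind identity needs write access to userPassword, and the password comes from a file (`-y`) rather than the command line so it does not land in the process list.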