Hi!
Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
As it seems pwdLastSuccess and authTimestamp are set to the same value.
Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay?
I'm using OpenLDAP 2.5.X
Kind regards, Ulrich Windl
On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
> Hi!
> Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.

Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?

> But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
> As it seems pwdLastSuccess and authTimestamp are set to the same value.
> Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay?

pwdLastSuccess comes from ppolicy and as such when porting the lastbind functionality to core it was changed to support the draft v10+.

Regards,
--On Tuesday, April 29, 2025 5:06 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
> On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
>> Hi!
>> Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.
>
> Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?

IIRC Ulrich is using 2.5 where that is the case, instead of 2.6?

--Quanah
On Tue, Apr 29, 2025 at 04:35:18PM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, April 29, 2025 5:06 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
>> On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
>>> Hi!
>>> Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.
>>
>> Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?
>
> IIRC Ulrich is using 2.5 where that is the case, instead of 2.6?

Yes, and 2.5 has lastbind, it just doesn't have lastbind_precision which was not the question here.

And AFAIK if you want to use pwdMaxIdle in ppolicy, you can't use the overlay, you have to use core lastbind which was the point of moving at least the minimal required functionality over from contrib/. Sure, it got more complete by the time 2.6 came around.

Regards,
Hi!
I've done little testing so far, but after having posted the message below, I realized that authTimestamp and 20250429131132Z may be different even. So I'm confused even more.
Example: My user had:
pwdLastSuccess: 20250425054456Z
authTimestamp: 20250425054456Z
A manager user had:
authTimestamp: 20250429130353Z
pwdLastSuccess: 20250429131132Z
So the manager user had a pwdLastSuccess, newer than authTimestamp. What could that mean? Or (asked differently): What is the exact definition of each of the attributes?
Kind regards, Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp
Hi!
Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
As it seems pwdLastSuccess and authTimestamp are set to the same value.
Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay?
I'm using OpenLDAP 2.5.X
Kind regards, Ulrich Windl
Probably answering the question myself: I had set "olcLastBindPrecision: 21600", so it seems to affect only one of the timestamps; will the other one be updated each time, or is there a different setting?
Kind regards, Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de
Sent: Monday, May 5, 2025 9:56 AM
To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org
Subject: RE: Q: lastbind, pwdLastSuccess, and authTimestamp
Hi!
I've done little testing so far, but after having posted the message below, I realized that authTimestamp and 20250429131132Z may be different even. So I'm confused even more.
Example: My user had:
pwdLastSuccess: 20250425054456Z
authTimestamp: 20250425054456Z
A manager user had:
authTimestamp: 20250429130353Z
pwdLastSuccess: 20250429131132Z
So the manager user had a pwdLastSuccess, newer than authTimestamp. What could that mean? Or (asked differently): What is the exact definition of each of the attributes?
Kind regards, Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp
Hi!
Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
As it seems pwdLastSuccess and authTimestamp are set to the same value.
Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay?
I'm using OpenLDAP 2.5.X
Kind regards, Ulrich Windl
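The divergence reported in the last message can be reproduced with a small model; this is an added example, not part of the thread and not OpenLDAP code. It assumes that pwdLastSuccess is rewritten on every successful bind while authTimestamp is rewritten only when its stored value is at least olcLastBindPrecision seconds old; the function names are hypothetical and the third bind time in the usage is constructed.

```python
from datetime import datetime, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as it appears in the thread (UTC)

def parse_gt(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def replay_binds(entry, bind_times, precision):
    """Replay successful binds against a copy of `entry`.

    Assumed model, not OpenLDAP code: pwdLastSuccess is rewritten on every
    bind; authTimestamp is rewritten only when it is missing or at least
    `precision` seconds old.
    """
    result = dict(entry)
    for stamp in sorted(bind_times, key=parse_gt):
        now = parse_gt(stamp)
        result["pwdLastSuccess"] = stamp
        old = result.get("authTimestamp")
        if old is None or (now - parse_gt(old)).total_seconds() >= precision:
            result["authTimestamp"] = stamp
    return result

def skew_seconds(entry):
    """Seconds by which pwdLastSuccess is newer than authTimestamp."""
    delta = parse_gt(entry["pwdLastSuccess"]) - parse_gt(entry["authTimestamp"])
    return int(delta.total_seconds())

def explained_by_precision(entry, precision):
    """True when the gap is one the throttled attribute could produce."""
    return 0 <= skew_seconds(entry) < precision

def last_seen(entry):
    """Most recent recorded bind, for idle-account checks that read both attributes."""
    present = [entry[a] for a in ("pwdLastSuccess", "authTimestamp") if a in entry]
    return max(present, key=parse_gt) if present else None

PRECISION = 21600  # olcLastBindPrecision value quoted in the thread
# Values reported in the thread for the two entries.
USER = {"pwdLastSuccess": "20250425054456Z", "authTimestamp": "20250425054456Z"}
MANAGER = {"authTimestamp": "20250429130353Z", "pwdLastSuccess": "20250429131132Z"}

if __name__ == "__main__":
    replayed = replay_binds({}, ["20250429130353Z", "20250429131132Z"], PRECISION)
    print(replayed == MANAGER, skew_seconds(MANAGER), last_seen(MANAGER))
```

Under this model, an idle-account report that reads only the throttled attribute can lag the real last bind by up to the precision window, so `last_seen` takes the later of the two values.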