Hi!
Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
At it seems pwdLastSuccess and authTimestamp are set to the same value.
Can someone explain the logic behind it? I'm confused; do I really need the lastbind overlay?
I'm using OpenLDAP 2.5.X
Kind regards, Ulrich Windl
On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
> Hi!
> Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.
Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?
> But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled.
> At it seems pwdLastSuccess and authTimestamp are set to the same value.
> Can someone explain the logic behind it? I'm confused; do I really need the lastbind overlay?
pwdLastSuccess comes from ppolicy and as such when porting the lastbind functionality to core it was changed to support the draft v10+.
Regards,
--On Tuesday, April 29, 2025 5:06 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
> On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
> > Hi!
> > Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.
> Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?
IIRC Ulrich is using 2.5 where that is the case, instead of 2.6?
--Quanah
On Tue, Apr 29, 2025 at 04:35:18PM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, April 29, 2025 5:06 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
> > On Tue, Apr 29, 2025 at 11:51:47AM +0000, Windl, Ulrich wrote:
> > > Hi!
> > > Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed.
> > Hi Ulrich, it doesn't say that you need the overlay, does it? Can you point me to where if that's still the case?
> IIRC Ulrich is using 2.5 where that is the case, instead of 2.6?
Yes, and 2.5 has lastbind, it just doesn't have lastbind_precision which was not the question here.
And AFAIK if you want to use pwdMaxIdle in ppolicy, you can't use the overlay, you have to use core lastbind which was the point of moving at least the minimal required functionality over from contrib/. Sure, it got more complete by the time 2.6 came around.
Regards,
Hi!
I've done little testing so far, but after having posted the message below, I realized that authTimestamp and 20250429131132Z may even be different. So I'm confused even more.
Example: My user had:
pwdLastSuccess: 20250425054456Z
authTimestamp: 20250425054456Z
A manager user had:
authTimestamp: 20250429130353Z
pwdLastSuccess: 20250429131132Z
So the manager user had a pwdLastSuccess newer than authTimestamp. What could that mean? Or (asked differently): What is the exact definition of each of the attributes?
Kind regards, Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de
Sent: Tuesday, April 29, 2025 1:52 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: lastbind, pwdLastSuccess, and authTimestamp
Probably answering the question myself: I had set "olcLastBindPrecision: 21600", so it seems to affect only one of the timestamps; will the other one be updated each time, or is there a different setting?
Kind regards, Ulrich Windl
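To make the precision effect concrete, here is an added example (not code from the thread or from OpenLDAP) that replays the manager user's two bind times under a precision setting of 21600 seconds. It assumes the lastbind precision semantics: a successful bind rewrites the stored timestamp only when the old value is at least that many seconds old, while a precision of 0 rewrites it on every successful bind.

```python
"""Added example: model how a precision setting such as
olcLastBindPrecision: 21600 lets authTimestamp lag behind pwdLastSuccess.
Assumption: with precision P, a successful bind rewrites the stored value
only when the old value is at least P seconds old; P == 0 means always."""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_gt(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20250429131132Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def next_value(old: Optional[str], bind_time: str, precision: int) -> str:
    """Value the attribute holds after a successful bind at bind_time."""
    if old is None or precision <= 0:
        return bind_time
    age = (parse_gt(bind_time) - parse_gt(old)).total_seconds()
    return bind_time if age >= precision else old


def replay(binds: List[str], precision_auth: int, precision_pwd: int = 0) -> Dict[str, str]:
    """Replay a sequence of successful bind times and return the final attribute pair."""
    auth = pwd = None
    for t in binds:
        auth = next_value(auth, t, precision_auth)  # authTimestamp, precision applies
        pwd = next_value(pwd, t, precision_pwd)     # pwdLastSuccess, updated every bind
    return {"authTimestamp": auth, "pwdLastSuccess": pwd}


def lag_seconds(entry: Dict[str, str]) -> int:
    """How far pwdLastSuccess has run ahead of authTimestamp, in seconds."""
    return int((parse_gt(entry["pwdLastSuccess"]) - parse_gt(entry["authTimestamp"])).total_seconds())


# Constructed bind sequence reusing the two timestamps seen on the manager entry above.
BINDS = ["20250429130353Z", "20250429131132Z"]

if __name__ == "__main__":
    entry = replay(BINDS, precision_auth=21600)
    print(entry, "lag:", lag_seconds(entry), "s")
```

With the second bind only 459 seconds after the first, the 21600-second precision keeps authTimestamp at the older value while pwdLastSuccess moves on, which matches the pair observed on the manager entry.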
From: Windl, Ulrich u.windl@ukr.de
Sent: Monday, May 5, 2025 9:56 AM
To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org
Subject: RE: Q: lastbind, pwdLastSuccess, and authTimestamp
Hi!
Digging a bit further into it, I found:
# strings /usr/lib64/openldap/lastbind.so | grep authTimestamp
( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp' DESC 'last successful authentication using any method/mech' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )
( OLcfgCtAt:5.1 NAME 'olcLastBindPrecision' DESC 'Precision of authTimestamp attribute' EQUALITY integerMatch SYNTAX OMsInteger SINGLE-VALUE )
( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' DESC 'Allow authTimestamp updates to be forwarded via updateref' EQUALITY booleanMatch SYNTAX OMsBoolean SINGLE-VALUE )

# strings /usr/sbin/slapd | grep pwdLastSuccess
pwdLastSuccess
fe_op_lastbind: old pwdLastSuccess value=%s %lds ago
( 1.3.6.1.4.1.42.2.27.8.1.29 NAME 'pwdLastSuccess' DESC 'The timestamp of the last successful authentication' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
So the lastbind module offers delayed updates of authTimestamp, while slapd implements pwdLastSuccess directly, but does not allow delaying updates.
The other difference is that one claims directoryOperation, while the other claims dsaOperation. I only found that dsaOperation attributes should not be replicated.
Kind regards, Ulrich Windl