All,
The "ppolicy" overlay has been loaded to my bdb. The cn=default,ou=pwpolicies,dc=group,dc=ldap has been defined.
The pwdPolicySubentry operational attribute was added to uid=jdoe,ou=Users,dc=group,dc=ldap, as well.
Now, trying to add the pwdChangedTime attribute to the jdoe UID.
Ran "ldapadd" from the command-line:
# ldapmodify -d 4 -x -W -H ldap://ldapsrvr.group.ldap -D cn=ldapadmin,dc=group,dc=ldap
Enter LDAP Password: ############
dn: uid=jdoe,ou=Users,dc=group,dc=ldap
changetype: add
add: pwdChangedTime
pwdChangedTime: 201512231458Z
adding new entry "uid=jdoe,ou=Users,dc=group,dc=ldap"
ldap_add: Undefined attribute type (17)
additional info: add: attribute type undefined
From my reading, this should be an Operational Attribute that isn't
constrained or defined by an ObjectClass.
Thanks for the help in advance. Btw, I am running OpenLDAP 2.4.40.
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Humanitarian Assistance and Disaster Relief (HADR) Systems
244 Wood St
Lexington, MA 02420
Email: john.borresen@ll.mit.edu
Borresen, John - 0444 - MITLL wrote:
Now, trying to add the pwdChangedTime attribute to the jdoe UID.
This attribute is automatically added when userPassword is (re)set. No need to set it yourself. Therefore the attribute type description contains NO-USER-MODIFICATION.
Ciao, Michael.
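An added example, not code from this thread or from OpenLDAP itself: before trying to write an attribute it is worth reading its definition out of cn=Subschema (ldapsearch -x -H ldap://... -b cn=Subschema -s base attributeTypes) and checking for NO-USER-MODIFICATION and USAGE. The script below parses an RFC 4512 attribute type description and reports whether a client modify can ever succeed. The pwdChangedTime and mail definitions embedded in it are reproduced from memory of the ppolicy and core schema and should be treated as illustrative input, not authoritative schema. (Separately, note that the LDIF in the first post uses changetype: add, so the line "add: pwdChangedTime" was parsed as an attribute named "add", which is the undefined type the error message names; a modify needs changetype: modify, and even then ppolicy's NO-USER-MODIFICATION flag applies.)

```python
import re

# Constructed sample: the pwdChangedTime definition as shipped by slapo-ppolicy,
# reproduced from memory (illustrative only). Obtain the real one with:
#   ldapsearch -x -H ldap://... -b cn=Subschema -s base attributeTypes
PWD_CHANGED_TIME = (
    "( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' "
    "DESC 'The time the password was last changed' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION "
    "USAGE directoryOperation )"
)

# An ordinary user attribute for contrast (RFC 4519 'mail'), also constructed here.
MAIL = (
    "( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) "
    "EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )"
)


def parse_attribute_type(desc):
    """Extract the parts of an RFC 4512 AttributeTypeDescription that decide
    whether a client may write the attribute: names, USAGE, and the
    NO-USER-MODIFICATION / SINGLE-VALUE flags."""
    body = desc.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not a parenthesised attribute type description")
    body = body[1:-1].strip()
    oid, _, rest = body.partition(" ")
    info = {"oid": oid, "names": [], "usage": "userApplications",
            "no_user_modification": False, "single_value": False}
    # NAME is either a single quoted descriptor or a parenthesised list of them
    m = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", rest)
    if m:
        info["names"] = re.findall(r"'([^']*)'", m.group(1))
    m = re.search(r"\bUSAGE\s+(\w+)", rest)
    if m:
        info["usage"] = m.group(1)
    info["no_user_modification"] = bool(re.search(r"\bNO-USER-MODIFICATION\b", rest))
    info["single_value"] = bool(re.search(r"\bSINGLE-VALUE\b", rest))
    return info


def client_may_modify(desc):
    """True if an LDAP modify from a client can ever touch this attribute.
    NO-USER-MODIFICATION marks attributes the server maintains itself;
    slapd rejects client writes to them regardless of ACLs."""
    return not parse_attribute_type(desc)["no_user_modification"]


def explain(desc):
    """One-line human summary used by the demo below."""
    info = parse_attribute_type(desc)
    name = info["names"][0] if info["names"] else info["oid"]
    if info["no_user_modification"]:
        return (f"{name}: USAGE {info['usage']}, NO-USER-MODIFICATION; "
                "maintained by the server, clients cannot set it")
    return f"{name}: USAGE {info['usage']}, writable by clients with access"


if __name__ == "__main__":
    for d in (PWD_CHANGED_TIME, MAIL):
        print(explain(d))
```

On a live server the same check is one ldapsearch against cn=Subschema; the parser is just the part that turns the returned attributeTypes value into a yes/no answer.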
Thanks, I just read a post from 2007 stating that.
So, the "jdoe" account changed his password, is the attribute there in the background somewhere? The ldapsearch is not showing the pwdChangedTime attribute:
# ldapsearch -x -W -H ldap://ldapsrvr.group.ldap -D cn=ldapadmin,dc=group,dc=ldap -s base -b uid=jdoe,ou=Users,dc=group,dc=ldap +
...
dn: uid=jdoe,ou=Users,dc=group,dc=ldap
structuralObjectClass: inetOrgPerson
entryUUID: 4b5def70-1ce2-4688-8c12-f1ce4bf401b1
creatorsName: cn=ldapadmin,dc=group,dc=ldap
createTimestamp: 20140124143716Z
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=group,dc=ldap
entryCSN: 20151223153502.001325Z#000000#003#000000
modifiersName: uid=jdoe,ou=Users,dc=group,dc=ldap
modifyTimestamp: 20151223153502Z
entryDN: uid=jdoe,ou=Users,dc=group,dc=ldap
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
John D. Borresen (Dave) Email: john.borresen@ll.mit.edu
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Wednesday, December 23, 2015 10:31 AM
To: Borresen, John - 0444 - MITLL; openldap-technical@openldap.org
Subject: Re: pwdChangedTime Undefined Attribute
Thanks again Michael...
If the userPassword was changed via command-line (such as via the passwd command) the attribute pwdChangedTime does not get updated. It is only updated if the userPassword attribute is updated via either the ldapmodify or, in our case, Apache Directory Studio "Edit Value".
Is that how it should work? Or did I miss something else somewhere?
Thanks in advance.
John D. Borresen (Dave) Email: john.borresen@ll.mit.edu
Borresen, John - 0444 - MITLL wrote:
If the userPassword was changed via command-line (such as via the passwd command) the attribute pwdChangedTime does not get updated.
If you really mean 'passwd' then it's entirely a matter of your PAM installation/configuration what it sends.
It is only updated if the userPassword attribute is updated via either the ldapmodify or, in our case, Apache Directory Studio "Edit Value".
Is that how it should work? Or did I miss something else somewhere?
Regarding LDAP, the modify operation on 'userPassword' and the LDAP Password Modify Extended Operation (see RFC 3062) will make slapo-ppolicy intercept the request and set 'pwdChangedTime'.
You have to configure whatever PAM client you're using to send appropriate LDAP requests.
Ciao, Michael.
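An added example, not code from this thread or from OpenLDAP: the practical consequence of Michael's point is that any password set outside slapd's modify or RFC 3062 path (or before the overlay was loaded) leaves the entry without pwdChangedTime, and slapo-ppolicy computes expiry from that attribute, so such a password is never aged out by pwdMaxAge until it is next changed through slapd. The script below reads ldapsearch "+" output for a subtree and flags those entries. The first sample entry is modelled on the jdoe entry posted above; the second entry, the pwdMaxAge value and the reference time are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample of `ldapsearch -x ... -b ou=Users,dc=group,dc=ldap +`
# output. Entry 1 mirrors the jdoe entry from the thread (self-modified, but
# no pwdChangedTime); entry 2 is invented for contrast.
SAMPLE = """\
dn: uid=jdoe,ou=Users,dc=group,dc=ldap
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=group,dc=ldap
modifiersName: uid=jdoe,ou=Users,dc=group,dc=ldap
modifyTimestamp: 20151223153502Z
entryDN: uid=jdoe,ou=Users,dc=group,dc=ldap

dn: uid=asmith,ou=Users,dc=group,dc=ldap
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=group,dc=ldap
pwdChangedTime: 20150601120000Z
modifiersName: cn=ldapadmin,dc=group,dc=ldap
modifyTimestamp: 20150601120000Z
entryDN: uid=asmith,ou=Users,dc=group,dc=ldap

# search result
search: 2
result: 0 Success
"""

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"
PWD_MAX_AGE = 90 * 24 * 3600   # assumed pwdMaxAge of cn=default, in seconds


def parse_ldif(text):
    """Split ldapsearch output into a list of {attr: [values]} dicts.
    Joins LDIF continuation lines (leading space), skips comments, and drops
    the trailing search/result summary because it carries no dn."""
    entries, cur, last = [], {}, None

    def flush():
        nonlocal cur, last
        if "dn" in cur:
            entries.append(cur)
        cur, last = {}, None

    for line in text.splitlines():
        if not line.strip():
            flush()
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:       # continuation of previous value
            cur[last][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        last = attr.strip()
        cur.setdefault(last, []).append(value.lstrip())
    flush()
    return entries


def audit(entries, now, max_age=PWD_MAX_AGE):
    """Classify each entry's password as ppolicy would see it.
    Returns {dn: (status, age_seconds_or_None)} where status is one of
    'missing', 'missing-self-modified', 'expired', 'ok'."""
    report = {}
    for e in entries:
        dn = e["dn"][0]
        changed = e.get("pwdChangedTime")
        if not changed:
            # No pwdChangedTime: the last password set did not pass through
            # slapo-ppolicy (or predates it), so pwdMaxAge has nothing to
            # count from. If the entry was last modified by itself, that
            # self-service change is the likely culprit.
            status = "missing-self-modified" if e.get("modifiersName", [None])[0] == dn else "missing"
            report[dn] = (status, None)
            continue
        t = datetime.strptime(changed[0], GENERALIZED_TIME).replace(tzinfo=timezone.utc)
        age = int((now - t).total_seconds())
        report[dn] = ("expired" if age > max_age else "ok", age)
    return report


if __name__ == "__main__":
    ref = datetime(2015, 12, 24, tzinfo=timezone.utc)   # assumed reference time
    for dn, (status, age) in audit(parse_ldif(SAMPLE), ref).items():
        print(f"{status:22s} age={age} {dn}")
```

Run it against real output by piping ldapsearch into parse_ldif and using datetime.now(timezone.utc) as the reference time; entries reported as "missing" are the ones to force through ldappasswd (RFC 3062) or an ldapmodify of userPassword so that ppolicy stamps them.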