2.5.7 - bind err=49 after a userPassword and pwdChangedTime update - openldap-technical

8 Oct 2021


      Hello,
Happy Friday!
I have a script that defaults the password to the user's username and then
it sets the pwdChangedTime so far back that pwdMaxAge: 62208000 triggers.
In 2.5.7 before I change the pwdChangedTime i MUST do a simple bind with
dn/password before I can apply the new pwdChangedTime. I say in 2.5.7 bc in
2.4.59 i dont see this behavior.
So my flow goes as follows:
ldappasswd <newpass>
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND
dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97
err=49 qtime=0.000026 etime=0.000262 text=
Flow i have to do so that bind works:
ldappasswd <newpass>
ldapsearch -D userdn -w <newpass> &/dev/null
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND
dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct  8 09:29:11 localhost slapd[1380194]: fe_op_lastbind: old
pwdLastSuccess value=20211008132909Z 2s ago
Oct  8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry
uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace
logins
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97
err=49 qtime=0.000016 etime=0.002915 text=
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 op=3 UNBIND
Oct  8 09:29:11 localhost slapd[1380194]: conn=1264 fd=15 closed
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 ACCEPT from IP=
127.0.0.1:34044 (IP=0.0.0.0:389)
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 STARTTLS
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 RESULT oid= err=0
qtime=0.000029 etime=0.000113 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 TLS established
tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH attr=*
altServer namingContexts supportedControl supportedExtension
supportedFeatures supportedLDAPVersion supportedSASLMechanisms
domainControllerFunctionality defaultNamingContext lastUSN
highestCommittedUSN
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SEARCH RESULT
tag=101 err=0 qtime=0.000016 etime=0.000228 nentries=1 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND
dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND
dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct  8 09:29:14 localhost slapd[1380194]: fe_op_lastbind: old
pwdLastSuccess value=20211008132911Z 3s ago
Oct  8 09:29:14 localhost slapd[1380194]: ppolicy_bind: Entry
uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace
logins
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97
err=49 qtime=0.000016 etime=0.002904 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 PASSMOD
id="uid=davetest,ou=People,dc=domain,dc=net" old new
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0
qtime=0.000016 etime=0.002618 text=
Oct  8 09:29:14 localhost slapd[1380194]: conn=1265 op=4 UNBIND
Is this expected behavior?
Thank you,
Dave