Hello,
Happy Friday!
I have a script that defaults the password to the user's username and then it sets the pwdChangedTime so far back that pwdMaxAge: 62208000 triggers.
In 2.5.7 before I change the pwdChangedTime I MUST do a simple bind with dn/password before I can apply the new pwdChangedTime. I say in 2.5.7 because in 2.4.59 I don't see this behavior.
So my flow goes as follows:
ldappasswd <newpass>
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=
Flow I have to do so that bind works:
ldappasswd <newpass>
ldapsearch -D userdn -w <newpass> &>/dev/null
ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
ssh with new <newpass>
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:11 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132909Z 2s ago
Oct 8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002915 text=
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=3 UNBIND
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 fd=15 closed
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 ACCEPT from IP= 127.0.0.1:34044 (IP=0.0.0.0:389)
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 STARTTLS
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=0 RESULT oid= err=0 qtime=0.000029 etime=0.000113 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000228 nentries=1 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:14 localhost slapd[1380194]: fe_op_lastbind: old pwdLastSuccess value=20211008132911Z 3s ago
Oct 8 09:29:14 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002904 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 PASSMOD id="uid=davetest,ou=People,dc=domain,dc=net" old new
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.002618 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=4 UNBIND
Is this expected behavior?
Thank you, Dave
On Fri, Oct 08, 2021 at 09:35:31AM -0400, Dave Macias wrote:
> Hello,
> Happy Friday!
> I have a script that defaults the password to the user's username and then it sets the pwdChangedTime so far back that pwdMaxAge: 62208000 triggers.
> In 2.5.7 before I change the pwdChangedTime I MUST do a simple bind with dn/password before I can apply the new pwdChangedTime. I say in 2.5.7 because in 2.4.59 I don't see this behavior.
> So my flow goes as follows:
> ldappasswd <newpass>
> ldapmodify <newPwdChangedTime> (pwdChangedTime: 20191008133434Z)
> ssh with new <newpass>
> Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" method=128
> Oct 8 09:17:06 localhost slapd[1380194]: conn=1199 op=2 RESULT tag=97 err=49 qtime=0.000026 etime=0.000262 text=
Hi Dave, I'm not sure which is the operation that fails? Who are you binding as, if "uid=davetest,ou=People,dc=domain,dc=net", why should the user have write access to its own pwdChangedTime?
> Flow I have to do so that bind works:
Again, not sure from the logs what that corresponds to (there is no MODify operation logged, etc.).
Also what are you actually trying to achieve? Is it to force the user to change their password? Shouldn't you just rely on the pwdReset attribute then?
Regards,
openldap-technical@openldap.org
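As an added example (written for this thread, not code from Dave or from OpenLDAP), the Python below mirrors the two things the thread turns on: ppolicy's pwdMaxAge age test against a backdated pwdChangedTime, and telling apart, in a slapd log, a bind that failed with err=49 because ppolicy reported an expired password from one that failed on plain bad credentials. The log lines are a constructed sample in the shape Dave quoted; the second DN (uid=other) is made up to show the non-ppolicy case.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the slapd lines quoted in the thread.
SAMPLE_LOG = """\
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 BIND dn="uid=davetest,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:11 localhost slapd[1380194]: ppolicy_bind: Entry uid=davetest,ou=People,dc=domain,dc=net has an expired password: 0 grace logins
Oct 8 09:29:11 localhost slapd[1380194]: conn=1264 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.002915 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 BIND dn="uid=other,ou=People,dc=domain,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=2 RESULT tag=97 err=49 qtime=0.000016 etime=0.000262 text=
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Oct 8 09:29:14 localhost slapd[1380194]: conn=1265 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.002618 text=
"""

def parse_generalized_time(value):
    """LDAP GeneralizedTime as slapd stores pwdChangedTime: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expired(pwd_changed_time, pwd_max_age, now):
    """ppolicy's age test: expired once pwdMaxAge seconds have passed since pwdChangedTime."""
    if isinstance(now, str):
        now = parse_generalized_time(now)
    return now - parse_generalized_time(pwd_changed_time) > timedelta(seconds=pwd_max_age)

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]+)"')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
PPOLICY_RE = re.compile(r'ppolicy_bind: Entry (\S+) has an expired password')

def failed_binds(log_text):
    """Return (conn, dn, reason) for each bind whose RESULT was err=49 (invalidCredentials).

    The ppolicy_bind line carries no conn/op tag and sits between the BIND and its
    RESULT, so it is attached to the bind still pending for that DN.
    """
    pending, out = {}, []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = [m[3], "invalid credentials"]
        elif m := PPOLICY_RE.search(line):
            for entry in pending.values():
                if entry[0] == m[1]:
                    entry[1] = "expired password (pwdMaxAge)"
        elif m := BIND_RESULT_RE.search(line):
            dn, reason = pending.pop((m[1], m[2]), (None, "unknown"))
            if m[3] == "49":
                out.append((m[1], dn, reason))
    return out

if __name__ == "__main__":
    # 2019-10-08 to 2021-10-08 is 731 days; pwdMaxAge 62208000 s is 720 days.
    print(password_expired("20191008133434Z", 62208000, "20211008132900Z"))
    for conn, dn, reason in failed_binds(SAMPLE_LOG):
        print(conn, dn, reason)
```

Run over a real slapd log at the "stats" log level, the first function answers whether a backdated pwdChangedTime is far enough back to trip the policy, and the second shows which of the err=49 binds in Dave's second flow were ppolicy expiries rather than a wrong password.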