
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday 5 March 2020 18:15, Clément OUDOT <clement.ou...@worteks.com> wrote:

> On 05/03/2020 at 10:10, Dieter Klünter wrote:
>
> > On Wed, 04 Mar 2020 13:36:08 +0000,
> > Manuela Mandache manuela.manda...@protonmail.com wrote:
> >
> > > Hello all,
> > > We have a directory running on OpenLDAP 2.4.44 with the ppolicy
> > > overlay on the main database. When a new entry with a userPassword
> > > defined is created, pwdChangedTime is not defined, so this initial
> > > userPassword never expires.
> > > The directory has been migrated from its OpenLDAP 2.3.34 instance
> > > (yes, we missed some steps...), and there the pwdChangedTime is set,
> > > and naturally equal to createTimestamp.
> > > The overlay is configured as follows:
> > > dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
> > > objectClass: olcOverlayConfig
> > > objectClass: olcPPolicyConfig
> > > olcOverlay: {2}ppolicy
> > > olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
> > > olcPPolicyHashCleartext: TRUE
> > > olcPPolicyUseLockout: TRUE
> > > Is there a parameter I missed which would switch on setting
> > > pwdChangedTime at entry creation? Do I have to provide some other
> > > configuration elements?
> > > Or is it unreasonable to expect this initialisation of the attribute
> > > this way, and only a password change can set it? I think the setting
> > > at creation is rather handy... Using pwdMustChange would be
> > > difficult, we have a lot of client apps which would be forced to
> > > check and probably adapt their authentication procedures.
> > > [...]
> >
> > The password attribute value must be set by a password modify extended
> > operation in order to set password policy in effect, see man
> > slapo-ppolicy(5)
>
> Are you sure? The password modify extended operation is required for
> smbk5pwd overlay, but not for ppolicy overlay?
>
> I just tested creating an entry with a password when the ppolicy overlay
> is configured, and pwdChangedTime is indeed created.
>
> You may have a configuration issue.

Hello Clément,

Thanks for your answer. Well, if you don't get the same behavior as I do, it 
does seem I have a configuration issue. But what configuration issue can that 
be? Where should I look for it?

The present dynamic configuration of the directory running on 2.4.44 was 
obtained through direct conversion of the static configuration of the directory 
running on 2.3.34 - where the pwdChangedTime is set when I add a new entry with 
ldapadd.

Regards,

Manuela

>
> -------------------------------------------------------------------------------
>
> Clément Oudot | Identity Solutions Manager
>
> clement.ou...@worteks.com
>
> Worteks | https://www.worteks.com
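Two checks a practitioner would run before concluding the overlay is broken, as an added example that is not part of the thread and not the project's own code. First, pwdChangedTime is an operational attribute, so a plain ldapsearch does not return it unless it is requested by name (or with `+`); looking at the default attribute set after ldapadd proves nothing. Second, in OpenLDAP 2.4 the ppolicy add handler (`ppolicy_add` in servers/slapd/overlays/ppolicy.c) only stamps pwdChangedTime on a new entry when the applicable policy has a nonzero pwdMaxAge or pwdMinAge; if the entry named by olcPPolicyDefault does not exist or defines no aging, the initial password is never stamped. The script below verifies both on a live server and keeps the LDIF-parsing helpers separate so they can be exercised without one. The base DN, bind DN, `ou=people` container and password file are assumptions; the policy DN is the one from the quoted olcPPolicyDefault.

```shell
#!/bin/sh
# Added example (not from the thread): does slapo-ppolicy stamp
# pwdChangedTime on a freshly added entry? See the lead-in for why both
# checks matter. BASE_DN, BIND_DN and ou=people are assumed values.

BASE_DN="${BASE_DN:-dc=example,dc=com}"                  # assumed
POLICY_DN="${POLICY_DN:-ou=ppolicy,dc=example,dc=com}"   # from the quoted config
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"         # assumed
TEST_DN="uid=ppolicy-test-$$,ou=people,$BASE_DN"         # assumed container

# policy_has_aging: reads the pwdPolicy entry as LDIF on stdin and succeeds
# only if pwdMaxAge or pwdMinAge is present with a nonzero value. In 2.4,
# ppolicy_add sets pwdChangedTime on add only under that condition.
policy_has_aging() {
    awk '
        tolower($1) == "pwdmaxage:" || tolower($1) == "pwdminage:" {
            if ($2 + 0 > 0) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# has_pwd_changed_time: reads an entry as LDIF on stdin and succeeds if a
# pwdChangedTime value in GeneralizedTime form (YYYYMMDDhhmmssZ) is present.
has_pwd_changed_time() {
    awk '
        tolower($1) == "pwdchangedtime:" && $2 ~ /^[0-9]+Z$/ && length($2) == 15 {
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# live_check URI PASSFILE: run both checks against a real server.
live_check() {
    uri="$1"; passfile="$2"

    # 1. The default policy must exist and enable aging; request only the
    #    two attributes that matter.
    if ldapsearch -LLL -x -H "$uri" -D "$BIND_DN" -y "$passfile" \
            -b "$POLICY_DN" -s base pwdMaxAge pwdMinAge | policy_has_aging; then
        echo "policy $POLICY_DN enables password aging"
    else
        echo "policy $POLICY_DN is missing or has no nonzero pwdMaxAge/pwdMinAge;" \
             "2.4 ppolicy will not stamp pwdChangedTime on add" >&2
    fi

    # 2. Add a throwaway entry with a userPassword, then read the operational
    #    attribute back by name (it is not returned by default).
    ldapadd -x -H "$uri" -D "$BIND_DN" -y "$passfile" <<EOF
dn: $TEST_DN
objectClass: inetOrgPerson
cn: ppolicy test
sn: test
uid: ppolicy-test-$$
userPassword: $(head -c 12 /dev/urandom | base64)
EOF
    if ldapsearch -LLL -x -H "$uri" -D "$BIND_DN" -y "$passfile" \
            -b "$TEST_DN" -s base pwdChangedTime createTimestamp | has_pwd_changed_time; then
        echo "pwdChangedTime was set on add"
    else
        echo "pwdChangedTime was NOT set on add" >&2
    fi
    ldapdelete -x -H "$uri" -D "$BIND_DN" -y "$passfile" "$TEST_DN"
}

# Only talk to a server when a URI and password file are given, e.g.
#   sh ppolicy-check.sh ldap://ldap.example.com /root/.ldap-admin-pw
# Without arguments the helpers can be fed LDIF text directly.
if [ "$#" -ge 2 ]; then
    live_check "$1" "$2"
fi
```

If the first check fails, the fix is in the data, not the overlay: create or correct the pwdPolicy entry at the olcPPolicyDefault DN (objectClass pwdPolicy with pwdAttribute userPassword and a nonzero pwdMaxAge). If the policy is fine but the second check fails, the overlay is probably not instantiated on the database the test entry lands in, which is worth confirming against `olcOverlay` entries under that database in cn=config.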