Hi,


When doing a backup / restore on my OpenLDAP 2.5.9 instance, I faced a behaviour that I think must be defined explicitly, in draft-behera-ldap-password-policy, or at least in OpenLDAP documentation.


My backup contains an entry like this:

dn: uid=test,ou=people,ou=branch,dc=example,dc=com
cn: test
sn: test
givenName: test
uid: test
userPassword: secret
pwdChangedTime: 20220110153431Z
mail: t...@domain.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person


There is also a valid default password policy (which must be defined before the users in the backup file):

dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdMinLength: 6
pwdMustChange: TRUE
pwdCheckModule: /usr/local/openldap/lib64/ppm.so


When restoring the backup with this command:

ldapadd -x -h '127.0.0.1:389' -D 'cn=Manager,dc=example,dc=com' -w 'secret' -f backup.ldif -e relax

I have an error showing that the attribute pwdChangedTime is duplicated and must not be defined twice.

I assume that the password policy does not replace my pwdChangedTime value with the current date, but duplicates the attribute.


Could you define this behaviour somewhere?

1/ Is it possible to update the pwdChangedTime attribute along with the userPassword?

2/ If so, what value should be stored? (the given value or the current date?)

3/ Optionally, update OpenLDAP code according to the defined behaviour


Thanks in advance for your answer.


Regards,

David
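One way to check a backup for the situation described in this mail before replaying it with ldapadd: the script below (an added example, not part of the original message) parses the LDIF, lists every entry that carries both userPassword and pwdChangedTime, and returns a copy with pwdChangedTime dropped from those entries, so the restore no longer carries a second value alongside the one the ppolicy overlay adds. The sample LDIF is constructed from the entry quoted above.

```python
# Added example (not from the original mail): scan an LDIF backup for entries
# that carry both userPassword and pwdChangedTime, and return a copy with the
# pwdChangedTime values removed, so the file can be replayed with ldapadd.
# Constructed sample built from the entry quoted in the mail; the folded "mail"
# line and the base64 ("::") userPassword exercise the LDIF rules of RFC 2849.
SAMPLE_LDIF = """\
dn: uid=test,ou=people,ou=branch,dc=example,dc=com
cn: test
uid: test
userPassword:: c2VjcmV0
pwdChangedTime: 20220110153431Z
mail: test@exam
 ple.com
objectClass: inetOrgPerson

dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
"""

def parse_ldif(text):
    """Split LDIF into records; each record is a list of unfolded lines."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("version:"):
            continue                    # comment or version line
        if line.startswith(" ") and current:
            current[-1] += line[1:]     # continuation of the previous line
        elif line == "":
            if current:                 # blank line ends a record
                records.append(current)
                current = []
        else:
            current.append(line)
    if current:
        records.append(current)
    return records

def attr_name(line):
    """Lower-cased attribute type of an LDIF line ('userPassword:: x' -> 'userpassword')."""
    return line.split(":", 1)[0].strip().lower()

def strip_pwd_changed_time(text):
    """Return (filtered LDIF, DNs whose pwdChangedTime was removed)."""
    touched, out = [], []
    for rec in parse_ldif(text):
        names = {attr_name(l) for l in rec}
        if {"userpassword", "pwdchangedtime"} <= names:
            touched.append(rec[0].split(":", 1)[1].strip())   # rec[0] is the dn: line
            rec = [l for l in rec if attr_name(l) != "pwdchangedtime"]
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n", touched
```

Dropping the attribute means the restored entries get a fresh change time from the overlay, so pwdMaxAge is then counted from the restore rather than from the original password change.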
