[Date Prev][Date Next]
Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.
Howard Chu writes:
>> Thanks. Applied a similar patch to cvs HEAD, after fixing a memory leak.
>> Reproducing the bug:
>> userPassword can exist without pwdChangedTime if you bypass
>> ppolicy: Use slapadd to add an entry with userPassword, or add
>> it to a subtree with no policy and then configure a policy.
>> Then set up ppolicy and use ldapmodify to delete userPassword.
> In that case the correct fix is to skip the pwdChangedTime attribute
Well, that's what this fix does in this particular code chunk:
Don't try to delete pwdChangedTime if it isn't there.
> The ppolicy spec says that entries without pwdChangedTime are not
> subject to password expiration at all.
Sounds like a different issue, but I don't see where it says that.
What I did find is
8.2.7. Policy State Updates
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
updates the pwdChangedTime attribute on the entry to the current