[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.

Howard Chu writes:
>h.b.furuseth@usit.uio.no wrote:
>> Thanks. Applied a similar patch to cvs HEAD, after fixing a memory leak.
>> Reproducing the bug:
>>    userPassword can exist without pwdChangedTime if you bypass
>>    ppolicy: Use slapadd to add an entry with userPassword, or add
>>    it to a subtree with no policy and then configure a policy.
>>    Then set up ppolicy and use ldapmodify to delete userPassword.
> In that case the correct fix is to skip the pwdChangedTime attribute 
> completely.

Well, that's what this fix does in this particular code chunk:
Don't try to delete pwdChangedTime if it isn't there.

> The ppolicy spec says that entries without pwdChangedTime are not 
> subject to password expiration at all.

Sounds like a different issue, but I don't see where it says that.
What I did find is

8.2.7.  Policy State Updates

   If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
   updates the pwdChangedTime attribute on the entry to the current