[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.
From: hyc@symas.com
Date: Fri, 3 Dec 2010 18:36:00 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Hallvard B Furuseth wrote:
> Howard Chu writes:
>> h.b.furuseth@usit.uio.no wrote:
>>> Thanks. Applied a similar patch to cvs HEAD, after fixing a memory leak.
>>>
>>> Reproducing the bug:
>>>
>>>     userPassword can exist without pwdChangedTime if you bypass
>>>     ppolicy: Use slapadd to add an entry with userPassword, or add
>>>     it to a subtree with no policy and then configure a policy.
>>>
>>>     Then set up ppolicy and use ldapmodify to delete userPassword.
>>
>> In that case the correct fix is to skip the pwdChangedTime attribute
>> completely.
>
> Well, that's what this fix does in this particular code chunk:
> Don't try to delete pwdChangedTime if it isn't there.
>
>> The ppolicy spec says that entries without pwdChangedTime are not
>> subject to password expiration at all.
>
> Sounds like a different issue, but I don't see where it says that.
> What I did find is
>
> 8.2.7.  Policy State Updates
>
>     If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
>     updates the pwdChangedTime attribute on the entry to the current
>     time.
>
See the definition of pwdChangedTime, section 5.3.2:

5.3.2.  pwdChangedTime

    This attribute specifies the last time the entry's password was
    changed.  This is used by the password expiration policy.  If this
    attribute does not exist, the password will never expire.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: MemberOf out of sync on consumer[s]
Next by Date: (ITS#6734) Implment delta-sync based MMR
Index(es):
- Chronological
- Thread