Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue.
- From: firstname.lastname@example.org
- Date: Fri, 3 Dec 2010 18:36:00 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Hallvard B Furuseth wrote:
> Howard Chu writes:
>> email@example.com wrote:
>>> Thanks. Applied a similar patch to cvs HEAD, after fixing a memory leak.
>>> Reproducing the bug:
>>> userPassword can exist without pwdChangedTime if you bypass
>>> ppolicy: Use slapadd to add an entry with userPassword, or add
>>> it to a subtree with no policy and then configure a policy.
>>> Then set up ppolicy and use ldapmodify to delete userPassword.
>> In that case the correct fix is to skip the pwdChangedTime attribute
> Well, that's what this fix does in this particular code chunk:
> Don't try to delete pwdChangedTime if it isn't there.
>> The ppolicy spec says that entries without pwdChangedTime are not
>> subject to password expiration at all.
> Sounds like a different issue, but I don't see where it says that.
> What I did find is
> 8.2.7. Policy State Updates
> If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
> updates the pwdChangedTime attribute on the entry to the current
See the definition of pwdChangedTime, section 5.3.2:
This attribute specifies the last time the entry's password was
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
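The two points in the thread, that an entry can carry userPassword without pwdChangedTime (slapadd, or a subtree that had no policy yet) and that such an entry never expires per section 5.3.2, can be checked offline. The following is an added example, not code from the ITS thread or from OpenLDAP: it parses a small constructed LDIF dump, flags entries whose password is outside expiration, evaluates pwdMaxAge for the rest, and builds the modification list for a password delete that only touches pwdChangedTime when it is actually present, which is the behaviour the fix in the thread restores. The attribute values, pwdMaxAge and the reference time are all constructed.

```python
"""Audit a slapcat/LDIF dump for ppolicy expiration state (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed LDIF: alice was loaded with slapadd (no pwdChangedTime),
# bob's password was set through ppolicy, carol has no password at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}constructedhashvalue

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}constructedhashvalue
pwdChangedTime: 20100901120000Z

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lower: [values]}).
    Folds continuation lines (leading space) and splits entries on blank lines."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries, dn, attrs = [], None, {}
    for line in folded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parse_generalized_time(value):
    """pwdChangedTime uses LDAP GeneralizedTime, e.g. 20100901120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(entries, pwd_max_age_seconds, now):
    """Classify each entry: no-password, never-expires (5.3.2), expired, or ok."""
    status = {}
    for dn, attrs in entries:
        if "userpassword" not in attrs:
            status[dn] = "no-password"
        elif "pwdchangedtime" not in attrs:
            # Section 5.3.2: without pwdChangedTime the password never expires.
            status[dn] = "never-expires"
        else:
            changed = parse_generalized_time(attrs["pwdchangedtime"][0])
            age = now - changed
            expired = pwd_max_age_seconds and age > timedelta(seconds=pwd_max_age_seconds)
            status[dn] = "expired" if expired else "ok"
    return status


def password_delete_mods(attrs):
    """Modifications for deleting userPassword from an entry with these attrs.
    pwdChangedTime is only deleted when present; deleting an absent attribute
    would fail the whole modify, which is the bug discussed in the thread."""
    mods = [("delete", "userPassword")]
    if "pwdchangedtime" in attrs:
        mods.append(("delete", "pwdChangedTime"))
    return mods


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    # Constructed policy: pwdMaxAge of 90 days, audited as of 3 Dec 2010.
    report = audit(entries, 90 * 86400, datetime(2010, 12, 3, tzinfo=timezone.utc))
    for dn, state in report.items():
        print(f"{state:14} {dn}")
    for dn, attrs in entries:
        print(dn, "->", password_delete_mods(attrs))
```

Run against a real `slapcat` dump, the "never-expires" bucket is the set of entries that silently sit outside the expiration policy until their password is next changed through ppolicy.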