
(ITS#7788) pwdFailureTime and pwdChangedTime registered in user entry even if no ppolicy associated with the entry

Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


I have configured a ppolicy overlay without an olcPPolicyDefault value. So I use
pwdPolicySubentry in user entries to bind them to their policy configuration.

The ppolicy overlay is compiled into slapd, not as a module. I use the LTB package.

If I create an account without pwdPolicySubentry, the attributes pwdChangedTime
and pwdFailureTime are generated for this entry. And as the entry is never
locked (which is a normal behavior, fixed in
http://www.openldap.org/its/index.cgi?findid=6168), the number of values in
pwdFailureTime can grow indefinitely.

IMHO, no ppolicy operational attributes should be present in an entry not linked
to a password policy.
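
An audit check for the condition reported above, as an added example that is not part of the original report or of OpenLDAP: it scans an LDIF export and lists entries that carry pwdChangedTime or pwdFailureTime values but no pwdPolicySubentry, with the value counts. It assumes the export includes operational attributes (for example from ldapsearch with `+` in the attribute list); the sample entries and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample, shaped like an LDIF export with operational attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20140120101500Z
pwdFailureTime: 20140121080000Z
pwdFailureTime: 20140121080005Z
pwdFailureTime: 20140121080011Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdPolicySubentry: cn=default,ou=policies,
 dc=example,dc=com
pwdFailureTime: 20140121090000Z

dn: uid=carol,ou=people,dc=example,dc=com
"""

# ppolicy state attributes named in the report (compared lower-cased).
PPOLICY_STATE = ("pwdchangedtime", "pwdfailuretime")

def parse_ldif(text):
    """Yield (dn, Counter of lower-cased attribute names) for each entry."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, Counter()
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue  # skip comments and lines without an attribute name
            if name.lower() == "dn":
                dn = rest.lstrip(": ")  # base64 DNs (dn::) stay encoded
            else:
                attrs[name.lower()] += 1
        if dn is not None:
            yield dn, attrs

def unmanaged_ppolicy_state(text):
    """Map DN -> {attribute: value count} for entries with no pwdPolicySubentry."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        state = {a: attrs[a] for a in PPOLICY_STATE if attrs[a]}
        if state and "pwdpolicysubentry" not in attrs:
            findings[dn] = state
    return findings

if __name__ == "__main__":
    print(unmanaged_ppolicy_state(SAMPLE_LDIF))
```

Running it periodically against the same export shows whether the pwdFailureTime count on a flagged entry keeps growing.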