[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7788) pwdFailureTime and pwdChangedTime registered in user entry even if no ppolicy associated with the entry

To: openldap-its@OpenLDAP.org
Subject: (ITS#7788) pwdFailureTime and pwdChangedTime registered in user entry even if no ppolicy associated with the entry
From: coudot@linagora.com
Date: Thu, 16 Jan 2014 16:53:46 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)


Hi,

I have configured a ppolicy overlay without olcPPolicyDefault value. So I use
pwdPolicySubentry in user entries to bind them to their policy configuration
entry.

Overlay ppolicy is compiled in slapd, not as module. I use LTB package.

If I create an account without pwdPolicySubentry, the attributes pwdChangedTime
and pwdFailureTime are generated for this entry. And as the entry is never
locked (which is a normal behavior, fixed in
http://www.openldap.org/its/index.cgi?findid=6168), the number of values in
pwdFailureTime can grow indefinitely.

IMHO, no ppolicy operational attributes should be present in an entry not linked
to a password policy.

Prev by Date: Re: (ITS#7787) Authentication success if password is expired and password must be changed
Next by Date: (ITS#7789) Unreliable mdb_env_set_mapsize()
Index(es):
- Chronological
- Thread