
Re: Antw: Re: Meaning of "ppolicy_bind: Setting warning for password expiry for ... = 0 seconds"?



"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> wrote
> >>> Michael Ströder <michael@stroeder.com> wrote on 06.11.2014 at 09:16 in
> message <545B2E53.7070404@stroeder.com>:
> > Which OpenLDAP version?
> > 
> > You can search for the message in source file
> > servers/slapd/overlays/ppolicy.c
> > 
> > Reading the comment setting warn = 0 should not happen.
> > 
> > Does uid=testuser,ou=domain,dc=org really have a correct 'pwdChanged'
> > attribute value?
> 
> Hi!
> 
> You are on the right track: None of our users has a 'pwdChanged' attribute!
> Which is also not surprising, because I could not find that attribute in the
> objectclasses being used:
> objectClass: top
> objectClass: posixAccount
> objectClass: inetOrgPerson
> objectClass: shadowAccount
> 
> However I see these attributes being modified since ppolicy is active:
> pwdChangedTime
> pwdFailureTime
> pwdGraceUseTime
> pwdHistory
> 
> Could it be you meant "pwdChangedTime" instead?

Yes, I meant pwdChangedTime. Sorry for the typo.

> If so, could the problem be
> that that attribute is created only after ppolicy is active _and_ the user
> actually changed the password?

Yes.

Just look into this particular entry mentioned in the log message.

> If so, a heuristic would be to assume the password is not older than
> createTimestamp if pwdChangedTime is missing.

It's up to you whether you set pwdChangedTime in existing entries. It will be
set when the user changes the password.

You can set it with an LDAP client using the Relax Rules Control with an
identity which has manage privilege.

Ciao, Michael.
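The back-fill Michael describes, as an added example that is not part of the thread: a small Python script that takes entries exported with their operational attributes, applies Ulrich's heuristic (missing pwdChangedTime is derived from createTimestamp), and emits the LDIF to be pushed with ldapmodify's Relax Rules control. The sample entries, the DNs and the timestamps are constructed for the example; pwdChangedTime is an operational NO-USER-MODIFICATION attribute in the ppolicy schema, which is why the Relax Rules control and an identity with manage privilege are needed to write it. Entries that already carry pwdChangedTime are left alone, and entries without a createTimestamp are reported rather than guessed.

```python
"""Generate LDIF that back-fills pwdChangedTime for entries lacking it.

Added example, not code from the mailing-list thread.  Assumes the entries
were exported with operational attributes (ldapsearch ... '+') and that the
resulting LDIF is applied with `ldapmodify -e relax` by an identity that has
manage privilege, since pwdChangedTime is NO-USER-MODIFICATION.
"""
from datetime import datetime, timezone

# Constructed sample export (not real data): one entry already has
# pwdChangedTime, one lacks it (the case behind the "= 0 seconds" log
# line), one has no createTimestamp to derive anything from.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=domain,dc=org",
     "createTimestamp": "20120301120000Z",
     "pwdChangedTime": "20140901080000Z"},
    {"dn": "uid=testuser,ou=domain,dc=org",
     "createTimestamp": "20130515093000Z"},
    {"dn": "uid=broken,ou=domain,dc=org"},
]

# GeneralizedTime as slapd writes it for createTimestamp/pwdChangedTime.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse YYYYmmddHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def backfill_value(entry):
    """Return the pwdChangedTime to set for entry, or None if nothing to do.

    Heuristic from the thread: if pwdChangedTime is missing, assume the
    password is no older than createTimestamp.  Raises ValueError when
    there is no createTimestamp, so the operator sees those entries
    instead of slapd receiving a guess.
    """
    if "pwdChangedTime" in entry:
        return None
    ts = entry.get("createTimestamp")
    if ts is None:
        raise ValueError("%s: no createTimestamp to derive from" % entry["dn"])
    # Round-trip through datetime so a malformed value fails here, not in slapd.
    return parse_generalized_time(ts).strftime(GENERALIZED_TIME)


def ldif_for(entry):
    """One LDIF modify record adding pwdChangedTime, or "" if none is needed.

    'add' rather than 'replace': if the user changed the password between
    export and import, slapd rejects the record instead of overwriting
    the real value.
    """
    value = backfill_value(entry)
    if value is None:
        return ""
    return ("dn: %s\nchangetype: modify\nadd: pwdChangedTime\n"
            "pwdChangedTime: %s\n-\n\n" % (entry["dn"], value))


def build_ldif(entries):
    """Return (ldif_text, skipped_messages) for a list of exported entries."""
    records, skipped = [], []
    for entry in entries:
        try:
            records.append(ldif_for(entry))
        except ValueError as exc:
            skipped.append(str(exc))
    return "".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(SAMPLE_ENTRIES)
    print(ldif, end="")
    for message in skipped:
        print("# skipped:", message)
```

Write the output to a file and apply it with `ldapmodify -e relax -H <uri> -D <manage identity> -W -f backfill.ldif`; without `-e relax` slapd refuses the modification of a NO-USER-MODIFICATION attribute, and without manage privilege in the ACLs the control is not enough. Keep in mind the heuristic only bounds the password age from above: an account whose password was imported from elsewhere may have a password older than its createTimestamp, so the resulting expiry is generous, not strict.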