Hello all,

We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the 
main database. When a new entry with a userPassword defined is created, 
pwdChangedTime is not defined, so this initial userPassword never expires.

The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we 
missed some steps...), and there the pwdChangedTime is set, and naturally equal 
to createTimestamp.

The overlay is configured as follows:
dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

Is there a parameter I missed which would switch on setting pwdChangedTime at 
entry creation? Do I have to provide some other configuration elements?

Or is it unreasonable to expect this initialisation of the attribute in this way, 
and only a password change can set it? I think the setting at creation is 
rather handy... Using pwdMustChange would be difficult; we have a lot of client 
apps which would be forced to check and probably adapt their authentication 
procedures.

Thank you and regards,

Manuela

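One way to audit a directory for exactly this condition, as an added example that is not part of the original post or of OpenLDAP itself: the script parses an LDIF export (assumed to come from ldapsearch with createTimestamp and pwdChangedTime requested explicitly, since they are operational attributes), lists entries that carry a userPassword but no pwdChangedTime, and emits the modify LDIF that would set pwdChangedTime to createTimestamp, which is what the migrated 2.3.34 data had. The sample export is constructed; applying the output is assumed to need the relax-rules control (ldapmodify -e relax) because pwdChangedTime is NO-USER-MODIFICATION.

```python
import base64

# Constructed sample export: alice was created under 2.4 (no pwdChangedTime),
# bob came over from the 2.3 instance with pwdChangedTime == createTimestamp.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
createTimestamp: 20190304101500Z

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {SSHA}placeholder
createTimestamp: 20190201090000Z
pwdChangedTime: 20190201090000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict {attr_lower: [values]} per entry.
    Handles 'attr: value', base64 'attr:: value' and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines.append("")                         # terminate the last entry
    entries, current = [], {}
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def find_missing_pwdchangedtime(entries):
    """Entries that have a password but will never expire under ppolicy."""
    return [e for e in entries if "userpassword" in e and "pwdchangedtime" not in e]


def remediation_ldif(entries):
    """Modify LDIF setting pwdChangedTime to createTimestamp for affected entries."""
    out = []
    for e in find_missing_pwdchangedtime(entries):
        ts = e.get("createtimestamp", [None])[0]
        if ts is None:                       # nothing sensible to copy from
            continue
        out.append(f"dn: {e['dn'][0]}\nchangetype: modify\n"
                   f"add: pwdChangedTime\npwdChangedTime: {ts}\n")
    return "\n".join(out)
```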