Hello Ondřej,
> Most often you need pwdMaxAge and react to password expiry accordingly.
can you then explain why I have pwdMaxAge in the policy but users don't
have pwdStartTime+pwdEndTime, that's what I am trying to achieve, but can
not find any way to do this for now.
> slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and
doesn't need to store anything except pwdChangedTime to do this[0], also
pwdReset is independent of pwdMaxAge and you might want to check whether
Maybe I was not clear, but I say the same that pwdMaxAge is not ignored by
slapd and pwdChangedTime changed for the user during password change, same
as pwdReset: True set after password expires confirm this.
> Okta has/should have manage permissions on userPassword attribute:
depending on its understanding of ppolicy, that might/not be appropriate -
having manage permissions on userPassword makes one "password
administrator" and affects ppolicy behaviour (again read man slapo-ppolicy
and the latest draft[1] for more information).
there is no problem with Okta managing users' passwords, the problem is
that Okta ignores pwdReset and doesn't ask users to change expired
passwords.
> Per the ppolicy drafts, a password is expired if pwdChangedTime+pwdMaxAge
is in the past
[1]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy
does this mean that pwdEndTime must be used to understand user password
expiration?
And if yes, how I can enable it, because as I posted above I don't see any
flags for this not in "cn=passwordDefault,ou=Policies,dc=domain,dc=net" not
in "dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
On Wed, Oct 11, 2023 at 11:48 AM Ondřej Kuzník <[email protected]> wrote:
> On Tue, Oct 10, 2023 at 09:09:52PM +0300, Volodymyr Lisnyi wrote:
> >> In this case it might be just another attribute, which can be used for
> >> example for a temp. guest account. In that case, a function to add it to
> >> all existing users would be pointless, because it is not designed for
> that.
> >
> > This attribute is needed for regular accounts, we don't have guest
> > accounts. That is why we need it on a regular basis and also need to
> > propagate it to existing users.
>
> pwdStartTime+pwdEndTime are used to set explicit password validity,
> regardless of password changes. Most often you need pwdMaxAge and react
> to password expiry accordingly.
>
> >> Why do zou want to use it, does the pwdMaxAge stopped working after the
> >> update?
> >
> > Some time ago (not sure when) okta ldap agent started ignoring "pwdReset:
> > TRUE", slapd daemon doesn't ignore pwdMaxAge and correctly set "pwdReset:
> > TRUE" for accounts with expired passwords. Okta support tested this on
> > their end and asked us to add pwdEndTime to users and test if this helps.
> > That's why I am trying to find a way add pwdEndTime to password policy
> and
> > propagate it to the users.
>
> slapd doesn't ignore pwdMaxAge if a policy is in effect (check!) and
> doesn't need to store anything except pwdChangedTime to do this[0], also
> pwdReset is independent of pwdMaxAge and you might want to check whether
> Okta has/should have manage permissions on userPassword attribute:
> depending on its understanding of ppolicy, that might/not be
> appropriate - having manage permissions on userPassword makes one
> "password administrator" and affects ppolicy behaviour (again read man
> slapo-ppolicy and the latest draft[1] for more information).
>
> [0]. Per the ppolicy drafts, a password is expired if
> pwdChangedTime+pwdMaxAge
> is in the past
> [1].
> https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy
>
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
>
