Ondřej, that's correct for modern systems, but older systems may deal with the shadow attributes only.
Kind regards, Ulrich Windl > -----Original Message----- > From: Ondřej Kuzník <[email protected]> > Sent: Tuesday, May 6, 2025 11:37 AM > To: Windl, Ulrich <[email protected]> > Cc: Stefan Kania <[email protected]>; openldap- > [email protected] > Subject: [EXT] Re: Re: changing password with otp active > > On Tue, May 06, 2025 at 07:36:24AM +0000, Windl, Ulrich wrote: > > The issue I see with ldappasswd and shadow password attributes being > > used (in 2.4) is that after a password change the shadow attributes > > aren't updated (causing inconsistencies between password policy and > > shadow attributes regarding the time of password expiration). But most > > likely it does not affect you... > > Hi Ulrich, > assuming you mean rfc2307(bis) attributes here: > > With ppolicy in effect, you shouldn't need to manage the shadow > attributes since all the ppolicy tracking can and should be done either > in the server or by entities who understand how to process and enforce > them. > > This is why slapo-ppolicy doesn't deal with them in the first place. > > Regards, > > -- > Ondřej Kuzník > Senior Software Engineer > Symas Corporation http://www.symas.com > Packaged, certified, and supported LDAP solutions powered by OpenLDAP
