
Re: PPolicy: Multiple pwdGraceUseTime attributes



--On Monday, August 19, 2019 12:31 PM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:


I don't understand: Doesn't the pwdGraceUseTime record how long/often the
user may login despite an expired password? For the example given, I
assume the user has changed the password a few times since the initial
grace login. So aren't the older pwdGraceUseTime attributes removed after
the password was changed? Or can this happen if some admin changes the
password using some plain replace operation?

As noted in the slapo-ppolicy(5) man page, pwdGraceUseTime records *when* an expired password was /last/ used to authenticate as a DN. The number of times they can do that is controlled by the pwdGraceAuthnLimit attribute. What is your pwdGraceAuthnLimit setting?

And yes, the pwdGraceUseTime is cleared when the password is changed. From the slapo-ppolicy code:

       /* If we're resetting the password, make sure grace, accountlock,
        * and failure also get removed.
        */
       if ( got_pw ) {
           if ( a_grace && !got_del_grace ) {
               ml = (Modifications *) ch_malloc( sizeof( Modifications ) );
               ml->sml_op = LDAP_MOD_DELETE;
               ml->sml_flags = SLAP_MOD_INTERNAL;
               ml->sml_type.bv_val = NULL;
               ml->sml_desc = ad_pwdGraceUseTime;
               ml->sml_numvals = 0;
               ml->sml_values = NULL;
               ml->sml_nvalues = NULL;
               ml->sml_next = NULL;
               *prev = ml;
               prev = &ml->sml_next;
           }


--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
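Worked example (added to this archive page; it is not code from the thread and not OpenLDAP's own slapo-ppolicy implementation): a small Python model of the grace-login bookkeeping described above. It shows pwdGraceUseTime growing by one GeneralizedTime value per grace bind, binds being refused once the number of values reaches pwdGraceAuthnLimit, and a password change clearing pwdGraceUseTime together with pwdAccountLockedTime and pwdFailureTime, as the quoted source comment says. The function names, the policy dictionary, the sample entry and the timestamps are constructed for illustration; treating a missing pwdChangedTime as "never expires" is an assumption of this model, not something the thread states.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as ppolicy stores it, e.g. 20190819123100Z
GENTIME = "%Y%m%d%H%M%SZ"


def parse_gentime(value):
    return datetime.strptime(value, GENTIME).replace(tzinfo=timezone.utc)


def fmt_gentime(dt):
    return dt.strftime(GENTIME)


def password_expired(entry, policy, now):
    """True when pwdChangedTime + pwdMaxAge lies in the past (pwdMaxAge 0 = never)."""
    max_age = policy.get("pwdMaxAge", 0)
    if max_age == 0:
        return False
    changed = entry.get("pwdChangedTime")
    if changed is None:
        # Assumption of this model: an entry without pwdChangedTime is not expired.
        return False
    return now >= parse_gentime(changed) + timedelta(seconds=max_age)


def grace_logins_remaining(entry, policy):
    """pwdGraceAuthnLimit minus the number of pwdGraceUseTime values already recorded."""
    limit = policy.get("pwdGraceAuthnLimit", 0)
    used = len(entry.get("pwdGraceUseTime", []))
    return max(limit - used, 0)


def simulate_bind(entry, policy, now):
    """Simulate a bind whose password already verified.

    Returns (allowed, reason) and mutates the entry the way ppolicy would:
    a grace bind appends one pwdGraceUseTime value (the *when* of that bind).
    """
    if not password_expired(entry, policy, now):
        return True, "password valid"
    if grace_logins_remaining(entry, policy) == 0:
        return False, "password expired and no grace logins left"
    entry.setdefault("pwdGraceUseTime", []).append(fmt_gentime(now))
    return True, "grace login, %d remaining" % grace_logins_remaining(entry, policy)


def simulate_password_change(entry, now):
    """A password reset updates pwdChangedTime and removes grace, lockout and failure state."""
    entry["pwdChangedTime"] = fmt_gentime(now)
    for attr in ("pwdGraceUseTime", "pwdAccountLockedTime", "pwdFailureTime"):
        entry.pop(attr, None)
    return entry


def run_scenario():
    """Constructed scenario: 30-day max age, two grace logins, password last set 2019-06-01."""
    policy = {"pwdMaxAge": 30 * 86400, "pwdGraceAuthnLimit": 2}
    entry = {"pwdChangedTime": "20190601120000Z"}
    log = []
    for stamp in ("20190819123100Z", "20190819130000Z", "20190819140000Z"):
        log.append(simulate_bind(entry, policy, parse_gentime(stamp)))
    grace_values_before_change = list(entry.get("pwdGraceUseTime", []))
    simulate_password_change(entry, parse_gentime("20190819150000Z"))
    log.append(simulate_bind(entry, policy, parse_gentime("20190819150100Z")))
    return log, grace_values_before_change, entry


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

When auditing an entry from the directory, the count of pwdGraceUseTime values is therefore the number of grace binds already consumed, and grace_logins_remaining() gives what is left before the next bind is refused; a password change, whatever client performs it, is what empties the list.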