Wednesday, March 16, 2022

[389-users] Re: passwordExpirationTime vs password admin

On 3/16/22 2:28 PM, Mike Wohlgemuth wrote:
> Here's a test performed with Apache Directory Studio to bind as a user with ACI access to change the password, as logged within our audit log (I sanitized his hashes) which shows only that the pwdUpdateTime attribute is updated but not the passwordExpirationTime, before replication of the change happens:
>
>
> time: 20220314160259
> dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
> result: 0
> changetype: modify
> delete: userPassword
> userPassword:: DELETED HASH
> -
> add: userPassword
> userPassword:: DELETED HASH
> -
> replace: modifiersName
> modifiersName: uid=jesidm.admin,ou=special users,dc=neu,dc=edu
> -
> replace: modifyTimestamp
> modifyTimestamp: 20220314200259Z
> -
>
>
>
> time: 20220314160301
> dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
> result: 0
> changetype: modify
> replace: pwdUpdateTime
> pwdUpdateTime: 20220314200259Z
> -
>
>
>
> time: 20220314161119
> dn: cn=repl keep alive 2,dc=neu,dc=edu
> result: 0
> changetype: modify
> replace: keepalivetimestamp
> keepalivetimestamp: 20220314201119Z
> -
> replace: modifiersName
> modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20220314201119Z
> -
>
>
>
> When the same transaction is performed as Directory Manager, we see the following in our audit logs:
>
>
>
> time: 20220314161734
> dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
> result: 0
> changetype: modify
> delete: userPassword
> userPassword:: DELETED HASH
> -
> add: userPassword
> userPassword:: DELETED HASH
> -
> replace: modifiersname
> modifiersname: cn=directory manager
> -
> replace: modifytimestamp
> modifytimestamp: 20220314201734Z
> -
>
>
>
> time: 20220314161734
> dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
> result: 0
> changetype: modify
> replace: passwordExpirationTime
> passwordExpirationTime: 20230314201734Z
> -
> replace: passwordExpWarned
> passwordExpWarned: 0
> -
>
>
>
> time: 20220314161939
> dn: cn=repl keep alive 2,dc=neu,dc=edu
> result: 0
> changetype: modify
> replace: keepalivetimestamp
> keepalivetimestamp: 20220314201939Z
> -
> replace: modifiersName
> modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20220314201939Z
> -
>
>
>
> I do find it unusual that in this last case, the pwdUpdateTime isn't updated...

It is odd.  I don't see this behavior in our latest version, but once I
get your settings I'll try and reproduce it again.

Can you share the output from the following commands?

# dsconf slapd-YOUR_INSTANCE pwpolicy get

# dsconf slapd-YOUR_INSTANCE localpwp list

Then for each DN (if any) run:

# dsconf slapd-YOUR_INSTANCE localpwp get <DN>


Thanks,

Mark

>
> Thanks!
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
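
The by-eye comparison of the two audit-log excerpts quoted above can be scripted. This is an added example, not code from the thread or from the 389 Directory Server project; it assumes blank-line-separated records in the quoted layout, and the helper names, DNs and values are constructed for illustration.

```python
import re

OP = re.compile(r"^(add|replace|delete): (\S+)$", re.M | re.I)

def parse_records(text):
    """Yield (time, dn, result, attrs_touched, modifier) per audit-log record."""
    for block in re.split(r"\n\s*\n(?=time: )", text.strip()):
        hdr = dict(re.findall(r"^(time|dn|result): (.*)$", block, re.M))
        attrs = {attr.lower() for _, attr in OP.findall(block)}
        who = re.search(r"^modifiersname: (.*)$", block, re.M | re.I)
        yield (hdr["time"], hdr["dn"].lower(), hdr.get("result"),
               attrs, who.group(1) if who else None)

def missing_expiration_updates(text):
    """Successful userPassword changes with no passwordExpirationTime update
    for the same DN in that record or any later one: [(dn, time, modifier)]."""
    pending = {}
    for time, dn, result, attrs, who in parse_records(text):
        if result != "0":
            continue  # failed operations changed nothing
        if "userpassword" in attrs:
            pending[dn] = (time, who)
        if "passwordexpirationtime" in attrs:
            pending.pop(dn, None)
    return [(dn, t, who) for dn, (t, who) in pending.items()]

def rec(time, dn, *pairs):
    """Build one constructed record in the layout quoted in the thread."""
    ops = "".join(f"replace: {a}\n{a}: {v}\n-\n" for a, v in pairs)
    return f"time: {time}\ndn: {dn}\nresult: 0\nchangetype: modify\n{ops}"

# Constructed sample: placeholder DNs, hashes elided.
U1, U2 = "uid=user1,ou=people,dc=example,dc=com", "uid=user2,ou=people,dc=example,dc=com"
SAMPLE = "\n".join([
    rec("20220314160259", U1, ("userPassword", "ELIDED"),
        ("modifiersName", "uid=pwadmin,ou=special users,dc=example,dc=com")),
    rec("20220314160301", U1, ("pwdUpdateTime", "20220314200259Z")),
    rec("20220314161734", U2, ("userPassword", "ELIDED"),
        ("modifiersName", "cn=directory manager")),
    rec("20220314161734", U2, ("passwordExpirationTime", "20230314201734Z"),
        ("passwordExpWarned", "0")),
])

if __name__ == "__main__":
    for dn, t, who in missing_expiration_updates(SAMPLE):
        print(f"{dn}: password changed at {t} by {who}, no passwordExpirationTime update")
```

Whether a flagged entry is actually a problem depends on the password policy in effect, which is what the `dsconf` output requested above would show.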
