On 3/16/22 2:28 PM, Mike Wohlgemuth wrote:
Here's a test performed with Apache Directory Studio to bind as a user with ACI access to change the password, as logged within our audit log (I sanitized his hashes) which shows only that the pwdUpdateTime attribute is updated but not the passwordExpirationTime, before replication of the change happens:

time: 20220314160259
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
delete: userPassword
userPassword:: DELETED HASH
-
add: userPassword
userPassword:: DELETED HASH
-
replace: modifiersName
modifiersName: uid=jesidm.admin,ou=special users,dc=neu,dc=edu
-
replace: modifyTimestamp
modifyTimestamp: 20220314200259Z
-

time: 20220314160301
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
replace: pwdUpdateTime
pwdUpdateTime: 20220314200259Z
-

time: 20220314161119
dn: cn=repl keep alive 2,dc=neu,dc=edu
result: 0
changetype: modify
replace: keepalivetimestamp
keepalivetimestamp: 20220314201119Z
-
replace: modifiersName
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20220314201119Z
-

When the same transaction is performed as Directory Manager, we see the following in our audit logs:

time: 20220314161734
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
delete: userPassword
userPassword:: DELETED HASH
-
add: userPassword
userPassword:: DELETED HASH
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20220314201734Z
-

time: 20220314161734
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20230314201734Z
-
replace: passwordExpWarned
passwordExpWarned: 0
-

time: 20220314161939
dn: cn=repl keep alive 2,dc=neu,dc=edu
result: 0
changetype: modify
replace: keepalivetimestamp
keepalivetimestamp: 20220314201939Z
-
replace: modifiersName
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20220314201939Z
-

I do find it unusual that in this last case, the pwdUpdateTime isn't updated...
It is odd. I don't see this behavior in our latest version, but once I get your settings I'll try and reproduce it again.
Can you share the output from the following commands?

# dsconf slapd-YOUR_INSTANCE pwpolicy get
# dsconf slapd-YOUR_INSTANCE localpwp list

Then for each DN (if any) run:

# dsconf slapd-YOUR_INSTANCE localpwp get <DN>

Thanks,
Mark
Thanks!
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
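A small checker for the symptom discussed in this thread, added here as an illustration (it is not code from either poster or from the 389 Directory Server project): it scans audit-log records for userPassword changes that are not followed by a passwordExpirationTime update on the same entry. The sample records, their DNs and the 5-second matching window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample records (made-up DNs); the 5 s window is an assumption.
SAMPLE = """\
time: 20220314160259
dn: uid=alice,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: REDACTED
-
replace: modifiersName
modifiersName: uid=helpdesk,ou=people,dc=example,dc=com

time: 20220314160301
dn: uid=alice,ou=people,dc=example,dc=com
replace: pwdUpdateTime
pwdUpdateTime: 20220314200259Z

time: 20220314161734
dn: uid=bob,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: REDACTED
-
replace: modifiersname
modifiersname: cn=directory manager

time: 20220314161734
dn: uid=bob,ou=people,dc=example,dc=com
replace: passwordExpirationTime
passwordExpirationTime: 20230314201734Z
"""

def parse_records(text):
    """Yield one dict per blank-line-separated audit record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.lower(): v for k, v in re.findall(r"^(\w+): (.*)$", block, re.M)}
        attrs = {a.lower() for a in re.findall(r"^(?:add|replace|delete): (\S+)", block, re.M)}
        yield {"time": datetime.strptime(f["time"], "%Y%m%d%H%M%S"), "dn": f["dn"].lower(),
               "modifier": f.get("modifiersname", "?"), "attrs": attrs}

def password_changes_without_expiry(text, window=timedelta(seconds=5)):
    """Return (dn, modifier) for password changes with no expiry update within window."""
    recs = list(parse_records(text))
    return [(r["dn"], r["modifier"]) for r in recs if "userpassword" in r["attrs"]
            and not any(e["dn"] == r["dn"] and "passwordexpirationtime" in e["attrs"]
                        and timedelta(0) <= e["time"] - r["time"] <= window for e in recs)]

if __name__ == "__main__":
    for dn, who in password_changes_without_expiry(SAMPLE):
        print(f"no passwordExpirationTime update after password change: {dn} (by {who})")
```

The pwdUpdateTime record for the first entry does not count as an expiry update, so that entry is reported together with the bind DN that made the change.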