389-ds-base passwordExpirationTime is changed to the time of bind

Solution Verified - Updated -

Issue

  • 389-ds-base passwordExpirationTime is changed to the time of bind
  • Reproducer sample:
1. Set pwpolicy as follows:
dsconf... pwpolicy set --pwdmustchange on --pwdwarning 864000 --pwdmaxage 2592000 --pwdexpire on

2. Create a sample user dn: uid=testuser1,ou=people,dc=example,dc=com

3. Reset userPassword
ldapmodify -x -h localhost -D "cn=Directory Manager" -w <password> << 'EOF'
dn: uid=testuser1,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: password
EOF

4. Set passwordExpirationTime to "current date +10 days"
VALUE=$(date -u -d '10days' +"%Y%m%d%H%M%S")Z
ldapmodify -x -h localhost -D "cn=Directory Manager" -w <password> << EOF
dn: uid=testuser1,ou=people,dc=example,dc=com
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: $VALUE
EOF
ldapsearch -xLLL -h localhost -D "cn=Directory Manager" -w <password> uid=testuser1 passwordExpirationTime

5. BIND with the user
ldapsearch -xLLL -h localhost -D "uid=testuser1,ou=people,dc=example,dc=com" -w password uid=testuser1 -e ppolicy cn
ldapsearch -xLLL -h localhost -D "cn=Directory Manager" -w <password> uid=testuser1 passwordExpirationTime

Output sample:

$ ldapsearch -xLLL -h localhost -D "cn=Directory Manager" -w <password> uid=testuser1 passwordExpirationTime
dn: uid=testuser1,ou=people,dc=example,dc=com
passwordExpirationTime: 20240426024422Z

$ date -u; ldapsearch -xLLL -h localhost -D "uid=testuser1,ou=people,dc=example,dc=com" -w password uid=testuser1 -e ppolicy cn
Tue Apr 16 02:44:30 UTC 2024
ldap_bind: Success (0) (Password expires in 864000 seconds)
$ ldapsearch -xLLL -h localhost -D "cn=Directory Manager" -w <password> uid=testuser1 passwordExpirationTime
dn: uid=testuser1,ou=people,dc=example,dc=com
passwordExpirationTime: 20240426024430Z

$

passwordExpirationTime changes from 20240426024422Z to 20240426024430Z: the time-of-day part now matches the bind time (02:44:30 UTC), while the date part (20240426) is unchanged.
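
In the output sample, the new value 20240426024430Z is the bind time (Apr 16 02:44:30 UTC) plus 864000 seconds, the --pwdwarning value set in step 1. The following shell check is an added example, not part of the original article or of 389-ds-base; it tests captured values for that pattern, and its function names and the 2-second slack are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Red Hat's code): classify a passwordExpirationTime
# change observed across a bind. Pure arithmetic, no server access.

# LDAP generalized time (YYYYmmddHHMMSSZ, UTC) -> epoch seconds.
gt_to_epoch() {
    gt=${1%Z}
    case $gt in ''|*[!0-9]*) return 1 ;; esac
    [ "${#gt}" -eq 14 ] || return 1
    y=${gt%??????????}; r=${gt#????}
    mo=${r%????????};   r=${r#??}
    d=${r%??????};      r=${r#??}
    h=${r%????};        r=${r#??}
    mi=${r%??};         s=${r#??}
    # Strip one leading zero so "08"/"09" are not read as octal.
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
    # Days since 1970-01-01 (civil-date arithmetic, year starting in March).
    if [ "$mo" -le 2 ]; then y=$(( y - 1 )); fi
    mp=$(( (mo + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# Usage: classify_exp_change BEFORE AFTER BIND_TIME PWDWARNING [SLACK]
# BEFORE/AFTER: passwordExpirationTime read before and after the bind.
# BIND_TIME: output of `date -u +%Y%m%d%H%M%SZ` taken at the bind.
classify_exp_change() {
    before=$(gt_to_epoch "$1") || return 2
    after=$(gt_to_epoch "$2")  || return 2
    bind=$(gt_to_epoch "$3")   || return 2
    warn=$4; slack=${5:-2}      # slack (seconds) is an assumed tolerance
    if [ "$after" -eq "$before" ]; then echo unchanged; return 0; fi
    off=$(( after - bind - warn ))
    if [ "$off" -lt 0 ]; then off=$(( -off )); fi
    if [ "$off" -le "$slack" ]; then
        echo "bind+pwdwarning shift=$(( after - before ))s"
    else
        echo "other shift=$(( after - before ))s"
    fi
}

# Values taken from the output sample on this page.
classify_exp_change 20240426024422Z 20240426024430Z 20240416024430Z 864000
```
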

Environment

  • Red Hat Directory Server 11 and 12
  • Red Hat Enterprise Linux 8 and 9
  • 389-ds-base
