Here's a test performed with Apache Directory Studio to bind as a user with ACI access
to change the password, as logged within our audit log (I sanitized his hashes) which
shows only that the pwdUpdateTime attribute is updated but not the passwordExpirationTime,
before replication of the change happens:
time: 20220314160259
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
delete: userPassword
userPassword:: DELETED HASH
-
add: userPassword
userPassword:: DELETED HASH
-
replace: modifiersName
modifiersName: uid=jesidm.admin,ou=special users,dc=neu,dc=edu
-
replace: modifyTimestamp
modifyTimestamp: 20220314200259Z
-
time: 20220314160301
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
replace: pwdUpdateTime
pwdUpdateTime: 20220314200259Z
-
time: 20220314161119
dn: cn=repl keep alive 2,dc=neu,dc=edu
result: 0
changetype: modify
replace: keepalivetimestamp
keepalivetimestamp: 20220314201119Z
-
replace: modifiersName
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20220314201119Z
-
When the same transaction is performed as Directory Manager, we see the following in our
audit logs:
time: 20220314161734
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
delete: userPassword
userPassword:: DELETED HASH
-
add: userPassword
userPassword:: DELETED HASH
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20220314201734Z
-
time: 20220314161734
dn: uid=woogie,ou=facultyandstaff,dc=neu,dc=edu
result: 0
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20230314201734Z
-
replace: passwordExpWarned
passwordExpWarned: 0
-
time: 20220314161939
dn: cn=repl keep alive 2,dc=neu,dc=edu
result: 0
changetype: modify
replace: keepalivetimestamp
keepalivetimestamp: 20220314201939Z
-
replace: modifiersName
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20220314201939Z
-
I do find it unusual that in this last case, the pwdUpdateTime isn't updated...
Thanks!