TechQA.

DateTime "invalid per syntax" in LDAP pwdLastSet attribute

650 views Asked by At

I'm trying to add a pwdLastSet attribute to my LDAP test user. I've created this ldif file:

dn: cn=test,dc=example,dc=com
changetype: add
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 199412161032Z

When I try to ldapmodify

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-pwdlastset.ldif

I get a error message:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=test,dc=example,dc=com"
ldap_add: Invalid syntax (21)
   additional info: objectClass: value #0 invalid per syntax

I've looked up chapter 3.3.13 "Generalized Time" in RFC4517 which provides the following examples:

  Examples:
     199412161032Z
     199412160532-0500

Both example values represent the same coordinated universal time:
10:32 AM, December 16, 1994.

As you might notice, I even copy-pasted the first example to my ldif file, to no avail. Could someone enlighten me what's wrong with this syntax?

Forgot to mention that I also tried with a unix timestamp

pwdlastset: 1643988710

which yields the same error message.

Update:

When I change the changetype from add to modify and remove the objectClass (as suggested in EricLavault's answer) like this:

dn: cn=test,dc=example,dc=com
changetype: modify
add: pwdLastSet
pwdLastSet: 1643988710

I get the following error:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=test,dc=example,dc=com"
ldap_modify: Undefined attribute type (17)
    additional info: pwdlastset: attribute type undefined

When I then add the objectClass definition again like this

dn: cn=test,dc=example,dc=com
changetype: modify
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 1643988710

I get the following error:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: modify operation type is missing at line 3, entry "cn=test,dc=example,dc=com"

I tried some other modify operation types (replace), but nothing worked. Still stuck here.

datetime ldap openldap ldif
Original Q&A
1

There are 1 answers

4
EricLavault On BEST ANSWER

The thing (which is not obvious at first glance) is that ldapmodify allows to add entries, in which case you set changetype: add.

You want to modify an existing entry, so you should set changetype: modify in order to add: pwdLastSet or (replace|delete).

If you also need to add objectClass: passwordLastSet to the entry or other changes, note that every operation (add|replace|delete) must be separated, eg.

dn: cn=test,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: passwordLastSet
-
add: pwdLastSet
pwdLastSet: 199412161032Z

Also if I'm not wrong, the PwdLastSet attribute is only implemented in Active Directory.

If you are using OpenLDAP you should probably use the PwdPolicy auxiliary class (ppolicy overlay).

Related Questions in DATETIME

Related Questions in LDAP

Related Questions in OPENLDAP

Related Questions in LDIF

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions