Story
Resolution: Unresolved
Normal
rhel-idm-ds
Goal
Add a shadowLastChange fixup task to correct or populate the shadowLastChange attribute for entries with the shadowAccount objectclass. This is needed because the automatic shadowLastChange update is only applied during password changes or online imports, not during LDIF imports.
Background
389DS implements shadow account support per RFC 2307 (see https://www.port389.org/docs/389ds/design/shadow-account-support.html, https://github.com/389ds/389-ds-base/issues/548). The shadowLastChange attribute is automatically updated when a password is changed or an entry without shadowLastChange is imported online (via ldapadd).
However, shadowLastChange is not calculated during LDIF import (ldif2db).
After migrating data from ODSEE or performing offline LDIF imports, entries may have:
- Missing shadowLastChange values
- Incorrect/stale shadowLastChange values
- Random placeholder values that break password expiration logic
This causes password expiration validation failures on some clients, e.g., AIX.
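An offline pre-check for the gap described above, as an added example rather than 389 DS code or the proposed fixup task: it scans an LDIF export for shadowAccount entries whose shadowLastChange (days since 1970-01-01) is missing, non-numeric, or dated in the future. The function names, sample DNs and status rules are assumptions; stale but plausible values cannot be detected without a reference timestamp and are not flagged.

```python
import base64
import time

# Constructed sample export; DNs and values are illustrative only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,
 dc=example,dc=com
objectClass: shadowAccount
shadowLastChange: 19800

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: shadowAccount

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: shadowAccount
shadowLastChange:: OTk5OTk=

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: posixAccount
"""

def parse_ldif(text):
    """Minimal LDIF reader (folding, comments, base64 values); not full RFC 2849."""
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            attr, sep, val = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if val.startswith(":"):                        # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(val.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_shadow_last_change(ldif_text, today=None):
    """Map DN -> status for every shadowAccount entry in the LDIF text."""
    today = int(time.time() // 86400) if today is None else today  # days since epoch
    report = {}
    for e in parse_ldif(ldif_text):
        if "shadowaccount" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        v = e.get("shadowlastchange", [None])[0]
        report[e["dn"][0]] = ("missing" if v is None else
                              "invalid" if not v.isdecimal() else
                              "future" if int(v) > today else "ok")
    return report
```

Running `audit_shadow_last_change` on the LDIF before an offline import shows which entries would need correcting afterwards.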
Acceptance criteria
- New shadowLastChange-fixup task implemented
- Task accessible via dsconf CLI
- Task correctly calculates shadowLastChange