Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-141480

[RFE] Add shadowLastChange fixup task

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Normal Normal
    • rhel-10.3
    • None
    • 389-ds-base
    • None
    • None
    • rhel-idm-ds
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Goal

      Add a shadowLastChange fixup task to correct or populate the shadowLastChange attribute for entries with the shadowAccount objectclass. This is needed because the automatic shadowLastChange update is only applied during password changes or online imports, not during LDIF imports.

      Background

      389DS implements shadow account support per RFC 2307 (see https://www.port389.org/docs/389ds/design/shadow-account-support.html, https://github.com/389ds/389-ds-base/issues/548). The shadowLastChange attribute is automatically updated when a password is changed or an entry without shadowLastChange is imported online (via ldapadd).
      However, shadowLastChange is not calculated during LDIF import (ldif2db).

      After migrating data from ODSEE or performing offline LDIF imports, entries may have:

      • Missing shadowLastChange values
      • Incorrect/stale shadowLastChange values
      • Random placeholder values that break password expiration logic

      This causes password expiration validation failures on some clients, e.g., AIX.

      Acceptance criteria

      • New shadowLastChange-fixup task implemented
      • Task accessible via dsconf CLI
      • Task correctly calculates shadowLastChange

              idm-ds-dev-bugs IdM DS Dev
              vashirov@redhat.com Viktor Ashirov
              IdM DS Dev IdM DS Dev
              IdM DS QE IdM DS QE
              Evgenia Martyniuk Evgenia Martyniuk
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: