Tags: datetime, ldap, openldap, ldif

DateTime "invalid per syntax" in LDAP pwdLastSet attribute


I'm trying to add a pwdLastSet attribute to my LDAP test user. I've created this ldif file:

dn: cn=test,dc=example,dc=com
changetype: add
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 199412161032Z

When I try to ldapmodify

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-pwdlastset.ldif

I get an error message:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=test,dc=example,dc=com"
ldap_add: Invalid syntax (21)
   additional info: objectClass: value #0 invalid per syntax

I've looked up chapter 3.3.13 "Generalized Time" in RFC4517 which provides the following examples:

  Examples:
     199412161032Z
     199412160532-0500

Both example values represent the same coordinated universal time:
10:32 AM, December 16, 1994.

As you might notice, I even copy-pasted the first example to my ldif file, to no avail. Could someone enlighten me what's wrong with this syntax?

Forgot to mention that I also tried with a unix timestamp

pwdlastset: 1643988710

which yields the same error message.


Update:

When I change the changetype from add to modify and remove the objectClass (as suggested in EricLavault's answer) like this:

dn: cn=test,dc=example,dc=com
changetype: modify
add: pwdLastSet
pwdLastSet: 1643988710

I get the following error:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=test,dc=example,dc=com"
ldap_modify: Undefined attribute type (17)
    additional info: pwdlastset: attribute type undefined

When I then add the objectClass definition again like this

dn: cn=test,dc=example,dc=com
changetype: modify
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 1643988710

I get the following error:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: modify operation type is missing at line 3, entry "cn=test,dc=example,dc=com"

I tried some other modify operation types (replace), but nothing worked. Still stuck here.


Solution

  • The thing (which is not obvious at first glance) is that ldapmodify allows adding entries, in which case you set changetype: add.

    You want to modify an existing entry, so you should set changetype: modify in order to add: pwdLastSet or (replace|delete).

    If you also need to add objectClass: passwordLastSet to the entry or make other changes, note that every operation (add|replace|delete) must be separated, e.g.

    dn: cn=test,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: passwordLastSet
    -
    add: pwdLastSet
    pwdLastSet: 199412161032Z
    

    Also if I'm not wrong, the PwdLastSet attribute is only implemented in Active Directory.

    If you are using OpenLDAP you should probably use the PwdPolicy auxiliary class (ppolicy overlay).
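Added example (not part of the question or the answer above): a small Python helper that checks whether a value is an RFC 4517 GeneralizedTime (the syntax the question cites), converts a Unix timestamp such as the one tried in the question into that form, and emits an LDIF modify record with each operation in its own `-`-terminated block, as the answer describes. The DN, attribute name and objectClass are the ones from the question; whether the server's schema actually defines them is a separate matter that this code does not check. Values that are not RFC 2849 safe strings (leading space, non-ASCII, newlines) are base64-encoded with `::`.

```python
"""Validate RFC 4517 GeneralizedTime values and build an RFC 2849 modify record.

Hypothetical helper code written for this page; it is not OpenLDAP's or
ldapmodify's own implementation.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 section 3.3.13:
#   GeneralizedTime = century year month day hour
#                     [ minute [ second / leap-second ] ] [ fraction ] g-time-zone
#   g-time-zone     = "Z" / ( "+" / "-" ) hour [ minute ]
_GENERALIZED_TIME = re.compile(
    r"(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?P<fraction>[.,]\d+)?"
    r"(?P<zone>Z|[+-]\d{2}(?:\d{2})?)"
)


def parse_generalized_time(value: str) -> datetime:
    """Return the UTC datetime for an RFC 4517 GeneralizedTime string.

    Raises ValueError for anything outside the syntax, e.g. a bare Unix
    timestamp such as "1643988710" (digits only, no time zone suffix).
    """
    m = _GENERALIZED_TIME.fullmatch(value)
    if m is None:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    # The ABNF allows a leap second "60"; datetime cannot hold it, so clamp to 59.
    second = min(int(m["second"] or 0), 59)
    dt = datetime(
        int(m["year"]), int(m["month"]), int(m["day"]), int(m["hour"]),
        int(m["minute"] or 0), second, tzinfo=timezone.utc,
    )
    if m["fraction"]:
        # The fraction applies to the finest unit that is actually present.
        frac = float("0." + m["fraction"][1:])
        unit = "seconds" if m["second"] else "minutes" if m["minute"] else "hours"
        dt += timedelta(**{unit: frac})
    zone = m["zone"]
    if zone != "Z":
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
        dt -= sign * offset  # local time minus its offset gives UTC
    return dt


def unix_to_generalized_time(ts: int) -> str:
    """Render a Unix timestamp in the GeneralizedTime form an LDAP syntax check accepts."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def _ldif_attrval(attr: str, value: str) -> str:
    """One attribute line; uses "::" base64 when the value is not an RFC 2849 SAFE-STRING."""
    safe = (
        value.isascii()
        and not any(c in value for c in "\x00\r\n")
        and (value == "" or value[0] not in " :<")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_modify_ldif(dn: str, changes) -> str:
    """Build a changetype: modify record from (op, attribute, [values]) tuples.

    RFC 2849 terminates every mod-spec with a "-" line; OpenLDAP's ldapmodify
    also accepts the final one being omitted, as the answer's example shows.
    """
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation: {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(_ldif_attrval(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: the DN, objectClass and attribute from the question.
    record = build_modify_ldif("cn=test,dc=example,dc=com", [
        ("add", "objectClass", ["passwordLastSet"]),
        ("add", "pwdLastSet", [unix_to_generalized_time(1643988710)]),
    ])
    print(record)
    for candidate in ("199412161032Z", "199412160532-0500", "1643988710"):
        try:
            print(candidate, "->", parse_generalized_time(candidate).isoformat())
        except ValueError as err:
            print(candidate, "->", err)
```

Running the module prints the two-operation record and shows that both RFC examples resolve to 10:32 UTC on 1994-12-16 while the bare Unix timestamp is rejected before it ever reaches the server.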