I'm trying to add a `pwdLastSet` attribute to my LDAP test user. I've created this ldif file:

```ldif
dn: cn=test,dc=example,dc=com
changetype: add
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 199412161032Z
```
When I try to `ldapmodify`:

```
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-pwdlastset.ldif
```

I get an error message:

```
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=test,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
```
I've looked up chapter 3.3.13 "Generalized Time" in RFC 4517, which provides the following examples:

> Examples:
>
>     199412161032Z
>     199412160532-0500
>
> Both example values represent the same coordinated universal time: 10:32 AM, December 16, 1994.

As you might notice, I even copy-pasted the first example into my ldif file, to no avail. Could someone enlighten me as to what's wrong with this syntax?
Forgot to mention that I also tried with a unix timestamp:

```
pwdlastset: 1643988710
```

which yields the same error message.
Update:

When I change the changetype from `add` to `modify` and remove the `objectClass` (as suggested in EricLavault's answer) like this:

```ldif
dn: cn=test,dc=example,dc=com
changetype: modify
add: pwdLastSet
pwdLastSet: 1643988710
```
I get the following error:

```
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=test,dc=example,dc=com"
ldap_modify: Undefined attribute type (17)
additional info: pwdlastset: attribute type undefined
```
When I then add the `objectClass` definition again like this:

```ldif
dn: cn=test,dc=example,dc=com
changetype: modify
objectClass: passwordLastSet
add: pwdLastSet
pwdLastSet: 1643988710
```
I get the following error:

```
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add-field.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: modify operation type is missing at line 3, entry "cn=test,dc=example,dc=com"
```

I tried some other modify operation types (`replace`), but nothing worked. Still stuck here.
The thing (which is not obvious at first glance) is that `ldapmodify` allows you to add entries, in which case you set `changetype: add`.

You want to modify an existing entry, so you should set `changetype: modify` in order to `add: pwdLastSet` or (replace|delete).
If you also need to add `objectClass: passwordLastSet` to the entry, or make other changes, note that every operation (add|replace|delete) must be separated, e.g.

```ldif
dn: cn=test,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: passwordLastSet
-
add: pwdLastSet
pwdLastSet: 199412161032Z
```
Also, if I'm not wrong, the `PwdLastSet` attribute is only implemented in Active Directory. If you are using OpenLDAP you should probably use the `PwdPolicy` auxiliary class (ppolicy overlay).