20090923 its pwdchangetime - plembo/onemoretech GitHub Wiki

title: It's pwdchangedtime link: https://onemoretech.wordpress.com/2009/09/23/its-pwdchangetime/ author: lembobro description: post_id: 241 created: 2009/09/23 16:50:46 created_gmt: 2009/09/23 16:50:46 comment_status: open post_name: its-pwdchangetime status: publish post_type: post

It's pwdchangedtime

That is, the attribute that Oracle Internet Directory (OID) looks at when applying a password expiration policy is pwdchangedtime. This is a hidden, operational (system-maintained) attribute, so it is not returned by a normal search: you must request it by name in the attribute list. The value is an LDAP GeneralizedTime, formatted thusly:

yyyymmddhhmmssZ

for example

20090923113238Z

That last “Z” is for “Zulu”, i.e. Coordinated Universal Time (UTC), which is what the directory server writes all its timestamps in. Some other directory servers will let the root user modify this value, but OID will not. In fact, OID won’t even let you delete the attribute entirely. This is due to a restriction on the attribute in the OID schema. “But this is unacceptable”, you say. Yes, I agree. Here’s how to push this affront to all directory admins back into the developers’ faces (OK, maybe that’s a little harsh…):

1. Fire up the oidadmin tool and connect to the offending directory as the root admin (”cn=orcladmin”).

2. Go to Schema Management, click on the Attributes tab, highlight pwdchangedtime and click Edit, Advanced.

3. Change Usage from directoryOperation to userApplications.

The attribute will now be modifiable by orcladmin. The only drawback is that you will no longer be able to actually query for pwdchangedtime! This is something I would consider A Bad Thing ® and so would strongly recommend not routinely running your directory with the attribute configured this way. Unless you like getting calls from panicky Help Desk personnel about how no one is able to log on (this particular schema change breaks authentication for as long as it’s in place). Make the change, fix the value on the entries that need it, and switch Usage back to directoryOperation immediately.

So we all know why things are set up this way, right? The idea is that a password expiration policy that can be gotten around by an admin just whacking an attribute or changing its value isn’t very “secure”. Of course one has to wonder if the developers have considered all the other evil things someone with the root orcladmin credentials can do. I’m thinking they haven’t. Otherwise they wouldn’t have put the realm orcladmin account in a location where unprivileged users can see it. I mean, would it have been that hard to put the realm admin in a special place like under, say, “cn=Special Users, dc=example, dc=com” rather than “cn=Users” with all the other user entries? Sometimes people really do amaze me.
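To make the timestamp format concrete, here is an added example (mine, not code from the post or from Oracle) that pulls pwdchangedtime out of an ldapsearch-style LDIF result and works out when the password expires under a max-age policy. The LDIF text, the entry DN, the 120-day maximum age and the ldapsearch invocation in the comments are all constructed assumptions; OID’s actual policy value lives in its password policy entry and must be read from there. The parser insists on the trailing “Z”, because silently treating a local-time value as UTC would shift every expiry by the site’s UTC offset.

```python
"""Parse OID's pwdchangedtime (LDAP GeneralizedTime, UTC) and compute expiry.

Added example, not from the original post. Fetching the attribute requires
naming it explicitly because it is operational; with OpenLDAP's ldapsearch
(host, base and credentials are assumed placeholders) that looks like:

  ldapsearch -x -H ldap://oid.example.com:389 -D cn=orcladmin -W \
      -b cn=Users,dc=example,dc=com '(cn=jdoe)' pwdchangedtime
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed LDIF in the shape ldapsearch prints for one entry when the
# operational attribute was requested. Not captured output from a real OID.
SAMPLE_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
cn: jdoe
pwdchangedtime: 20090923113238Z
"""

# yyyymmddhhmmssZ as the post describes it; an optional fractional-seconds
# part is tolerated because GeneralizedTime permits it, but the UTC "Z" is
# mandatory (a value without it is not something OID writes).
_GENERALIZED_TIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,]\d+)?Z$"
)


def parse_pwd_changed_time(value: str) -> datetime:
    """Convert a GeneralizedTime string into a timezone-aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime value: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_valid_pwd_changed_time(value: str) -> bool:
    """True if the value parses; used to reject hand-edited junk early."""
    try:
        parse_pwd_changed_time(value)
        return True
    except ValueError:
        return False


def pwd_changed_time_from_ldif(ldif: str) -> datetime:
    """Find pwdchangedtime in a single-entry LDIF blob.

    LDAP attribute names are case-insensitive, so match on the lowercased
    name. A missing attribute is the classic symptom of forgetting to request
    it (or of the schema Usage change the post warns about), hence the hint.
    """
    for line in ldif.splitlines():
        name, sep, raw = line.partition(":")
        if sep and name.strip().lower() == "pwdchangedtime":
            return parse_pwd_changed_time(raw)
    raise LookupError("pwdchangedtime not in result; was it requested explicitly?")


def password_expires_at(changed: datetime, max_age_seconds: int) -> datetime:
    """Expiry instant: last change plus the policy's maximum password age."""
    return changed + timedelta(seconds=max_age_seconds)


def password_expired(changed_value: str, max_age_seconds: int, now_value: str) -> bool:
    """Decide expiry from two GeneralizedTime strings, so callers can feed
    the value from the directory and a 'now' captured in the same format."""
    changed = parse_pwd_changed_time(changed_value)
    now = parse_pwd_changed_time(now_value)
    return now >= password_expires_at(changed, max_age_seconds)


if __name__ == "__main__":
    MAX_AGE = 120 * 86400  # assumed policy value, not an OID default
    changed = pwd_changed_time_from_ldif(SAMPLE_LDIF)
    print("changed: ", changed.isoformat())
    print("expires: ", password_expires_at(changed, MAX_AGE).isoformat())
```

Run it as a script to see the change and expiry instants for the sample entry. Because the functions take the raw attribute value, the same code can be pointed at real ldapsearch output; anything that fails parse_pwd_changed_time is worth investigating, since OID itself will not write a malformed value and a non-parsing one usually means someone has been through the Usage-change procedure described above.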

Copyright 2004-2019 Phil Lembo