Ondřej Kuzník · Quanah Gibson-Mount · Ondřej Kuzník · Quanah Gibson-Mount · 6327f45d · 6327f45d
--- a/contrib/slapd-modules/lastbind/lastbind.c
+++ b/contrib/slapd-modules/lastbind/lastbind.c
@@ -23,8 +23,9 @@
 * last successful bind operation in a directory entry.
 *
 * Optimization: to avoid performing a write on each bind,
- * a precision for this timestamp may be configured, causing it to
- * only be updated if it is older than a given number of seconds.
+ * a precision for this timestamp may be configured on the database,
+ * causing it to only be updated if it is older than a given number
+ * of seconds.
 */

 #ifdef SLAPD_OVER_LASTBIND
@@ -40,8 +41,6 @@

 /* Per-instance configuration information */
 typedef struct lastbind_info {
-	/* precision to update timestamp in authTimestamp attribute */
-	int timestamp_precision;
 	int forward_updates;	/* use frontend for authTimestamp updates */
 } lastbind_info;

@@ -68,14 +67,6 @@ static struct schema_info {

 /* configuration attribute and objectclass */
 static ConfigTable lastbindcfg[] = {
-	{ "lastbind-precision", "seconds", 2, 2, 0,
-	  ARG_INT|ARG_OFFSET,
-	  (void *)offsetof(lastbind_info, timestamp_precision),
-	  "( OLcfgCtAt:5.1 "
-	  "NAME 'olcLastBindPrecision' "
-	  "DESC 'Precision of authTimestamp attribute' "
-	  "EQUALITY integerMatch "
-	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "lastbind_forward_updates", "on|off", 1, 2, 0,
 	  ARG_ON_OFF|ARG_OFFSET,
 	  (void *)offsetof(lastbind_info,forward_updates),
@@ -91,7 +82,7 @@ static ConfigOCs lastbindocs[] = {
 	  "NAME 'olcLastBindConfig' "
 	  "DESC 'Last Bind configuration' "
 	  "SUP olcOverlayConfig "
-	  "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
+	  "MAY ( olcLastBindForwardUpdates) )",
 	  Cft_Overlay, lastbindcfg, NULL, NULL },
 	{ NULL, 0, NULL }
 };
@@ -148,7 +139,7 @@ lastbind_bind_response( Operation *op, SlapReply *rs )
 			if (bindtime != (time_t)-1) {
 				/* if the recorded bind time is within our precision, we're done
 				 * it doesn't need to be updated (save a write for nothing) */
-				if ((now - bindtime) < lbi->timestamp_precision) {
+				if ((now - bindtime) < op->o_bd->be_lastbind_precision) {
 					goto done;
 				}
 			}

--- a/contrib/slapd-modules/lastbind/slapo-lastbind.5
+++ b/contrib/slapd-modules/lastbind/slapo-lastbind.5
@@ -19,6 +19,11 @@ older than a given value, thus avoiding large numbers of write
 operations penalizing performance.
 One sample use for this overlay would be to detect unused accounts.

+Now that OpenLDAP has native support for most of this functionality,
+storing the value in pwdLastSuccess to better interact with the Behera
+Password Policy draft 10. Unless you require lastbind_forward_updates,
+you should consider using that instead.
+
 .SH CONFIGURATION
 The config directives that are specific to the
 .B lastbind
@@ -98,6 +103,11 @@ default slapd configuration file
 .SH SEE ALSO
 .BR slapd.conf (5),
 .BR slapd (8).
+.LP
+IETF LDAP password policy proposal by P. Behera, L.  Poitou and J.
+Sermersheim:  documented in IETF document
+"draft-behera-ldap-password-policy-10.txt".
+
 The
 .BR slapo-lastbind (5)
 overlay supports dynamic configuration via