Password never expires: OpenLDAP support for individual users #7981

@DavidePrincipi

Description

Proposed solution

  • Enable the "password never expires" feature for individual users in the OpenLDAP account provider, as previously available in Active Directory.

  • Add UI implementation for toggling the flag both in cluster-admin and user portal interfaces.

  • For compat/reference, the absence of the pwdChangedTime attribute can be used for this purpose, and the following can be used to clear it:

     ldapmodify -e relax <<'EOF'
     dn: uid=username,ou=People,dc=example,dc=com
     changetype: modify
     delete: pwdChangedTime
     EOF
    

Alternative solutions

  • Keep the current approach: only the administrator password never expires, others must follow the expiration policy or manage it manually with CLI and attributes.

Additional context

  • The -e relax parameter is required for the ldapmodify command to succeed.

  • Feature was available for AD, not for OpenLDAP. See the original proposal and feedback in NethServer/dev#7503. Consider admin expectations after upgrade/migration from AD/legacy releases.

  • When the pwdChangedTime is removed, the cluster-admin UI already provides visual feedback:

    Image

See also


Thanks to @nrauso @lucagasparini
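
An added audit example, not part of the original issue or the NethServer code: because the proposal uses a missing pwdChangedTime as the "never expires" flag, this lists the entries in an ldapsearch LDIF dump that lack the attribute. The sample entries, the function names, and the search base and filter in the comment are constructed assumptions.

```shell
#!/bin/sh
# Added example: report accounts whose entry has no pwdChangedTime,
# i.e. the accounts the proposal would treat as "password never expires".
#
# Live use (base DN and filter are assumptions; pwdChangedTime is an
# operational attribute, so it must be requested by name):
#   ldapsearch -LLL -o ldif-wrap=no -b ou=People,dc=example,dc=com \
#       '(uid=*)' uid pwdChangedTime | list_nonexpiring

# Read LDIF on stdin (entries separated by blank lines) and print the DN
# of every entry that carries no pwdChangedTime value.
list_nonexpiring() {
    awk '
        function emit() {
            if (dn != "" && !seen) print dn
            dn = ""; seen = 0
        }
        /^$/     { emit(); next }                      # end of one entry
        /^dn: /  { dn = substr($0, 5); next }          # plain DN
        /^dn:: / { dn = "(base64) " substr($0, 6); next }  # non-ASCII DN
        tolower($0) ~ /^pwdchangedtime:/ { seen = 1 }  # names are case-insensitive
        END      { emit() }                            # last entry has no trailing blank
    '
}

# Constructed sample input, shaped like ldapsearch -LLL output.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdChangedTime: 20240105093000Z

dn: uid=svc-backup,ou=People,dc=example,dc=com
uid: svc-backup

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdChangedTime: 20240311101500Z
EOF
}

# Prints: uid=svc-backup,ou=People,dc=example,dc=com
sample_ldif | list_nonexpiring
```

Running this periodically and comparing the output against the list of accounts that were deliberately exempted shows any entry whose expiration was disabled outside the intended workflow.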
