Password never expires: OpenLDAP support for individual users

[DavidePrincipi]

Proposed solution

• Enable the "password never expires" feature for individual users in the OpenLDAP account provider, as previously available in Active Directory.
• Add UI implementation for toggling the flag both in cluster-admin and user portal interfaces.
• Define a non-expiring ppolicy entry.
• Migrate accounts without pwdChangedTime to the non-expiring ppolicy.

Alternative solutions

• Keep the current approach: only the administrator password never expires, others must follow the expiration policy or manage it manually with CLI and attributes.

Additional context

• Feature was available for AD, not for OpenLDAP. See the original proposal and feedback in NethServer/dev#7503. Consider admin expectations after upgrade/migration from AD/legacy releases.

• When the pwdChangedTime is removed, the cluster-admin UI already provides a visual feedback:

  

See also

• Original issue: NethServer/dev#7503
• Discussion (AD implementation): https://mattermost.nethesis.it/nethesis/pl/m93w1ifhgtbqdy8qmmmt7ep3wy
• Discussion (LDAP implementation): https://mattermost.nethesis.it/nethesis/pl/1eymwrto3jbfuy5qgrqsiox1ph

---

Thanks to @nrauso @lucagasparini

[stephdl]

QA

samba:3.4.6-dev.1
openldap:2.6.1-dev.1
core:3.20.0-dev.2

1. Configure an account provider with password expiration policy enabled.
2. Repeat the following tests on both OpenLDAP and SambaAD.
3. In cluster-admin, open the create/edit user form and verify the “password never expires” option is available for users.
4. Create a user with “password never expires” enabled.
   • Verify the user is created successfully.
   • Verify the user is shown as excluded from password expiration.
5. Edit an existing user in cluster-admin:
   • enable “password never expires” and save
   • disable it and save again
   • verify both changes are applied correctly
6. In ns8-user-manager, open the same user and verify the “password never expires” option is available there too.
7. From ns8-user-manager, toggle the option on and off for the same user.
   • Verify changes are saved successfully.
   • Verify the status is updated correctly after each save.
8. Repeat the edit test on different users, to confirm the option works for all users, not only newly created ones.
9. Disable the domain password expiration policy.
   • Verify the “password never expires” option is hidden in both cluster-admin and ns8-user-manager.
10. Enable the password expiration policy again.
    • Verify the option is shown again in both UIs.

Expected result

• On both OpenLDAP and SambaAD, all users can be marked as “password never expires” from both cluster-admin and ns8-user-manager.
• The option is visible only when password expiration is enforced.
• Changes made from either UI are saved and reflected correctly.