[GH-ISSUE #1187] [FEATURE REQUEST] Password change time attribute #424

Closed
opened 2026-02-27 08:17:13 +03:00 by kerem · 5 comments

Originally created by @jip149 on GitHub (Jun 5, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1187

Stalwart recently changed their LDAP client implementation and now requires an attribute to know when a password has been changed. From their doc:

> Since password hashes are not available in bind authentication, Stalwart cannot detect password changes based on stored credentials in order to invalidate existing OAuth tokens. Therefore, it is essential to configure the secret-changed attribute to track password changes. This attribute should contain a value that changes whenever the user's password is updated, such as a timestamp or version hash. This allows Stalwart to recognize when a password has changed, even without access to the hash.

Can lldap implement such an attribute?


@nitnelave commented on GitHub (Jun 5, 2025):

There was a discussion about that recently on Discord.

I think this is a perfect example of what a plugin would be great for (once we merge plugin support)


@choucavalier commented on GitHub (Jul 4, 2025):

That just broke my stalwart mail server and I had to downgrade stalwart for now


@nitnelave commented on GitHub (Jul 4, 2025):

> That just broke my stalwart mail server and I had to downgrade stalwart for now

One workaround, for now, is to use the "user created" timestamp for the password. It means it won't be updated and the oauth tokens not invalidated, but it works.


@alex-savin commented on GitHub (Aug 12, 2025):

@nitnelave Could you please share an example of how you did it?
Thank you in advance


@nitnelave commented on GitHub (Aug 12, 2025):

@alex-savin the plugin API is not merged yet, so there's no way to implement it right now.

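The mechanism from the quoted Stalwart documentation, and the consequence of the "user created" timestamp workaround mentioned in the thread, as an added example that is not code from lldap, Stalwart, or any commenter. The attribute names `creation_date` and `password_changed`, the classes, and the sample directory entry are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class DirectoryEntry:
    creation_date: str     # set once when the user is created (hypothetical name)
    password_changed: str  # hypothetical attribute rewritten on every password change


@dataclass(frozen=True)
class Token:
    user: str
    secret_marker: str  # value of the tracked attribute at issuance time


class TokenService:
    """Relying party that cannot see password hashes, only one tracked attribute."""

    def __init__(self, directory, tracked_attribute):
        self.directory = directory
        self.tracked_attribute = tracked_attribute

    def issue(self, user):
        marker = getattr(self.directory[user], self.tracked_attribute)
        return Token(user, marker)

    def is_valid(self, token):
        entry = self.directory.get(token.user)
        if entry is None:  # user deleted: fail closed
            return False
        # The token stays valid only while the tracked value is unchanged.
        return token.secret_marker == getattr(entry, self.tracked_attribute)


def change_password(directory, user, when):
    # The directory updates the marker as part of the password change.
    directory[user].password_changed = when


def token_survives_password_change(tracked_attribute):
    # Constructed sample entry; timestamps are made up.
    directory = {"alice": DirectoryEntry("2025-01-10T09:00:00Z", "2025-01-10T09:00:00Z")}
    service = TokenService(directory, tracked_attribute)
    token = service.issue("alice")
    change_password(directory, "alice", "2025-07-04T12:00:00Z")
    return service.is_valid(token)


if __name__ == "__main__":
    for attr in ("creation_date", "password_changed"):
        print(attr, "-> old token still valid:", token_survives_password_change(attr))
```

Pointing the tracked attribute at a value that never changes keeps logins working but leaves every previously issued token valid after a password reset, so token lifetime and manual revocation become the only controls.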