[GH-ISSUE #1381] [FEATURE REQUEST] pwdLastSet attribute #479

New issue

Open

opened 2026-02-27 08:17:29 +03:00 by kerem · 3 comments

kerem commented

2026-02-27 08:17:29 +03:00

Owner

Originally created by @MrSpock on GitHub (Jan 12, 2026).
Original GitHub issue: https://github.com/lldap/lldap/issues/1381

Motivation
There are number of applications that requires pwdLastSet i.e Stalwart mail server requires that ldap will return attribute when last time password was changed (https://stalw.art/docs/auth/backend/ldap/#object-attributes_
Both OpenLDAP and Microsoft AD have this attribute.

Describe the solution you'd like
Add pwdLastSet with type DateTime that contain date & time when last time password was changed and is returned when requested in attribute list

Originally created by @MrSpock on GitHub (Jan 12, 2026). Original GitHub issue: https://github.com/lldap/lldap/issues/1381 **Motivation** There are number of applications that requires pwdLastSet i.e Stalwart mail server requires that ldap will return attribute when last time password was changed (https://stalw.art/docs/auth/backend/ldap/#object-attributes_ Both OpenLDAP and Microsoft AD have this attribute. **Describe the solution you'd like** Add pwdLastSet with type DateTime that contain date & time when last time password was changed and is returned when requested in attribute list

kerem added the

enhancement

label

2026-02-27 08:17:29 +03:00

kerem commented

2026-02-27 08:17:30 +03:00

Author

Owner

@nitnelave commented on GitHub (Jan 12, 2026):

That sounds like it could be easily handled by a plugin. I'd like to wait for the plugin API to be there instead.

Is this blocking you for an integration? I thought that stalwart was already working with LLDAP?

@nitnelave commented on GitHub (Jan 12, 2026): That sounds like it could be easily handled by a plugin. I'd like to wait for the plugin API to be there instead. Is this blocking you for an integration? I thought that stalwart was already working with LLDAP?

kerem commented

2026-02-27 08:17:30 +03:00

Author

Owner

@MrSpock commented on GitHub (Jan 12, 2026):

Stalwart rewrote its LDAP plugin to integrate more closely with OAuth and now according to docs (https://stalw.art/docs/auth/backend/ldap/#object-attributes) you need either:

password hash (The attribute must contain the hash in a format supported by Stalwart (such as SSHA, SHA, MD5, etc.) User password hash is not returned by lldap to my knowledge.
map ldap attr to "secret-changed": Maps to the LDAP attribute that stores the last time the password was changed. This is used to determine if the password has been changed since the last login and is used for OAuth when the secret attribute is not available.

Workaround for this is to map secret-change -> createtimestamp attribute, but this is "hacky" way and prevents token expiry when password is changed which is some security risk.

@MrSpock commented on GitHub (Jan 12, 2026): Stalwart rewrote its LDAP plugin to integrate more closely with OAuth and now according to docs (https://stalw.art/docs/auth/backend/ldap/#object-attributes) you need either: - password hash (The attribute must contain the hash in a format supported by Stalwart (such as SSHA, SHA, MD5, etc.) User password hash is not returned by lldap to my knowledge. - map ldap attr to "secret-changed": Maps to the LDAP attribute that stores the last time the password was changed. This is used to determine if the password has been changed since the last login and is used for OAuth when the secret attribute is not available. Workaround for this is to map secret-change -> createtimestamp attribute, but this is "hacky" way and prevents token expiry when password is changed which is some security risk.

kerem commented

2026-02-27 08:17:30 +03:00

Author

Owner

@nitnelave commented on GitHub (Jan 12, 2026):

The latest version of LLDAP should have a "last modified" (or something like that) attribute (modify timestamp?)
While obviously not perfect, that should fix your immediate issue, no?

@nitnelave commented on GitHub (Jan 12, 2026): The latest version of LLDAP should have a "last modified" (or something like that) attribute (modify timestamp?) While obviously not perfect, that should fix your immediate issue, no?

kerem referenced this issue

2026-02-27 09:09:40 +03:00

[PR #479] [MERGED] Update devcontainer and build instructions #768