My apologies,<div><br></div><div>I just saw the thread "[389-users] AD <-> LDAP password expiration sync" </div><div><br></div><div>Is this correct, there is no current way to sync the shadowLastChange value?</div>
<div><br></div><div><br></div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Fri, Jan 25, 2013 at 12:04 AM, vladimir Safoo <span dir="ltr"><<a href="mailto:wudadin2003@gmail.com" target="_blank">wudadin2003@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Greetings all,</span><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">I need help from the experts, so I thank you ahead of time for any help that you are able to assist me with.<br>
<div><br></div><div>Problem - Password set to expire in 90 days. Linux users password expiration is not sync'ing with Windows users password expiration. So I am getting people that are getting locked out of the environment do to their passwords expiring.</div>
<div><br></div><div>I have AD 2008 r2 bidirectionally sync'ing with one 389ds master server. Everything so far has been working fine. I have set up a password policy on the AD server and have mirrored the same policy on the 389ds servers. Passwords are set to expire in 90 days. I have multimaster replication set up on 8 servers and have other read-only consumers.</div>
<div><br></div><div>Resetting a password on a Windows desktop or linux server does not modify the shadowLastChange value on the Linux 389ds servers. It does, however, update the passwordexpirationtime on the linux 389ds servers. But the linux servers don't know what the passwordexpirationtime is so they seem to ignore it. Though the passwordexpirationtime value is correct and does reflect the password to expire in 90 days from the initial password setup or change.</div>
<div><br></div><div>Now since users accounts are created normally before a users starts their new job, the passwords get out of sync do to linux users resetting their initial password on the linux servers once they login for the first time. Our internal chat server authenticates via the AD server, so they are not always notified when their Windows password has expired on the AD side. </div>
<div><br></div><div>How can I get AD to update the Linux side value for the shadowLastChange attribute?</div><div><br></div><div>I can pull the passwordexpirationtime value, if there is no "normal" solution for this, I could write a perl script to check for this time and update the shadowLastChange value I guess. But I need to know if I am just setting this up wrong and what is the solution or if it is not possible. Please let me know if more information is needed.</div>
<div><br></div><div><div># cat /etc/issue</div><div>CentOS release 6.2 (Final)</div></div><div><br></div><div># rpm -qa 389*</div><div>389-ds-console-1.2.6-1.el6.noarch</div><div>389-ds-1.2.2-1.el6.noarch</div><div>389-ds-base-1.2.9.14-1.el6_2.2.x86_64</div>
<div>389-admin-console-1.1.8-1.el6.noarch</div><div>389-ds-console-doc-1.2.6-1.el6.noarch</div><div>389-dsgw-1.1.9-1.el6.x86_64</div><div>389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64</div><div>389-adminutil-1.1.15-1.el6.x86_64</div>
<div>389-console-1.1.7-1.el6.noarch</div><div>389-admin-1.1.29-1.el6.x86_64</div><div>389-admin-console-doc-1.1.8-1.el6.noarch </div><div><br></div><div><div># slaps uid=tuser</div><div>dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net</div>
<div>ntUserLastLogon: 130035596619212394</div><div>userPassword:: e1NTSEF9cTlTNmxTc01uRVFHMjU4WVhIUVhLQWRPNU5ndVZMUDZZV3ZYSGc9PQ=</div><div> =</div><div>shadowLastChange: 15729</div><div>mail: <a href="mailto:tuser@company.net" style="color:rgb(17,85,204)" target="_blank">tuser@company.net</a></div>
<div>loginShell: /bin/bash</div><div>uidNumber: 20288</div><div>gidNumber: 61000</div><div>homeDirectory: /home/tuser</div><div>ntUserLastLogoff: 0</div><div>objectClass: top</div><div>objectClass: person</div><div>objectClass: organizationalperson</div>
<div>objectClass: inetOrgPerson</div><div>objectClass: ntUser</div><div>objectClass: posixAccount</div><div>objectClass: shadowAccount</div><div>ntUserDeleteAccount: true</div><div>uid: tuser</div><div>sn: user</div><div>
givenName: test</div><div>cn: test user</div><div>ntUserCodePage: 0</div><div>ntUserAcctExpires: 9223372036854775807</div><div>ntUserDomainId: tuser</div><div>ntUniqueId: d19af18ff098044db4afb2e59f0ea25b</div></div><div>
<br>
</div><div><div># slaps uid=tuser passwordexpirationtime</div><div>dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net</div><div>passwordexpirationtime: 20130425035421Z</div></div><div><br></div><div><br></div><div>Thank you,</div>
<div>389ds admin</div></div>
</blockquote></div><br></div>