On Tue, 2006-12-05 at 12:28 -0500, Kyle Tucker wrote:
Assuming you're using shadowAccount attributes for your password
expiry, you
are seeing just what I saw until "write for self" access was given to users
to up the shadowLastChange attribute. Here's how I fixed it in admin console.
In Directory tab, select root domain
Right click and select "Set Access Permissions"
Select "Enable self-write for common attributes" and click on Edit
After "userPassword", insert "|| shadowLastChange " and click on OK
and
again on OK on the parent window.
The problem we had with using the shadow attributes is that not all
platforms honor them (I don't recall seeing Solaris update
shadowLastChange). You'd also need to remember to update the
shadowLastChange attribute manually if you reset a user's password by
some mechanism outside of PAM (from the Administrator's Console, for
example).
-Steve