[Fedora-directory-users] Linux password change/expiration issue

Kyle Tucker kylet at panix.com
Sun Nov 5 04:04:55 UTC 2006 

Bingo. In the admin console, I manually edited the top domain in the
Directory tab using Set Access Permissions and Enable self write for
common attributes, and added shadowLastChange and it updates fine 
along with userPassword now. Thanks so much.

aci: (targetattr = "carLicense ||description ||displayName ||facsimileTelephon
 eNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL |
 |mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode |
 |preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber
  ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title
 ||userCertificate ||userPassword ||shadowLastChange ||userSMIMECertificate ||
 x500UniqueIdentifier") (version 3.0;acl "Enable self write for common attribu
 tes";allow (write)(userdn = "ldap:///self");)


> One possible issue:
> Does your ACI set allow shadowLastChange to be written?
> To test, you could add a very permissive ACI that allows anyone to write 
> shadowLastChange.  If that helps, then hone down the ACI.  I think all you 
> should need is self-write for shadowLastChange, but I'm not 100% sure.
> 
> 
> ----- Original Message ----- 
> From: "Kyle Tucker" <kylet at panix.com>
> To: "General discussion list for the Fedora Directory server project." 
> <fedora-directory-users at redhat.com>
> Sent: Saturday, November 04, 2006 11:11 AM
> Subject: Re: [Fedora-directory-users] Linux password change/expiration issue
> 
> > Hi all,
> > Sorry to be a pest with this, but I am so close. I went back
> > to using shadowAccount and have it all behaving just as I need with
> > one acception. When a client uses successfully changes their password,
> > the userPassword attribute is changed in LDAP, but the shadowLastChange
> > is not updated to the current day, and the password is still being
> > interpreted as expired. This occurs with FDS 1.0.2 and 1.0.3. So I am
> > not chasing an unattainable goal, should shadowLastChange be getting
> > updated at the same time and procedure as is userPassword? Thanks.
> >
> > -- 
> > - Kyle
> > ---------------------------------------------
> > kylet at panix.com   http://www.panix.com/~kylet
> > ---------------------------------------------
> 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 


-- 
- Kyle 
---------------------------------------------
kylet at panix.com   http://www.panix.com/~kylet    
---------------------------------------------

More information about the 389-users mailing list