[389-users] shadowLast Change NOT updating was Re: ldappasswd and shadowLastChange attribute
James Smallacombe
up at 3.am
Mon Sep 27 19:02:21 UTC 2010
Sorry for replying to myself, but I wanted to add more that I've tried
since my last post:

From the DirSrv X Console: in Configuration -> Indexes I added the
"shadowLastChange" attribute to userRoot, then NetscapeRoot, still with no
luck. I then put the following in my /etc/ldap.conf

nss_map_objectclass shadowAccount User
pam_password exop

Still no luck. To clarify, the shadowLastChange DOES get properly updated
when you reset a user's password in Webmin's "Users and Groups" module,
but NOT when you use /usr/lib64/mozldap/ldappasswd OR in the Squirrelmail
"Change LDAP Password" plugin. Again, any of these will change the
password no problem, but not that attribute....any pointers would be
appreciated. Here is a sample user:

version: 1
dn: uid=test123,ou=People, dc=some, dc=domain
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: test123
cn:test123
uidNumber: 999
gidNumber: 999
homeDirectory: /home/test123
loginShell: /bin/false
sn: test123
mail: test123 at some.domain
shadowLastChange: 13678
shadowMin: 1
shadowMax: 99999
shadowWarning: 14

On Mon, 27 Sep 2010, James Smallacombe wrote:
>
> I finally figured out a working shell script to make LDAP user password
> changes using mozldap/ldappasswd. Unfortunately, I just discovered that
> changing the password using this does not update the "shadowLastChange"
> attribute, so users with expired passwords are still not able to log in,
> even after an admin has reset their password in this manner.
>
> Since we are migrating from traditional shadow passwords to LDAP, the
> attribute we need to get updated by this is "shadowLastChange"
>
> I attempted to work around this in /etc/ldap.conf by adding this:
>
> nss_map_attribute shadowLastChange pwdLastSet
>
> But to no avail. In addition, the "change ldap password" plugin also does
> not update this, although webmin users and groups module does.
>
> What am I missing? Thanks in Advance!
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up at 3.am http://3.am
> =========================================================================
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
=========================================================================
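
Added example, not part of the original post: shadowLastChange counts whole days since 1 January 1970, so the sketch below reads the shadow attributes from an LDIF entry, classifies the password age the way a shadow-style expiry check does (simplified), and prints an LDIF modify that sets shadowLastChange to today. The function names are hypothetical and the entry is constructed from the sample user above; it does not address why the server leaves the attribute unchanged.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample entry.
SAMPLE_ENTRY='dn: uid=test123,ou=People, dc=some, dc=domain
objectClass: shadowAccount
uid: test123
cn:test123
shadowLastChange: 13678
shadowMin: 1
shadowMax: 99999
shadowWarning: 14'

# Whole days since 1970-01-01 UTC for an epoch-seconds value (default: now).
epoch_days() {
    echo $(( ${1:-$(date +%s)} / 86400 ))
}

# Print the first value of attribute $1 from an LDIF entry on stdin.
# Accepts both "attr: value" and "attr:value"; attribute names are
# matched case-insensitively.
ldif_attr() {
    awk -v a="$1" 'index(tolower($0), tolower(a) ":") == 1 {
        v = substr($0, length(a) + 2); sub(/^ +/, "", v); print v; exit }'
}

# Simplified expiry check. Args: shadowLastChange shadowMax today (integers).
# 0 means a change is forced; an empty or negative shadowMax disables ageing.
shadow_state() {
    if [ "$1" -eq 0 ]; then echo must-change
    elif [ -z "$2" ] || [ "$2" -lt 0 ]; then echo valid
    elif [ $(( $3 - $1 )) -gt "$2" ]; then echo expired
    else echo valid
    fi
}

# LDIF modify that replaces shadowLastChange on DN $1 with day count $2.
reset_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n' "$1" "$2"
}

# Demo on the constructed entry.
dn=$(printf '%s\n' "$SAMPLE_ENTRY" | ldif_attr dn)
last=$(printf '%s\n' "$SAMPLE_ENTRY" | ldif_attr shadowLastChange)
max=$(printf '%s\n' "$SAMPLE_ENTRY" | ldif_attr shadowMax)
today=$(epoch_days)
echo "password state today: $(shadow_state "$last" "$max" "$today")"
reset_ldif "$dn" "$today"
```

The printed modify record is in the form ldapmodify reads, so an administrator can review it before applying it to the directory.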