[389-users] AD and 389ds synchronization of shadowLastChange
Rich Megginson
rmeggins at redhat.com
Fri Jan 25 15:03:08 UTC 2013
On 01/24/2013 11:09 PM, vladimir Safoo wrote:
> My apologies,
>
> I just saw the thread "[389-users] AD <-> LDAP password expiration sync"
>
> Is this correct, there is no current way to sync the shadowLastChange
> value?
Correct.
>
>
>
>
>
> On Fri, Jan 25, 2013 at 12:04 AM, vladimir Safoo
> <wudadin2003 at gmail.com <mailto:wudadin2003 at gmail.com>> wrote:
>
> Greetings all,
>
> I need help from the experts, so I thank you ahead of time for any
> help that you are able to assist me with.
>
> Problem - Password set to expire in 90 days. Linux users password
> expiration is not sync'ing with Windows users password expiration.
> So I am getting people that are getting locked out of the
> environment do to their passwords expiring.
>
> I have AD 2008 r2 bidirectionally sync'ing with one 389ds master
> server. Everything so far has been working fine. I have set up a
> password policy on the AD server and have mirrored the same policy
> on the 389ds servers. Passwords are set to expire in 90 days. I
> have multimaster replication set up on 8 servers and have other
> read-only consumers.
>
> Resetting a password on a Windows desktop or linux server does not
> modify the shadowLastChange value on the Linux 389ds servers. It
> does, however, update the passwordexpirationtime on the linux
> 389ds servers. But the linux servers don't know what the
> passwordexpirationtime is so they seem to ignore it. Though the
> passwordexpirationtime value is correct and does reflect the
> password to expire in 90 days from the initial password setup or
> change.
>
> Now since users accounts are created normally before a users
> starts their new job, the passwords get out of sync do to linux
> users resetting their initial password on the linux servers once
> they login for the first time. Our internal chat server
> authenticates via the AD server, so they are not always notified
> when their Windows password has expired on the AD side.
>
> How can I get AD to update the Linux side value for the
> shadowLastChange attribute?
>
> I can pull the passwordexpirationtime value, if there is no
> "normal" solution for this, I could write a perl script to check
> for this time and update the shadowLastChange value I guess. But I
> need to know if I am just setting this up wrong and what is the
> solution or if it is not possible. Please let me know if more
> information is needed.
>
> # cat /etc/issue
> CentOS release 6.2 (Final)
>
> # rpm -qa 389*
> 389-ds-console-1.2.6-1.el6.noarch
> 389-ds-1.2.2-1.el6.noarch
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-ds-console-doc-1.2.6-1.el6.noarch
> 389-dsgw-1.1.9-1.el6.x86_64
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> 389-adminutil-1.1.15-1.el6.x86_64
> 389-console-1.1.7-1.el6.noarch
> 389-admin-1.1.29-1.el6.x86_64
> 389-admin-console-doc-1.1.8-1.el6.noarch
>
> # slaps uid=tuser
> dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
> ntUserLastLogon: 130035596619212394
> userPassword::
> e1NTSEF9cTlTNmxTc01uRVFHMjU4WVhIUVhLQWRPNU5ndVZMUDZZV3ZYSGc9PQ=
> =
> shadowLastChange: 15729
> mail: tuser at company.net <mailto:tuser at company.net>
> loginShell: /bin/bash
> uidNumber: 20288
> gidNumber: 61000
> homeDirectory: /home/tuser
> ntUserLastLogoff: 0
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
> objectClass: ntUser
> objectClass: posixAccount
> objectClass: shadowAccount
> ntUserDeleteAccount: true
> uid: tuser
> sn: user
> givenName: test
> cn: test user
> ntUserCodePage: 0
> ntUserAcctExpires: 9223372036854775807
> ntUserDomainId: tuser
> ntUniqueId: d19af18ff098044db4afb2e59f0ea25b
>
> # slaps uid=tuser passwordexpirationtime
> dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
> passwordexpirationtime: 20130425035421Z
>
>
> Thank you,
> 389ds admin
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130125/37d482c6/attachment.html>
More information about the 389-users
mailing list