[389-users] AD and 389ds synchronization of shadowLastChange

Rich Megginson rmeggins at redhat.com
Fri Jan 25 15:03:08 UTC 2013 

On 01/24/2013 11:09 PM, vladimir Safoo wrote:
> My apologies,
>
> I just saw the thread "[389-users] AD <-> LDAP password expiration sync"
>
> Is this correct, there is no current way to sync the shadowLastChange 
> value?
Correct.
>
>
>
>
>
> On Fri, Jan 25, 2013 at 12:04 AM, vladimir Safoo 
> <wudadin2003 at gmail.com <mailto:wudadin2003 at gmail.com>> wrote:
>
>     Greetings all,
>
>     I need help from the experts, so I thank you ahead of time for any
>     help that you are able to assist me with.
>
>     Problem - Password set to expire in 90 days. Linux users password
>     expiration is not sync'ing with Windows users password expiration.
>     So I am getting people that are getting locked out of the
>     environment do to their passwords expiring.
>
>     I have AD 2008 r2 bidirectionally sync'ing with one 389ds master
>     server. Everything so far has been working fine. I have set up a
>     password policy on the AD server and have mirrored the same policy
>     on the 389ds servers. Passwords are set to expire in 90 days. I
>     have multimaster replication set up on 8 servers and have other
>     read-only consumers.
>
>     Resetting a password on a Windows desktop or linux server does not
>     modify the shadowLastChange value on the Linux 389ds servers. It
>     does, however, update the passwordexpirationtime on the linux
>     389ds servers. But the linux servers don't know what the
>     passwordexpirationtime is so they seem to ignore it. Though the
>     passwordexpirationtime value is correct and does reflect the
>     password to expire in 90 days from the initial password setup or
>     change.
>
>     Now since users accounts are created normally before a users
>     starts their new job, the passwords get out of sync do to linux
>     users resetting their initial password on the linux servers once
>     they login for the first time. Our internal chat server
>     authenticates via the AD server, so they are not always notified
>     when their Windows password has expired on the AD side.
>
>     How can I get AD to update the Linux side value for the
>     shadowLastChange attribute?
>
>     I can pull the passwordexpirationtime value, if there is no
>     "normal" solution for this, I could write a perl script to check
>     for this time and update the shadowLastChange value I guess. But I
>     need to know if I am just setting this up wrong and what is the
>     solution or if it is not possible. Please let me know if more
>     information is needed.
>
>     # cat /etc/issue
>     CentOS release 6.2 (Final)
>
>     # rpm -qa 389*
>     389-ds-console-1.2.6-1.el6.noarch
>     389-ds-1.2.2-1.el6.noarch
>     389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>     389-admin-console-1.1.8-1.el6.noarch
>     389-ds-console-doc-1.2.6-1.el6.noarch
>     389-dsgw-1.1.9-1.el6.x86_64
>     389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>     389-adminutil-1.1.15-1.el6.x86_64
>     389-console-1.1.7-1.el6.noarch
>     389-admin-1.1.29-1.el6.x86_64
>     389-admin-console-doc-1.1.8-1.el6.noarch
>
>     # slaps uid=tuser
>     dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
>     ntUserLastLogon: 130035596619212394
>     userPassword::
>     e1NTSEF9cTlTNmxTc01uRVFHMjU4WVhIUVhLQWRPNU5ndVZMUDZZV3ZYSGc9PQ=
>      =
>     shadowLastChange: 15729
>     mail: tuser at company.net <mailto:tuser at company.net>
>     loginShell: /bin/bash
>     uidNumber: 20288
>     gidNumber: 61000
>     homeDirectory: /home/tuser
>     ntUserLastLogoff: 0
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalperson
>     objectClass: inetOrgPerson
>     objectClass: ntUser
>     objectClass: posixAccount
>     objectClass: shadowAccount
>     ntUserDeleteAccount: true
>     uid: tuser
>     sn: user
>     givenName: test
>     cn: test user
>     ntUserCodePage: 0
>     ntUserAcctExpires: 9223372036854775807
>     ntUserDomainId: tuser
>     ntUniqueId: d19af18ff098044db4afb2e59f0ea25b
>
>     # slaps uid=tuser passwordexpirationtime
>     dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
>     passwordexpirationtime: 20130425035421Z
>
>
>     Thank you,
>     389ds admin
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130125/37d482c6/attachment.html>

More information about the 389-users mailing list