On Tue, 2006-12-05 at 12:28 -0500, Kyle Tucker wrote: > Assuming you're using shadowAccount attributes for your password expiry, you > are seeing just what I saw until "write for self" access was given to users > to up the shadowLastChange attribute. Here's how I fixed it in admin console. > > In Directory tab, select root domain > > Right click and select "Set Access Permissions" > > Select "Enable self-write for common attributes" and click on Edit > > After "userPassword", insert "|| shadowLastChange " and click on OK and > again on OK on the parent window. The problem we had with using the shadow attributes is that not all platforms honor them (I don't recall seeing Solaris update shadowLastChange). You'd also need to remember to update the shadowLastChange attribute manually if you reset a user's password by some mechanism outside of PAM (from the Administrator's Console, for example). -Steve
