One possible issue: Does your ACI set allow shadowLastChange to be written? To test, you could add a very permissive ACI that allows anyone to write shadowLastChange. If that helps, then hone down the ACI. I think all you should need is self-write for shadowLastChange, but I'm not 100% sure.

----- Original Message -----
From: "Kyle Tucker" <kylet at panix.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Sent: Saturday, November 04, 2006 11:11 AM
Subject: Re: Linux password change/expiration issue

> Hi all,
> Sorry to be a pest with this, but I am so close. I went back
> to using shadowAccount and have it all behaving just as I need with
> one exception. When a client successfully changes their password,
> the userPassword attribute is changed in LDAP, but the shadowLastChange
> is not updated to the current day, and the password is still being
> interpreted as expired. This occurs with FDS 1.0.2 and 1.0.3. So I am
> not chasing an unattainable goal, should shadowLastChange be getting
> updated at the same time and procedure as is userPassword? Thanks.
>
> --
> - Kyle
> ---------------------------------------------
> kylet at panix.com http://www.panix.com/~kylet
> ---------------------------------------------
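The two ACIs discussed in the reply above, written out as LDIF for ldapmodify. This is an added example, not part of either message; the suffix ou=People,dc=example,dc=com and the ACL names are assumptions.

```ldif
# Constructed example. The two records are applied separately, with a
# password-change test in between, not as a single ldapmodify run.

# Record 1 (diagnostic only): allow anyone to write shadowLastChange.
# If the attribute starts updating after a password change, the ACI set
# was the cause. Do not leave this ACI in place.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "shadowLastChange")(version 3.0; acl "TEST anyone write shadowLastChange"; allow (write) userdn = "ldap:///anyone";)

# Record 2 (narrowed): remove the diagnostic ACI and grant write on
# shadowLastChange only to the entry's own bound user (self-write).
dn: ou=People,dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "shadowLastChange")(version 3.0; acl "TEST anyone write shadowLastChange"; allow (write) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "shadowLastChange")(version 3.0; acl "Self write shadowLastChange"; allow (write) userdn = "ldap:///self";)
```

The delete in record 2 must give the ACI value exactly as it was added, since the server removes the value by matching the string.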