John A. Sullivan III wrote:
> Hello, all. I'm seeing a strange problem in our set up to synchronize
> passwords between Directory Server 8.0 and Active Directory. If I
> change a user's password from idm-console, the password synchronizes.
> If I change it from Active Directory, the password synchronizes.
>
> However, if the user changes their own password (they use Ubuntu 8.0.4
> KDE desktops), the passwords do not synchronize. We do see an entry in
> the error log:
>
> Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
>

Do your account objects have the shadowAccount objectClass?

> That seemed straightforward so I checked the ACIs and we do allow users
> to change this attribute:
>
> (targetattr != "nsroledn||aci")
> (version 3.0;
> acl "Allow self entry modification except for nsroledn and aci
> attributes";
> allow (read,compare,search,write)
> (userdn = "ldap:///self")
> ;)
>
> Any idea why we are receiving these errors? Would this cause password
> synchronization to fail? Thanks - John
>
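
The reply's question points at the schema rather than the ACI: a write can pass the ACI and still be rejected because no objectClass on the entry permits the attribute. The sketch below is an added example, not part of the original thread or of Directory Server; it evaluates both layers for the quoted ACI, and the entry's objectClass set and the helper names are assumptions made for illustration.

```python
import re
# objectClass -> attributes it permits (MUST + MAY), per RFC 4519 / RFC 2307.
SCHEMA = {
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "telephonenumber", "seealso", "description"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "userpassword", "loginshell", "gecos", "description"},
    "shadowaccount": {"uid", "userpassword", "description", "shadowlastchange", "shadowmin",
                      "shadowmax", "shadowwarning", "shadowinactive", "shadowexpire", "shadowflag"},
}
# The self-modification ACI quoted in the message.
ACI = ('(targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry '
       'modification except for nsroledn and aci attributes"; '
       'allow (read,compare,search,write)(userdn = "ldap:///self");)')
# Constructed entry: the DN is from the error log, the objectClass set is assumed.
SAMPLE_LDIF = """\
dn: uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: mlap
"""

def parse_ldif(text):
    """Parse one unfolded LDIF record into {lower-cased attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def schema_allows(entry, attr):
    """True if any objectClass on the entry lists attr as MUST or MAY."""
    classes = (c.lower() for c in entry.get("objectclass", []))
    return any(attr.lower() in SCHEMA.get(c, set()) for c in classes)

def aci_allows_write(aci, attr):
    """Evaluate the targetattr clause and the allow() rights for a self write."""
    op, listed = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci).groups()
    names = {n.strip().lower() for n in listed.split("||")}
    hit = attr.lower() in names or "*" in names
    rights = [r.strip() for r in re.search(r"allow\s*\(([^)]*)\)", aci).group(1).split(",")]
    return (hit if op == "=" else not hit) and "write" in rights

def diagnose(entry, attr, aci=ACI):
    # Check the ACI first, then the schema, and name the layer that rejects.
    if not aci_allows_write(aci, attr):
        return "denied by ACI"
    return "allowed" if schema_allows(entry, attr) else "schema violation"
```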