shadowLastChange NOT updating (was Re: ldappasswd and shadowLastChange attribute)

Sorry for replying to myself, but I wanted to add more that I've tried 
since my last post:

From the DirSrv X Console: in Configuration -> Indexes I added the 
"shadowLastChange" attribute to userRoot, then NetscapeRoot, still with no 
luck.  I then put the following in my /etc/ldap.conf:

nss_map_objectclass shadowAccount User
pam_password exop

Still no luck.  To clarify, the shadowLastChange DOES get properly updated 
when you reset a user's password in Webmin's "Users and Groups" module, 
but NOT when you use /usr/lib64/mozldap/ldappasswd OR in the Squirrelmail 
"Change LDAP Password" plugin.  Again, any of these will change the 
password no problem, but not that attribute... any pointers would be 
appreciated.  Here is a sample user:

version: 1
dn: uid=test123,ou=People, dc=some, dc=domain
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: test123
cn: test123
uidNumber: 999
gidNumber: 999
homeDirectory: /home/test123
loginShell: /bin/false
sn: test123
mail: test123 at some.domain
shadowLastChange: 13678
shadowMin: 1
shadowMax: 99999
shadowWarning: 14

On Mon, 27 Sep 2010, James Smallacombe wrote:

>
> I finally figured out a working shell script to make LDAP user password
> changes using mozldap/ldappasswd.  Unfortunately, I just discovered that
> changing the password using this does not update the "shadowLastChange"
> attribute, so users with expired passwords are still not able to log in,
> even after an admin has reset their password in this manner.
>
> Since we are migrating from traditional shadow passwords to LDAP, the
> attribute we need to get updated by this is "shadowLastChange"
>
> I attempted to work around this in /etc/ldap.conf by adding this:
>
> nss_map_attribute shadowLastChange pwdLastSet
>
> But to no avail.  In addition, the "change ldap password" plugin also does
> not update this, although webmin users and groups module does.
>
> What am I missing?  Thanks in Advance!
>
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at 3.am							    http://3.am
> =========================================================================
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================
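
Added example (not part of the original post and not code from 389 Directory Server or mozldap): shadow(5)-style aging arithmetic applied to the attributes of the sample entry above, plus the LDIF change record that an explicit update of shadowLastChange would use. The date and the shadowMax of 90 are constructed, and the script assumes the LDAP client applies the same day-count rules as shadow(5).

```shell
#!/bin/sh
# Added example: shadow(5)-style password aging for an LDAP shadowAccount entry.
# Assumption: the LDAP client uses the same day-count rules as shadow(5).

# Days since 1970-01-01 for an epoch-seconds value (default: now).
# shadowLastChange is stored in this unit.
shadow_today() {
    echo $(( ${1:-$(date +%s)} / 86400 ))
}

# Classify an entry as "must-change", "expired", "warning" or "ok".
# Args: shadowLastChange shadowMax shadowWarning today
shadow_state() {
    last=$1 max=$2 warn=${3:-0} today=$4
    # An empty or negative value means aging is not enforced.
    if [ -z "$last" ] || [ -z "$max" ] || [ "$last" -lt 0 ] || [ "$max" -lt 0 ]; then
        echo ok; return
    fi
    # 0 is special in shadow(5): change the password at next login.
    if [ "$last" -eq 0 ]; then echo must-change; return; fi
    expires=$(( last + max ))
    if [ "$today" -gt "$expires" ]; then
        echo expired
    elif [ "$today" -ge $(( expires - warn )) ]; then
        echo warning
    else
        echo ok
    fi
}

# Emit an LDIF change record (RFC 2849) that sets shadowLastChange
# for DN $1 to day number $2. Feed it to an ldapmodify-style client.
shadow_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n' "$1" "$2"
}

# Constructed walk-through: sample entry values, constructed date and shadowMax.
today=$(shadow_today 1285545600)    # 2010-09-27 00:00 UTC
echo "today as shadow day number: $today"
echo "sample entry (shadowMax 99999): $(shadow_state 13678 99999 14 "$today")"
echo "same entry with shadowMax 90:   $(shadow_state 13678 90 14 "$today")"
echo "after resetting shadowLastChange: $(shadow_state "$today" 90 14 "$today")"
shadow_ldif 'uid=test123,ou=People, dc=some, dc=domain' "$today"
```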

