On Thu, 2017-01-05 at 15:09 -0800, Gordon Messmer wrote: > After upgrading to CentOS 7.3, I found that shadowExpire attributes were > not returned correctly. Searching for an account shows: > > dn: UID=gmessmer,ou=People,dc=... > uid: gmessmer > shadowexpire: 117170 > > The same value is shown in the 389-ds console. The correct value, > however, appears in our daily LDIF exports. After downgrading to > 389-ds-base-1.3.4.0-33.el7_2.x86_64, the value appears correctly in > searches again: > > dn: UID=gmessmer,ou=People,dc=... > uid: gmessmer > shadowexpire: 17248 > The shadowexpire value now is handled differently on 1.3.5 if I recall. Instead of being "set" by you to a value, it's now calculated and derived from the ns password policy. As the account nears expiry, the values decrements. When you export the DB with the ldif, you are bypassing the calculation code, and you get what's stored in the DB. I hope that helps you see why the values are changing. Your best path forward is to work on and resolve the password policy configuration of your system. -- Sincerely, William Brown Software Engineer Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
