On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
> John A. Sullivan III wrote:
> > Hello, all. I'm seeing a strange problem in our set up to synchronize
> > passwords between Directory Server 8.0 and Active Directory. If I
> > change a user's password from idm-console, the password synchronizes.
> > If I change it from Active Directory, the password synchronizes.
> >
> > However, if the user changes their own password (they use Ubuntu 8.0.4
> > KDE desktops), the passwords do not synchronize. We do see an entry in
> > the error log:
> >
> > Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
> >
>
> Do your account objects have the shadowAccount objectClass?

Argh!! Embarrassment, embarrassment. I had checked several and they
did . . . except for the one I was testing with! Would that torpedo
Windows synchronization? Thanks - John

>
> > That seemed straightforward so I checked the ACIs and we do allow users
> > to change this attribute:
> >
> > (targetattr != "nsroledn||aci")
> > (version 3.0;
> > acl "Allow self entry modification except for nsroledn and aci
> > attributes";
> > allow (read,compare,search,write)
> > (userdn = "ldap:///self")
> > ;)
> >
> > Any idea why we are receiving these errors? Would this cause password
> > synchronization to fail? Thanks - John
> >
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
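Added example, not part of the mailing-list thread: the reply above traces the "shadowLastChange not allowed" error to a missing shadowAccount objectClass rather than to the ACI, so this sketch audits an LDIF export offline for posixAccount entries that lack that objectClass. The sample LDIF is constructed (only the first DN appears in the thread), and the function names are hypothetical.

```python
import base64

# Constructed sample export; only the first DN comes from the thread.
SAMPLE_LDIF = "\n".join([
    "dn: uid=mlap,ou=Desks,o=a0,o=Int,",
    " dc=mycompany,dc=com",            # folded continuation line
    "objectClass:: dG9w",              # base64 for "top"
    "objectClass: posixAccount",
    "uid: mlap",
    "",
    "dn: uid=jdoe,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com",
    "objectclass: posixAccount",
    "objectclass: ShadowAccount",      # names are case-insensitive
    "shadowLastChange: 14361",
    "",
    "dn: cn=staff,ou=Groups,o=a0,o=Int,dc=mycompany,dc=com",
    "objectClass: groupOfUniqueNames",
])

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry; handles folding and base64."""
    unfolded = text.replace("\n ", "")  # LDIF continuation: newline + one space
    for block in unfolded.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):   # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def missing_shadow_account(text):
    """Return DNs of posixAccount entries that lack shadowAccount."""
    flagged = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes and "shadowaccount" not in classes:
            flagged.append(dn)
    return flagged
```

Calling `missing_shadow_account(SAMPLE_LDIF)` returns only the `uid=mlap` entry; the group entry is ignored because it is not a posixAccount.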