Re: [389-users] shadowLast Change NOT updating was Re: ldappasswd and shadowLastChange attribute

Looks like there's already a "Directory Administrators" ACI under 
(Company) that has all the attributes checked.  I assume we do NOT have to 
do this under the "netscape root" tree, right?

What's more, Webmin does correctly update the shadowLastChange attribute 
when you change a user's password there.  It just doesn't work when using 
"ldappasswd" or a squirrelmail plugin for users to change their password, 
all of which bind as Directory Manager.

Is there something more that needs to be done in /etc/ldap.conf or pam.d/ ? 
We use ldap via authconfig (pam.d/system-auth).

On Tue, 28 Sep 2010, Jason Brown wrote:

> The ACI where it is set is in the top of the tree, not in People.
> This will also prevent Domain Managers the ability to write to this as
> well.
>
>
> On Sep 27, 2010, at 6:52 PM, James Smallacombe wrote:
>
>>
>> Thanks for your reply, Jason.  I am a bit of a noob here, but I went to
>> the DirServ console and:
>>
>> (Example) -> People did a right-click on it, then -> Set Access
>> Permissions and saw the 6 default ACIs.  I edited "Allow self entry
>> modifications" and checked "shadowLastChange".  Since this was only for
>> "Self" and these mods are done either by root in the shell, or the apache
>> user in the web plugin, I didn't really expect it to help.  So, I created
>> a custom ACI:
>>
>> Selected ALL users, then unchecked all targets, then re-checked
>> "shadowLastChange" and a few others.
>>
>> Still no luck.  Although I'm not up on ACIs, in all cases I am binding to
>> the server as the Directory Manager, so doesn't that mean the ACI
>> shouldn't matter?
>>
>> Thanks again,
>>
>> On Mon, 27 Sep 2010, Jason Brown wrote:
>>
>>> I am not sure if there is a huge difference between RHDS and 389, but
>>> I also had this same issue.  I believe it had to do with the ACI's
>>> preventing the update to that attribute.  Once you allow write access
>>> to shadowLastChange it was able to update it.
>>>
>>>
>>> On Sep 27, 2010, at 3:02 PM, James Smallacombe wrote:
>>>
>>>>
>>>> Sorry for replying to myself, but I wanted to add more that I've tried
>>>> since my last post:
>>>>
>>>> from the DirSrv X Console: in Configuration -> Indexes I added the
>>>> "shadowLastChange" attribute to userRoot, then NetscapeRoot, still with
>>>> no luck.  I then put the following in my /etc/ldap.conf
>>>>
>>>> nss_map_objectclass shadowAccount User
>>>> pam_password exop
>>>>
>>>> Still no luck.  To clarify, the shadowLastChange DOES get properly
>>>> updated when you reset a user's password in Webmin's "Users and Groups"
>>>> module, but NOT when you use /usr/lib64/mozldap/ldappasswd OR in the
>>>> Squirrelmail "Change LDAP Password" plugin.  Again, any of these will
>>>> change the password no problem, but not that attribute....any pointers
>>>> would be appreciated.  Here is a sample user:
>>>>
>>>> version: 1
>>>> dn: uid=test123,ou=People,dc=some,dc=domain
>>>> objectClass: posixAccount
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> objectClass: shadowAccount
>>>> uid: test123
>>>> cn: test123
>>>> uidNumber: 999
>>>> gidNumber: 999
>>>> homeDirectory: /home/test123
>>>> loginShell: /bin/false
>>>> sn: test123
>>>> mail: test123@xxxxxxxxxxx
>>>> shadowLastChange: 13678
>>>> shadowMin: 1
>>>> shadowMax: 99999
>>>> shadowWarning: 14
>>>>
>>>> On Mon, 27 Sep 2010, James Smallacombe wrote:
>>>>
>>>>>
>>>>> I finally figured out a working shell script to make LDAP user password
>>>>> changes using mozldap/ldappasswd.  Unfortunately, I just discovered that
>>>>> changing the password using this does not update the "shadowLastChange"
>>>>> attribute, so users with expired passwords are still not able to log in,
>>>>> even after an admin has reset their password in this manner.
>>>>>
>>>>> Since we are migrating from traditional shadow passwords to LDAP, the
>>>>> attribute we need to get updated by this is "shadowLastChange"
>>>>>
>>>>> I attempted to work around this in /etc/ldap.conf by adding this:
>>>>>
>>>>> nss_map_attribute shadowLastChange pwdLastSet
>>>>>
>>>>> But to no avail.  In addition, the "change ldap password" plugin also
>>>>> does not update this, although webmin users and groups module does.
>>>>>
>>>>> What am I missing?  Thanks in Advance!
>>>>>
>>>>
>>>
>>
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@xxxx							    http://3.am
=========================================================================
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
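Added example, not from the thread and not part of 389 DS, mozldap or the Squirrelmail plugin. The behaviour the thread describes follows from how the tools work: ldappasswd (and `pam_password exop`) use the LDAP Password Modify extended operation (RFC 3062), which replaces userPassword and nothing else, whereas Webmin rewrites the shadow attributes of the entry as part of its own update. shadowLastChange is an ordinary attribute holding days since 1970-01-01, exactly as in shadow(5), so a client that changes passwords with the extended operation has to write it in a separate modify. A bind as Directory Manager is not subject to ACIs, so the custom ACI was never the obstacle for those clients. The script below computes the shadow day number, builds the LDIF for that modify, and applies the simplified expiry test that pam_unix performs, so an admin can check an entry before and after the fix. The DN layout is taken from the sample entry in the thread; the `ldapmodify` invocation in the usage note is OpenLDAP's syntax and assumes a Directory Manager bind.

```python
#!/usr/bin/env python3
"""Added example (not from the mailing-list thread).

Writes shadowLastChange after a password change done through the LDAP
Password Modify extended operation, which leaves that attribute untouched.
Assumes the DN layout from the thread's sample entry.
"""
import datetime
import sys

SHADOW_EPOCH = datetime.date(1970, 1, 1)


def shadow_days(day=None):
    """Day number as shadow(5) stores it: days since 1970-01-01."""
    day = day or datetime.date.today()
    return (day - SHADOW_EPOCH).days


def shadow_last_change_ldif(dn, days):
    """LDIF 'modify' record that sets shadowLastChange to `days`.

    A 'replace' also works when the entry has no value yet, so it is safe
    to run right after a password reset regardless of prior state.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: shadowLastChange",
        f"shadowLastChange: {days}",
        "",  # blank line terminates the LDIF record
    ])


def password_expired(last_change, shadow_max, today_days=None):
    """Simplified form of the pam_unix/shadow check: the password is
    expired once more than shadowMax days have passed since the last
    change.  A missing or negative shadowMax means never expires."""
    today_days = today_days if today_days is not None else shadow_days()
    if shadow_max is None or shadow_max < 0:
        return False
    return today_days > last_change + shadow_max


def parse_shadow_attrs(ldif_text):
    """Pull shadowLastChange/shadowMax out of an LDIF entry dump
    (e.g. ldapsearch output) as integers; missing values become None."""
    attrs = {"shadowLastChange": None, "shadowMax": None}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name in attrs and value.strip():
            attrs[name] = int(value.strip())
    return attrs


# Constructed sample, copied from the entry shown in the thread.
SAMPLE_ENTRY = """\
dn: uid=test123,ou=People,dc=some,dc=domain
objectClass: shadowAccount
uid: test123
shadowLastChange: 13678
shadowMin: 1
shadowMax: 99999
shadowWarning: 14
"""


def main(argv):
    # Usage: shadow_fix.py <dn>  -> prints LDIF to pipe into ldapmodify
    dn = argv[1] if len(argv) > 1 else "uid=test123,ou=People,dc=some,dc=domain"
    attrs = parse_shadow_attrs(SAMPLE_ENTRY)
    print("# expired before update:",
          password_expired(attrs["shadowLastChange"], attrs["shadowMax"]),
          file=sys.stderr)
    sys.stdout.write(shadow_last_change_ldif(dn, shadow_days()))


if __name__ == "__main__":
    main(sys.argv)
```

Run it right after `ldappasswd` and pipe the output into the server, bound as the same identity the reset used, for example `python3 shadow_fix.py "uid=test123,ou=People,dc=some,dc=domain" | ldapmodify -x -D "cn=Directory Manager" -W`. The 2010-09-28 thread date corresponds to day 14880; writing that value makes a shadowMax-based expiry stop rejecting the login without changing anything in /etc/ldap.conf or pam.d.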

