Re: Updating ShadowLastChange with slurpd

[Tony Earnshaw <tonye@billy.demon.nl>]

Brian wrote:

> > This should *not* be "by self write". The system should update the
> > shadowLastChange attribute automatically (at least, I just confirmed
> > that this happens on RedHat ES3/Openldap 2.1.23); the user should at the
> > most only be able to read it.
>
> I agree with you that this is subject to abuse if the user knows about it.
>  However I can confirm that under RH ES 2.1/OpenLDAP 2.0.27-2.7.3 that if
> this is not set this way, the user is unable to update the attribute when
> they change their passwords themselves.  The object is never updated and
> they're perpetually prompted to change their passwords.  Or at least,
> that's what I've observed.

Interesting. I'd deinstalled the 2.0.27 server/clients, kept the 2.0.27
ldap libs for the dependencies, and installed 2.1.23 to /usr/local from
source. What I saw I and did to the shadow attribute I did with GQ.
Changed shadowLastChange from some 5-figure value to 0, user 
force-changed password, shadowLastChange was changed to 12376 
(yesterday). That ACL is read-only on this machine. I did it again, and 
the 0 was changed to 12377. Checked this with another user, also 12377 
after the change.

But I can't see what LDAP has to do with it. It's purely the receptacle.
ldd on different binaries doesn't give much of a clue, either.

--Tonni

--
Tony Earnshaw

If my mail server refuses your
mail resend to:

billy at billy.demon.nl
http: www.billy.demon.nl