
shadowLastChange, update problem...

I am using OpenLDAP2-2.1.4-26 and I seem to be having serious problems with a feature that the both of you appear to have been able to make work.  I am curious as to what I am doing wrong here and hoping that you will be willing and able to assist me.

I have been able to successfully prove that root can change a user's password and the shadowLastChange attribute is updated; however, when a user changes his or her password or is forced to perform a change of his or her password the field is not updated.

Secondly, when I force a user to change his or her password by setting attribute shadowLastChange to 0 the user is prompted to change their password.  They are first asked for a new password, then to verify, and finally their old password.  The system then responds that the user's password was changed.  However, the password in fact was not changed and the value of shadowLastChange remains 0.

I have included other lists in this E-mail in the hopes that someone can tell me what I am missing.  

This is my current configuration:

pam_ldap version is from PADL and is pam_ldap-166.

# more /etc/pam.d/passwd

#%PAM-1.0
auth    required        pam_env.so
auth    sufficient      pam_unix.so likeauth nullok
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
account sufficient      pam_unix.so
account sufficient      pam_ldap.so
account required        pam_deny.so
password        sufficient      pam_ldap.so
password        sufficient      pam_unix.so nullok use_authtok md5
password        required        pam_deny.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_ldap.so

=============================================

#more /etc/ldap.conf

host            myserver
base            dc=mydomain,dc=org
rootbinddn      cn=proxyuser,dc=mydomain,dc=org
#
#bindpw         secret
#
ldap_version    3
port            389
scope           sub
uri             ldap://myserver.mydomain.org/

timelimit       30
pam_filter              objectClass=posixAccount
pam_login_attribute     uid
pam_password            md5
pam_check_host_attr     yes

============================================

# more /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema


access to dn=".*,dc=mydomain,dc=org" attr=userPassword
        by self write
        by dn="cn=Manager,dc=mydomain,dc=org" write
        by dn="cn=proxyuser,dc=mydomain,dc=org" write
        by dn="uid=root,dc=mydomain,dc=org" write
        by * auth

access to dn=".*,dc=mydomain,dc=org" attr=shadowLastChange
        by dn="cn=Manager,dc=mydomain,dc=org" write
        by dn="cn=proxyuser,dc=mydomain,dc=org" write
        by dn="uid=root,dc=mydomain,dc=org" write
        by self read
        by * auth

access to *
        by * read

loglevel        256
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

database        bdb
suffix          "dc=mydomain,dc=org"
#
# Define Rootdn
#
rootdn          "cn=Manager,dc=mydomain,dc=org"
rootpw         shhhhhh don't tell...
#
# Data store
#
directory       /var/lib/frb.org
mode            0600

index           objectClass     eq
index   cn,uid  eq
index   uidNumber       eq
index   gidNumber       eq

Thanks!
Eric Sammons
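Added example (editor's addition, not part of Eric's message and not OpenLDAP's or pam_ldap's own code): a small Python checker that reads the "access to" directives posted above and reports the access level slapd would give "self" on the attributes a pam_ldap self-service password change writes. pam_ldap sends userPassword and shadowLastChange in one modify request when the entry carries shadow attributes, and an LDAP modify is atomic, so a denial on either attribute rejects the whole request. The model is deliberately simplified: it assumes subjects are only `*`, `self` or an exact `dn="..."` match, that the first matching "access to" clause applies (as in slapd), that a "by" clause with no level grants "none", and that "none" applies when no clause matches at all (never reached here, since the posted config ends with `access to *`). The sample ACL text is copied from the post with the stray blank line inside the shadowLastChange clause removed.

```python
import shlex

# slapd access levels in increasing order; 'write' implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Sample input: the attribute ACLs from the post above (indentation normalised).
POSTED_ACLS = """\
access to dn=".*,dc=mydomain,dc=org" attr=userPassword
        by self write
        by dn="cn=Manager,dc=mydomain,dc=org" write
        by dn="cn=proxyuser,dc=mydomain,dc=org" write
        by dn="uid=root,dc=mydomain,dc=org" write
        by * auth

access to dn=".*,dc=mydomain,dc=org" attr=shadowLastChange
        by dn="cn=Manager,dc=mydomain,dc=org" write
        by dn="cn=proxyuser,dc=mydomain,dc=org" write
        by dn="uid=root,dc=mydomain,dc=org" write
        by self read
        by * auth

access to *
        by * read
"""

# Attributes pam_ldap modifies in a single request on a self-service change.
SELF_CHANGE_ATTRS = ("userPassword", "shadowLastChange")


def join_directives(text):
    """Yield each slapd.conf directive as one string: blank and '#' lines are
    skipped, and a line starting with whitespace continues the previous one."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def parse_acls(text):
    """Return [(attrs, [(subject, level), ...]), ...], one entry per
    'access to' directive; attrs is ['*'] when no attr= list is given."""
    acls = []
    for directive in join_directives(text):
        tokens = shlex.split(directive)  # handles the quoted dn="..." values
        if tokens[:2] != ["access", "to"]:
            continue
        groups, cur = [], []              # split the token stream at each 'by'
        for tok in tokens[2:]:
            if tok == "by":
                groups.append(cur)
                cur = []
            else:
                cur.append(tok)
        groups.append(cur)
        what, by_groups = groups[0], groups[1:]
        attrs = ["*"]
        for tok in what:
            if tok.startswith(("attr=", "attrs=")):
                attrs = tok.split("=", 1)[1].split(",")
        by_clauses = []
        for grp in by_groups:
            # Assumption of this model: a 'by' clause without a level means none.
            level = grp[1] if len(grp) > 1 and grp[1] in LEVELS else "none"
            by_clauses.append((grp[0], level))
        acls.append((attrs, by_clauses))
    return acls


def effective_access(acls, attr, subject):
    """Level 'subject' gets on 'attr': the first clause covering the attribute
    applies, and within it the first 'by' whose subject matches."""
    for attrs, by_clauses in acls:
        if attrs != ["*"] and attr.lower() not in (a.lower() for a in attrs):
            continue
        for who, level in by_clauses:
            if who == "*" or who == subject or who == "dn=" + subject:
                return level
        return "none"  # clause matched the attribute, but no 'by' matched
    return "none"      # no clause at all matched (modelling assumption)


def self_change_blockers(acls):
    """Attributes on which 'self' has less than write access, i.e. which would
    make the atomic modify behind a user's own password change fail."""
    want = LEVELS.index("write")
    return [a for a in SELF_CHANGE_ATTRS
            if LEVELS.index(effective_access(acls, a, "self")) < want]


if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    for a in SELF_CHANGE_ATTRS:
        print(f"self on {a}: {effective_access(acls, a, 'self')}")
    print("attributes blocking a self-service change:", self_change_blockers(acls))
```

Run against the posted ACLs the checker reports write on userPassword but only read on shadowLastChange for "self", so shadowLastChange is listed as a blocker; feeding it the same text with `by self write` on that clause yields an empty list. Whether that is the whole story for the symptoms in the post is for the thread to decide; the checker only makes the ACL outcome visible without touching a live directory.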