On 13-09-03 10:34 PM, john espiro wrote:
> I changed the password with ldappasswd successfully, but still the error persists. Doing some research it seems that shadowLastChange is not getting updated.
> How can we resolve this?
There are two ways.
The first is that every application that might change a user's password could be set up to also update shadowLastChange. For example, nslcd(8) 0.8.0 and newer will try to update it, if you use libpam-ldapd and perform a PAM password change. In the case where you change the password with ldappasswd(1), you would have to update shadowLastChange separately using ldapmodify(1).
The second way, which I prefer, is to use an overlay such as smbk5pwd to maintain shadowLastChange. Even if you don't use Samba or Heimdal, you can configure smbk5pwd with just
olcSmbK5PwdEnable: shadow
to have it maintain shadowLastChange. Then your responsibility is to make sure that every application performs a proper password change using the exop and not directly writing to userPassword. (ldappasswd(1) and nslcd(8) both do the right thing, but most web applications I've encountered do not.)
Hope that helps.
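The first approach from the reply above (ldappasswd(1) followed by a separate ldapmodify(1) of shadowLastChange), sketched as an added example that is not part of the original message. The function names, the sample DN and timestamp, and the use of simple bind (-x) are assumptions; shadowLastChange is written as whole days since 1970-01-01, the shadow(5) convention.

```shell
#!/bin/sh
# Added example (not from the original post): stamp shadowLastChange
# after a password change made with ldappasswd(1).

# Convert epoch seconds to whole days since 1970-01-01.
shadow_days() {
    echo $(( $1 / 86400 ))
}

# Emit the LDIF that replaces shadowLastChange on one entry.
# $1 = user DN, $2 = epoch seconds (defaults to the current time)
shadow_ldif() {
    dn=$1
    now=${2:-$(date +%s)}
    # Refuse a DN containing a newline: it would inject extra LDIF lines.
    case $dn in
        *"
"*) echo "refusing DN with embedded newline" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n' \
        "$dn" "$(shadow_days "$now")"
}

# Change the password via the exop, then stamp the entry only if that
# succeeded. $1 = bind DN, $2 = user DN. -W prompts for the bind password
# (once per command), -S prompts for the new password.
# Defined for illustration; not called here because it needs a live server.
change_and_stamp() {
    ldappasswd -x -D "$1" -W -S "$2" &&
        shadow_ldif "$2" | ldapmodify -x -D "$1" -W
}

# Constructed sample input: a made-up DN and the epoch value for
# 2013-09-03 22:34:00 UTC.
SAMPLE_DN='uid=jdoe,ou=People,dc=example,dc=com'
shadow_ldif "$SAMPLE_DN" 1378247640
```

With the smbk5pwd overlay configured as described in the second approach, the ldapmodify step is unnecessary because the overlay maintains shadowLastChange on every exop password change.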