Hello, John.
I am still not getting shadowLastChange to update. I am using the ldappasswd command to set the password and it does change the password but the shadowLastChange is not being updated. Anyone got any feedback for me? I am beginning to wonder if there is a bug in this older version of OpenLDAP that CentOS is using.
As mentioned in the manpage, ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation. This operation allows the server to automatically hash the supplied password.
If the password policy overlay is loaded and attached, it may update the pwdChangedTime attribute.
Under no circumstances should this have anything to do with shadowLastChange, which is part of the unrelated RFC 2307 schema.
Modern LDAP PAM-modules should be able to use the ppolicy mechanisms to enforce changes instead. Try checking out slapo-ppolicy?
Matthew Backes
Symas Corporation
mbackes@symas.com
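To see the divergence described in the reply above on a given account, the following added example (not part of the original message) compares ppolicy's pwdChangedTime with the RFC 2307 shadowLastChange on one entry. The sample entry is constructed, the function names are hypothetical, and pwdChangedTime is assumed to be a UTC GeneralizedTime without fractional seconds.

```python
"""Added example: compare ppolicy's pwdChangedTime with RFC 2307 shadowLastChange."""
from datetime import datetime, timezone

# Constructed sample entry (LDIF), as it might look after an ldappasswd change
# on a server with the ppolicy overlay attached: pwdChangedTime is fresh,
# shadowLastChange still holds its old value.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
shadowLastChange: 15000
pwdChangedTime: 20120301120000Z
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry (no base64 values, no line folding) into a dict."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs[name.lower()] = value
    return attrs

def generalized_time_to_days(value):
    """Convert a UTC GeneralizedTime (YYYYmmddHHMMSSZ) to whole days since 1970-01-01,
    the unit shadowLastChange uses."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() // 86400)

def password_change_drift(entry):
    """Return (ppolicy_days, shadow_days, drift); None where an attribute is absent."""
    changed = entry.get("pwdchangedtime")
    shadow = entry.get("shadowlastchange")
    ppolicy_days = generalized_time_to_days(changed) if changed else None
    shadow_days = int(shadow) if shadow else None
    drift = None
    if ppolicy_days is not None and shadow_days is not None:
        drift = ppolicy_days - shadow_days  # > 0: shadow data is older than ppolicy's
    return ppolicy_days, shadow_days, drift

if __name__ == "__main__":
    print(password_change_drift(parse_entry(SAMPLE_LDIF)))
```

A positive drift means password aging based on shadowLastChange is working from an older date than the one ppolicy recorded.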