On 10/06/11 17:56 -0600, Bidwell, Matt wrote:
If a user changes passwords on an ldap client machine, the shadow entry disappears. This is true for all hash methods except for {CRYPT}.
Do you mean that the userPassword attribute disappears, or one of the shadow* attributes? Or do you mean that you can no longer see the user with 'getent shadow' on the client system?
Clearly I would like {SSHA} or {MD5} over {CRYPT}. The client machines are pretty standard RHEL 5 machines. I have exop in the config on the client. Setting the password on the LDAP server works correctly. Running the server in debug didn't make anything jump out at me. Anyone have any ideas? Perhaps I'm missing an ACL I don't know about.
Can you reproduce the problem using ldappasswd on the client?
Can you provide (sanitized) examples of what good and bad ldap user entries look like?
What pam/nss software are you running on the clients?