Hi there,
I can change the shadowLastChange attribute:
maria@mimi:~/sysadmin/ldap$ ldapmodify -x -v -r -W -D "cn=admin,dc=example,dc=com" -f pass.exp
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
replace shadowLastChange: 15786
modifying entry "uid=chris,ou=people,dc=example,dc=com"
modify complete
But, I can't see it:
annette:~# ldapsearch -x "uid=chris" shadowLastChange
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=chris
# requesting: shadowLastChange
#

# chris, people, example.com
dn: uid=chris,ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Even though this is my permission:
olcAccess: {0}to attrs=shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
Have I done something wrong with my permissions? Is there something else that could be going on here?
thanks,
Maria
Maria McKinley wrote:
Hi there,
I can change the shadowLastChange attribute:
maria@mimi:~/sysadmin/ldap$ ldapmodify -x -v -r -W -D "cn=admin,dc=example,dc=com" -f pass.exp
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
replace shadowLastChange: 15786
modifying entry "uid=chris,ou=people,dc=example,dc=com"
modify complete
But, I can't see it:
annette:~# ldapsearch -x "uid=chris" shadowLastChange
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=chris
# requesting: shadowLastChange
#

# chris, people, example.com
dn: uid=chris,ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Even though this is my permission:
olcAccess: {0}to attrs=shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
Have I done something wrong with my permissions? Is there something else that could be going on here?

Looks like it's behaving exactly as you specified. As admin you have write access. When you searched anonymously, you got no access. (You gave anonymous auth access, but a search is obviously not an auth request.)
openldap-technical@openldap.org
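
The evaluation the reply describes, as an added example that is not part of the original thread and is not slapd's own code: a simplified Python model of first-match ACL evaluation over the four olcAccess rules from the post. It assumes only the <what> and <who> forms that appear in those rules, and the function names are hypothetical.

```python
import re

# OpenLDAP access levels, lowest to highest (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The four olcAccess values from the post, {n} index prefixes removed.
ACLS = [
    'to attrs=shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * read',
    'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none',
    'to dn.base="" by * read',
    'to * by self write by dn="cn=admin,dc=example,dc=com" write by * read',
]

def parse(acl):
    """Split one rule into its <what> and an ordered list of (who, level)."""
    what, *clauses = re.split(r"\s+by\s+", acl[len("to "):])
    return what, [tuple(c.rsplit(None, 1)) for c in clauses]

def what_matches(what, entry_dn, attr):
    # Simplified model: only the three <what> forms used in the post.
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return entry_dn == what[len("dn.base="):].strip('"')
    return what == "*"

def who_matches(who, bind_dn, entry_dn):
    # bind_dn is None for an anonymous (unauthenticated) session.
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):].strip('"')
    return who == "*"

def granted(bind_dn, entry_dn, attr, acls=ACLS):
    """First matching <what>, then first matching <who>; evaluation stops there."""
    for what, clauses in map(parse, acls):
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return level  # later "by" clauses are never reached
            return "none"         # implicit trailing "by * none"
    return "none"

def can(bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

With bind_dn=None the session stops at "by anonymous auth" in rule {0} and never reaches "by * read", so the entry's dn is returned (rule {3} grants read on other attributes) while shadowLastChange is withheld, which matches the ldapsearch -x output in the post.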