We have OpenLDAP (Version: 2.4.31-1ubuntu2.1) set up on our Ubuntu server. We just migrated over from an older server and are getting this message for a user:
Our users can log in to webmail to send and receive mail, and other stuff like that, and they can download POP3 mail via a desktop client, but when they go to send out, or su to that user, we get messages like this:
auth: pam_unix(dovecot:account): account has expired (account expired)
Sep 3 19:05:03 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=XXXX rhost=::1 user=XXXX
I changed the password with ldappasswd successfully, but still the error persists. Doing some research it seems that shadowLastChange is not getting updated.
How can we resolve this?
/usr/share/slapd/slapd.conf
access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="@ADMIN@" write
        by * read

Package: slapd
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 4101
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Source: openldap
Version: 2.4.31-1ubuntu2.1
Replaces: ldap-utils (<< 2.2.23-3), libldap2
Provides: ldap-server, libslapi-2.4-2
Depends: libc6 (>= 2.15), libdb5.1, libldap-2.4-2 (= 2.4.31-1ubuntu2.1), libltdl7 (>= 2.4.2), libodbc1 (>= 2.2.11) | unixodbc (>= 2.2.11), libperl5.14 (>= 5.14.2), libsasl2-2 (>= 2.1.24), libslp1, libwrap0 (>= 7.6-4~), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13)
Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support
Recommends: libsasl2-modules
Suggests: ldap-utils, ufw
Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
Conffiles:
On Tue, 3 Sep 2013 22:34:07 -0700 (PDT), john espiro <john_espiro@yahoo.com> wrote:
> We have OpenLDAP (Version: 2.4.31-1ubuntu2.1) set up on our Ubuntu server. We just migrated over from an older server and are getting this message for a user:
> Our users can log in to webmail to send and receive mail, and other stuff like that, and they can download POP3 mail via a desktop client, but when they go to send out, or su to that user, we get messages like this:
> auth: pam_unix(dovecot:account): account has expired (account expired)
> Sep 3 19:05:03 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=XXXX rhost=::1 user=XXXX
> I changed the password with ldappasswd successfully, but still the error persists. Doing some research it seems that shadowLastChange is not getting updated.
> How can we resolve this?
[...] This issue is not OpenLDAP related, get acquainted with your pam environment.
-Dieter
On 13-09-03 10:34 PM, john espiro wrote:
> I changed the password with ldappasswd successfully, but still the error persists. Doing some research it seems that shadowLastChange is not getting updated.
> How can we resolve this?
There are two ways.
The first is that every application that might change a user's password could be set up to also update shadowLastChange. For example, nslcd(8) 0.8.0 and newer will try to update it, if you use libpam-ldapd and perform a PAM password change. In the case where you change the password with ldappasswd(1), you would have to update shadowLastChange separately using ldapmodify(1).
The second way, which I prefer, is to use an overlay such as smbk5pwd to maintain shadowLastChange. Even if you don't use Samba or Heimdal, you can configure smbk5pwd with just
olcSmbK5PwdEnable: shadow
to have it maintain shadowLastChange. Then your responsibility is to make sure that every application performs a proper password change using the exop and not directly writing to userPassword. (ldappasswd(1) and nslcd(8) both do the right thing, but most web applications I've encountered do not.)
Hope that helps.
openldap-technical@openldap.org