Hey All
I am troubleshooting openldap on a CentOS box and having an issue. When the users set their passwords using the passwd program shadowLastChange is not getting updated in ldap. Using openldap 2.3.43.12.el5. Here is a listing of my ACLs. Any ideas?
access to attrs=userPassword,shadowLastChange
    by dn.base="cn=Manager,dc=turbocorp,dc=com" write
    by anonymous auth
    by self write
    by * none
access to attrs=SambaLMPassword,SambaNTPassword
    by dn.base="cn=Manager,dc=turbocorp,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn.base="cn=Manager,dc=turbocorp,dc=com" write
    by self write
    by * read
John Allgood Senior Systems Administrator OHL Transportation Services 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878
jallgood@ohl.com www.ohl.com
______________________________________________________
This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.
Hey All
I am still not getting shadowLastChange to update. I am using the ldappasswd command to set the password and it does change the password, but the shadowLastChange is not being updated. Anyone got any feedback for me? I am beginning to wonder if there is a bug in this older version of openldap that CentOS is using.
From: openldap-technical-bounces+jallgood=ohl.com@OpenLDAP.org [mailto:openldap-technical-bounces+jallgood=ohl.com@OpenLDAP.org] On Behalf Of Allgood, John Sent: Wednesday, May 19, 2010 3:21 PM To: 'openldap-technical@openldap.org' Subject: shadowLastChange not updating
Hello, John.
I am still not getting shadowLastChange to update. I am using the ldappasswd command to set the password and it does change the password, but the shadowLastChange is not being updated. Anyone got any feedback for me? I am beginning to wonder if there is a bug in this older version of openldap that CentOS is using.
As mentioned in the manpage, ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation. This operation allows the server to automatically hash the supplied password.
If the password policy overlay is loaded and attached, it may update the pwdChangedTime attribute.
Under no circumstances should this have anything to do with shadowLastChange, which is part of the unrelated RFC 2307 schema.
Modern LDAP PAM-modules should be able to use the ppolicy mechanisms to enforce changes instead. Try checking out slapo-ppolicy?
Matthew Backes Symas Corporation mbackes@symas.com
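The practical consequence of Matthew's point is that the Password Modify exop changes userPassword and nothing else, so if the RFC 2307 shadowAccount attributes are still in use the client side has to write shadowLastChange itself with an ordinary modify. The following is an added example, not code from this thread, from Matthew, or from the OpenLDAP project: it computes the RFC 2307 value (days since the Unix epoch) and emits the LDIF for that modify. The user DN uid=jdoe,ou=People,dc=turbocorp,dc=com and the ldap://localhost URI in the usage comments are assumptions; the manager DN and base are taken from the ACLs posted above.

```shell
#!/bin/sh
# Added example (not part of the thread). slapd's Password Modify exop
# (RFC 3062, used by ldappasswd) only rewrites userPassword; it never
# touches shadowLastChange (RFC 2307). A client that still relies on
# the shadowAccount attributes must set shadowLastChange explicitly.
#
# Assumptions (not in the thread): user DN
# uid=jdoe,ou=People,dc=turbocorp,dc=com and server URI ldap://localhost.
# Manager DN cn=Manager,dc=turbocorp,dc=com is from the posted ACLs.

# shadowLastChange is an integer: days since 1970-01-01 (RFC 2307).
# $1 (optional): epoch seconds to convert; defaults to the current time.
shadow_days() {
    now=${1:-$(date +%s)}
    echo $(( now / 86400 ))
}

# Emit an LDIF modify that replaces shadowLastChange on one entry.
# $1: user DN, $2: days value from shadow_days.
shadow_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n-\n' "$1" "$2"
}

# Usage against a live server (the manager DN has write on both attributes):
#
#   # 1. change the password with the exop; slapd hashes it server-side
#   ldappasswd -x -H ldap://localhost \
#       -D "cn=Manager,dc=turbocorp,dc=com" -W -S \
#       "uid=jdoe,ou=People,dc=turbocorp,dc=com"
#
#   # 2. set shadowLastChange yourself; the exop will not do it
#   shadow_ldif "uid=jdoe,ou=People,dc=turbocorp,dc=com" "$(shadow_days)" \
#       | ldapmodify -x -H ldap://localhost \
#             -D "cn=Manager,dc=turbocorp,dc=com" -W
#
#   # 3. verify. pwdChangedTime (slapo-ppolicy) is operational, so it
#   #    must be requested by name; shadowLastChange is a normal attribute.
#   ldapsearch -x -H ldap://localhost -LLL \
#       -D "cn=Manager,dc=turbocorp,dc=com" -W \
#       -b "uid=jdoe,ou=People,dc=turbocorp,dc=com" \
#       shadowLastChange pwdChangedTime
```

If step 2 is skipped, step 3 shows the old shadowLastChange regardless of how many times step 1 is run, which is exactly the symptom reported above; with ppolicy loaded, pwdChangedTime moves and shadowLastChange still does not.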
With that being said, do I even need to maintain the shadow module in LDAP? I had ppolicy loaded but dropped it out trying to figure out how all this is supposed to work.
John Allgood Senior Systems Administrator OHL Transportation Services 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878
jallgood@ohl.com www.ohl.com
-----Original Message----- From: Matthew Backes [mailto:mbackes@symas.com] Sent: Friday, May 21, 2010 4:50 PM To: Allgood, John Cc: 'openldap-technical@openldap.org' Subject: Re: shadowLastChange not updating