
List:       pamldap
Subject:    Re:  [pamldap] Shadow account
From:       David Le Blanc <leblancd () cs ! caltech ! edu>
Date:       2002-10-23 17:52:05

On Wed, Oct 23, 2002 at 12:29:56PM -0400, Nalin Dahyabhai wrote:
>On Tue, Oct 22, 2002 at 07:58:33PM -0700, David Le Blanc wrote:
>> My problem is actually the reverse (with pam_ldap-150 and nss_ldap-198):
>> I can expire users' passwords, and they are forced to change their passwords
>> as expected. However, every login after that the user is forced to change the
>> password with the same message:
>> 	You are required to change your password immediately (password aged)
>> 	Warning: Your password has expired, please change it now
>> 	Enter login(LDAP) password:
>> 
>> As far as I can tell, my problem has to do with the shadowLastChange attribute
>> not being updated by pam_ldap...
>> ...and I've tried everything on the server end to try a fix!
>
>The pam_ldap module is probably attempting to update shadowLastChange
>using the user's credentials, and failing.  (If it succeeds, then that
>means that the user can modify her shadowLastChange value with any LDAP
>client to avoid needing to change her password at all.)

So, how must (with what cred's) the shadowLastChange be modified, if not with
the cred's of the owner of the LDAP entry?

...I guess my real question is: does shadow-functionality work for anyone at
all, and if so, how did you get it to work?

---Dave Le Blanc
Systems Administrator
Computer Science Department
California Institute of Technology
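
A model of the loop discussed in this thread, added here as an illustration; it is not code from pam_ldap or from either poster. It assumes the usual shadow aging rule (aged once shadowLastChange + shadowMax is before today, counted in days since 1970-01-01); the entry, the function names and the `self_write_allowed` switch are constructed for the example.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def epoch_days(d):
    """Shadow attributes count days since 1970-01-01."""
    return (d - EPOCH).days

def password_aged(entry, today):
    """Simplified shadow aging rule (assumption, not pam_ldap's code)."""
    last = int(entry["shadowLastChange"])
    max_age = int(entry.get("shadowMax", -1))
    if last == 0:              # conventional "change at next login"
        return True
    if max_age < 0:            # no maximum age set
        return False
    return epoch_days(today) > last + max_age

def change_password(entry, new_hash, today, self_write_allowed):
    """Model a password change done over a bind as the user.

    userPassword is assumed self-writable; shadowLastChange is only
    updated when the directory also lets the user write it.
    """
    updated = dict(entry, userPassword=new_hash)
    if self_write_allowed:
        updated["shadowLastChange"] = str(epoch_days(today))
    return updated

def last_change_in_future(entry, today):
    """Audit check: a future shadowLastChange hides aging indefinitely."""
    return int(entry["shadowLastChange"]) > epoch_days(today)

# Constructed sample entry: password last changed 183 days before 2002-10-23.
ENTRY = {"uid": "jdoe", "userPassword": "{CRYPT}old",
         "shadowLastChange": "11800", "shadowMax": "90"}

def simulate(self_write_allowed):
    """Return the aged flag at first login and at a login one week later."""
    first, later = date(2002, 10, 23), date(2002, 10, 30)
    before = password_aged(ENTRY, first)
    entry = change_password(ENTRY, "{CRYPT}new", first, self_write_allowed)
    return before, password_aged(entry, later)

if __name__ == "__main__":
    print("self write denied :", simulate(False))
    print("self write allowed:", simulate(True))
```

With the self write denied the entry stays aged after the password change, which is the repeated prompt reported above; with it allowed the prompt clears, and `last_change_in_future` is the audit an administrator would then run over entries, since the same write access lets a user set the attribute ahead of today.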