09-27-2010, 07:11 PM
Jason Brown

shadowLastChange NOT updating (was: ldappasswd and shadowLastChange attribute)

I am not sure if there is a huge difference between RHDS and 389, but
I also had this same issue. I believe it had to do with the ACIs
preventing the update to that attribute. Once you allow write access
to shadowLastChange it was able to update it.


On Sep 27, 2010, at 3:02 PM, James Smallacombe wrote:

>
> Sorry for replying to myself, but I wanted to add more that I've tried
> since my last post:
>
> from the DirSrv X Console: in Configuration -> Indexes I added the
> "shadowLastChange" attribute to userRoot, then NetscapeRoot, still
> with no
> luck. I then put the following in my /etc/ldap.conf
>
> nss_map_objectclass shadowAccount User
> pam_password exop
>
> Still no luck. To clarify, the shadowLastChange DOES get properly
> updated
> when you reset a user's password in Webmin's "Users and Groups"
> module,
> but NOT when you use /usr/lib64/mozldap/ldappasswd OR in the
> Squirrelmail
> "Change LDAP Password" plugin. Again, any of these will change the
> password no problem, but not that attribute....any pointers would be
> appreciated. Here is a sample user:
>
> version: 1
> dn: uid=test123,ou=People, dc=some, dc=domain
> objectClass: posixAccount
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: shadowAccount
> uid: test123
> cn:test123
> uidNumber: 999
> gidNumber: 999
> homeDirectory: /home/test123
> loginShell: /bin/false
> sn: test123
> mail: test123@some.domain
> shadowLastChange: 13678
> shadowMin: 1
> shadowMax: 99999
> shadowWarning: 14
>
> On Mon, 27 Sep 2010, James Smallacombe wrote:
>
>>
>> I finally figured out a working shell script to make LDAP user
>> password
>> changes using mozldap/ldappasswd. Unfortunately, I just discovered
>> that
>> changing the password using this does not update the
>> "shadowLastChange"
>> attribute, so users with expired passwords are still not able to
>> log in,
>> even after an admin has reset their password in this manner.
>>
>> Since we are migrating from traditional shadow passwords to LDAP, the
>> attribute we need to get updated by this is "shadowLastChange"
>>
>> I attempted to work around this in /etc/ldap.conf by adding this:
>>
>> nss_map_attribute shadowLastChange pwdLastSet
>>
>> But to no avail. In addition, the "change ldap password" plugin
>> also does
>> not update this, although webmin users and groups module does.
>>
>> What am I missing? Thanks in Advance!
>>
>> James Smallacombe PlantageNet, Inc. CEO and Janitor
>> up@3.am http://3.am
>> =====================================================================
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
> ======================================================================

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
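The expiry arithmetic behind the symptom James describes, as an added example that is not code from the thread or from 389: it reads a shadowAccount entry in the same LDIF shape as the sample user, applies the shadow(5) day-count rules, and produces the ldapmodify input that stamps shadowLastChange after a reset. The sample entry is constructed from the thread's test123 user with shadowMax lowered from 99999 to 90 so the expiry case is exercised; day number 14879 is 2010-09-27.

```python
# Added example, not code from the thread; shadow(5) rules applied to a shadowAccount.
from datetime import date, datetime, timezone

def days_since_epoch(when=None):
    """shadowLastChange counts days since 1970-01-01 (UTC), as in /etc/shadow."""
    when = when or datetime.now(timezone.utc).date()
    return (when - date(1970, 1, 1)).days

def parse_ldif_entry(text):
    """Tiny LDIF reader for one entry: 'attr: value' lines -> dict of lists."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr != "version":
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def password_status(entry, today):
    """Classify the account the way pam_unix evaluates shadowLastChange/Max/Warning."""
    last = int(entry["shadowLastChange"][0])
    max_days = int(entry.get("shadowMax", ["99999"])[0])
    warn = int(entry.get("shadowWarning", ["0"])[0])
    if last == 0:
        return "must-change"   # 0 forces a change at next login
    if today > last + max_days:
        return "expired"       # where the thread's reset users remain stuck
    if today >= last + max_days - warn:
        return "warning"
    return "ok"

def shadow_update_ldif(dn, today):
    """ldapmodify input for the write that ldappasswd leaves out."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: shadowLastChange\nshadowLastChange: {today}\n-\n")

# Constructed sample: the thread's test123 user with shadowMax lowered
# from 99999 to 90 so that the expiry path is actually exercised.
SAMPLE = """dn: uid=test123,ou=People,dc=some,dc=domain
objectClass: shadowAccount
shadowLastChange: 13678
shadowMax: 90
shadowWarning: 14
"""

def walk_through(today=14879):   # 14879 == 2010-09-27, the thread's date
    """Status before and after the stamp, plus the LDIF that applies it."""
    entry = parse_ldif_entry(SAMPLE)
    before = password_status(entry, today)
    entry["shadowLastChange"] = [str(today)]
    return before, password_status(entry, today), shadow_update_ldif(entry["dn"][0], today)
```

Feeding the returned LDIF to ldapmodify (bound as an identity permitted to write the attribute) is the step a reset via ldappasswd alone skips.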
 
09-28-2010, 02:03 PM
Jason Brown

shadowLastChange NOT updating (was: ldappasswd and shadowLastChange attribute)

The ACI where it is set is in the top of the tree, not in People.
This will also prevent Domain Managers from having the ability to write
to this as well.


On Sep 27, 2010, at 6:52 PM, James Smallacombe wrote:

>
> Thanks for your reply, Jason. I am a bit of a noob here, but I went
> to
> the DirServ console and:
>
> (Example) -> People did a right-click on it, then -> Set Access
> Permissions and saw the 6 default ACIs. I edited "Allow self entry
> modifications" and checked "shadowLastChange". Since this was only
> for
> "Self" and these mods are done either by root in the shell, or the
> apache
> user in the web plugin, I didn't really expect it to help. So, I
> create a
> custom ACI:
>
> Selected ALL users, then unchecked all targets, then re-checked
> "shadowLastChange" and a few others.
>
> Still no luck. Although I'm not up on ACIs, in all cases I am
> binding to
> the server as the Directory Manager, so doesn't that mean the ACI
> shouldn't matter?
>
> Thanks again,
>
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
> ======================================================================

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users