Re: shadowLastChange can't be read

[Howard Chu <hyc@symas.com>]

Maria McKinley wrote:
> Hi there,
>
> I can change the shadowLastChange attribute:
>
> maria@mimi:~/sysadmin/ldap$ ldapmodify -x -v -r -W -D
> "cn=admin,dc=example,dc=com" -f pass.expldap_initialize( <DEFAULT> )
> Enter LDAP Password:
> replace shadowLastChange:
>          15786
> modifying entry "uid=chris,ou=people,dc=example,dc=com"
> modify complete
>
> But, I can't see it:
>
> annette:~# ldapsearch -x "uid=chris" shadowLastChange
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: uid=chris
> # requesting: shadowLastChange
> #
>
> # chris, people, example.com <http://example.com>
> dn: uid=chris,ou=people,dc=example,dc=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Even though this is my permission:
>
> olcAccess: {0}to attrs=shadowLastChange by self write by anonymous auth by dn=
>   "cn=admin,dc=example,dc=com" write by * read
> olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=
>   admin,dc=example,dc=com" write by * none
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
>    read
>
> Have I done something wrong with my permissions? Is there something else that
> could be going on here?

Looks like it's behaving exactly as you specified. As admin you have write 
access. When you searched anonymously, you got no access. (You gave anonymous 
auth access, but a search is obviously not an auth request.)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/