
Password updates and shadowLastchanged

Hi! We are currently using openldap (with pam_ldap from padl) to
authenticate unix users, and have some problems getting password
expiry to work. The password expiration itself works (the pam_ldap
module checks the traditional unix shadow-values in the "session"
phase of the login), but when users change their passwords the accounting
information is not updated.  Am I correct in assuming that there is
currently no way for slapd to ensure that the "shadowLastChange"
attribute is updated when a user changes his password?

If so - would a patch to have slapd execute an external command with
the dn of the object updated as parameter upon a successful password
change be a viable solution? Would something like that have any chance
to be accepted into the openldap sources?

And if I am wrong and there is already a way to accomplish this, please
tell me :)

I could try to fix this on the client side, but then the users would
have to have write access to their shadowLastChange fields, or
plaintext passwords would be stored on all the client machines, and
the user could bypass it all by changing their passwords talking
directly with the ldap server.
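
Added example, not part of the original post and not pam_ldap or slapd code: a simplified Python model of the conventional shadow(5) aging check over the shadowAccount attributes, showing why an entry keeps evaluating as expired when a password change leaves shadowLastChange untouched. The function names, the `change_password` helper and the sample values are assumptions constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadowLastChange is stored as whole days since 1970-01-01."""
    return (d - EPOCH).days


def shadow_status(entry, today):
    """Classify an entry as 'ok', 'warn', 'must_change' or 'expired'.

    entry: dict of shadowAccount attributes as ints.
    Simplified model of the shadow(5) aging rules (assumption).
    """
    now = days_since_epoch(today)
    last = entry.get("shadowLastChange")
    max_days = entry.get("shadowMax", -1)
    warn = entry.get("shadowWarning", 0)
    if last is None or max_days is None or max_days < 0:
        return "ok"  # password aging is not configured for this entry
    if last == 0:
        return "must_change"  # 0 means a change is forced at next login
    expires_on = last + max_days
    if now > expires_on:
        return "expired"
    if warn > 0 and now >= expires_on - warn:
        return "warn"
    return "ok"


def change_password(entry, today, update_last_change):
    """Model a password change; the userPassword value itself is omitted.

    update_last_change=False models a server that rewrites only
    userPassword and leaves the accounting attribute alone.
    """
    updated = dict(entry)
    if update_last_change:
        updated["shadowLastChange"] = days_since_epoch(today)
    return updated


# Constructed sample entry: last change 2024-01-01, 90-day maximum age.
SAMPLE = {
    "shadowLastChange": days_since_epoch(date(2024, 1, 1)),
    "shadowMax": 90,
    "shadowWarning": 7,
}
```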