
Updating ShadowLastChange with slurpd



I have an OpenLDAP server acting in the standard master / slave
configuration.

I have forced password expiration on first login by setting
ShadowLastChange to 0.

If a user logs in for the first time to any LDAP client machine or to the
master itself, they're prompted to change their password immediately and
the password gets updated immediately.

If they log into the slave and change their password, the updateref passes
it back to the master and updates the password, but logging into any LDAP
client or master server prompts them to change their newly changed
password.

My ACLs on the master and slave are as follows:

access to attribute=shadowLastChange
   by dn="cn=root,dc=sboss,dc=com"
   by self write
   by * read

access to attrs=userPassword
     by dn="cn=root,dc=sboss,dc=com"
     by self write
     by * auth

access to *
     by * read

And on the slave server we have the identical slapd.conf save for the
replog and replica entries and these:

updatedn        "cn=root,dc=sboss,dc=com"
updateref       ldap://ldap02.sboss.com:389

I'm sure this is a simple misconfiguration, but where?

Thank you,

--
Brian
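
A diagnostic for the symptom described in this post, as an added example that is not part of the original message: it compares shadowLastChange per entry in LDIF dumps (for instance `ldapsearch` output) taken from the master and from the slave. The sample entries, the `ou=People` container and the user names are constructed, and DNs are assumed to be plain text rather than base64.

```python
# Added example: compare shadowLastChange between master and replica LDIF dumps.
FORCED = 0  # per the post: shadowLastChange 0 forces a password change at login


def shadow_last_change(ldif_text):
    """Map each entry's DN (lower-cased) to its shadowLastChange, or None if absent."""
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines with a leading space
    values, dn = {}, None
    for line in unfolded.splitlines():
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value.lower()  # simplification: case-folding only, no DN normalization
            values[dn] = None
        elif name == "shadowlastchange" and dn is not None:
            values[dn] = int(value)
    return values


def compare(master_ldif, replica_ldif):
    """Return {dn: state} describing how the two servers' values relate."""
    master, replica = shadow_last_change(master_ldif), shadow_last_change(replica_ldif)
    report = {}
    for dn in sorted(set(master) | set(replica)):
        m, r = master.get(dn), replica.get(dn)
        if m == r:
            report[dn] = "forced change pending on both" if m == FORCED else "in sync"
        elif m == FORCED:
            report[dn] = "master still forces a change"
        elif r == FORCED:
            report[dn] = "replica still forces a change"
        else:
            report[dn] = "values differ"
    return report


# Constructed sample dumps (not taken from the post).
MASTER_LDIF = ("dn: uid=alice,ou=People,dc=sboss,dc=com\nshadowLastChange: 0\n\n"
               "dn: uid=bob,ou=People,dc=sboss,dc=com\nshadowLastChange: 12800\n\n"
               "dn: uid=carol,ou=People,dc=sboss,dc=com\nshadowLastChange: 0\n")
REPLICA_LDIF = ("dn: uid=alice,ou=People,dc=sboss,dc=com\nshadowLastChange: 0\n\n"
                "dn: uid=bob,ou=People,dc=sboss,dc=com\nshadowLastChange: 12800\n\n"
                "dn: uid=carol,ou=People,dc=sboss,\n dc=com\nshadowLastChange: 12800\n")

if __name__ == "__main__":
    for entry, state in compare(MASTER_LDIF, REPLICA_LDIF).items():
        print(f"{entry}: {state}")
```

An entry reported as pending on both servers after the user has changed the password means the userPassword write arrived but the shadowLastChange update did not.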