[Date Prev][Date Next]
Re: Updating ShadowLastChange with slurpd
This should *not* be "by self write". The system should update the
shadowLastChange attribute automatically (at least, I just confirmed
that this happens on RedHat ES3/Openldap 2.1.23); the user should at the
most only be able to read it.
I agree with you that this is subject to abuse if the user knows about it.
However I can confirm that under RH ES 2.1/OpenLDAP 2.0.27-2.7.3 that if
this is not set this way, the user is unable to update the attribute when
they change their passwords themselves. The object is never updated and
they're perpetually prompted to change their passwords. Or at least,
that's what I've observed.
Interesting. I'd deinstalled the 2.0.27 server/clients, kept the 2.0.27
ldap libs for the dependencies, and installed 2.1.23 to /usr/local from
source. What I saw I and did to the shadow attribute I did with GQ.
Changed shadowLastChange from some 5-figure value to 0, user
force-changed password, shadowLastChange was changed to 12376
(yesterday). That ACL is read-only on this machine. I did it again, and
the 0 was changed to 12377. Checked this with another user, also 12377
after the change.
But I can't see what LDAP has to do with it. It's purely the receptacle.
ldd on different binaries doesn't give much of a clue, either.
If my mail server refuses your
mail resend to:
billy at billy.demon.nl