[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password expiration

The problem was resolved by adding the following per the nis schema. My statement below was incorrect. shadowLastChange was not updating, as "getent shadow username" showed me.

access to attrs=shadowLastChange,shadowMax
       by dn="cn=Manager,dc=domain,dc=com" write
       by self write
       by * read

Thank you for your response.

On 04/03/2012 12:43 PM, Jonathan Clarke wrote:
Hi Cris,

On 27/03/12 00:46, Collins, Cris L. wrote:
I am running OpenLDAP as packaged for CentOS 5 and having problems with
password expiration.
Users are being told every time they login that their password has expired
and to change their password. When ShadowMax is changed to 99999 their
passwords are not expiring. The preferable setting is 90 days.
ShadowLastChange is updating to the correct date when they input a new
password. Thank you for you time and input as to why this might be
shadow attributes are used by UNIX systems during authentication,
depending on your system configuration (PAM, pam_ldap, login.defs...)

However, the OpenLDAP server itself will not use these attributes to
prevent binds by LDAP, which is what I understand you expect. For this,
check out the ppolicy overlay.