lists.arthurdejong.org

RE: rootpwmoddn/rootpwmodpw testing


On Fri, 2010-12-03 at 13:53 -0600, Kollar, Thaddeus J. wrote:
> On a related issue, when the password change occurs, shadowLastChange
> does not get updated so if a user's password is expired, the new one
> remains expired. I considered using pam_exec.so to run ldap_modify as
> a workaround but it's not safe. Any chance of adding that
> functionality to nslcd?

I was wondering about how that is usually implemented. The way this
should work is to probably do the modification after the LDAP EXOP
operation and log a warning if the shadowLastChange attribute change
fails for some reason (but not report this warning back to the PAM
module). The hard part is determining whether to actually attempt this
change (shadowLastChange should be present and perhaps already have some
reasonable value).

Another solution would be to implement it in the LDAP server but I don't
know if there is a solution available for that yet (like a database
trigger).

I still have to take a look at how PADL's pam_ldap does it.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
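
The flow sketched in the reply above, as an added example (not nslcd's code and not part of the original message): update shadowLastChange only after the password EXOP succeeds, only when the attribute already holds a plausible value, and never let a failed update change the result the PAM module sees. The function names, the stub callbacks standing in for the LDAP calls, and the definition of "reasonable" are all assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Value to write after a successful password change (days since 1970-01-01),
   or -1 to leave the entry alone. current is NULL when the attribute is absent.
   Assumption: "reasonable" means a decimal day count, not negative, not future. */
long new_shadow_last_change(const char *current, time_t now)
{
    char *end;
    long old, today = (long)(now / 86400);
    if (current == NULL || *current == '\0')
        return -1;              /* entry does not use shadow ageing */
    errno = 0;
    old = strtol(current, &end, 10);
    if (errno != 0 || *end != '\0' || old < 0 || old > today)
        return -1;              /* unparsable or implausible: do not touch */
    return today;
}

/* Hypothetical stand-ins for the LDAP operations; 0 means success. */
typedef int (*exop_fn)(void);
typedef int (*modify_fn)(long days);

/* Returns only the EXOP result, which is what the PAM module would see. */
int change_password(exop_fn exop, modify_fn modify, const char *current, time_t now)
{
    long days;
    int rc = exop();
    if (rc != 0)
        return rc;              /* password unchanged: modify nothing else */
    days = new_shadow_last_change(current, now);
    if (days >= 0 && modify(days) != 0)
        fprintf(stderr, "warning: shadowLastChange update failed\n");
    return 0;
}

/* Constructed stubs for the demonstration. */
static int modify_calls;
static int exop_ok(void) { return 0; }
static int exop_denied(void) { return 50; }
static int modify_fails(long days) { (void)days; modify_calls++; return 1; }

int main(void)
{
    int rc = change_password(exop_ok, modify_fails, "14900", time(NULL));
    printf("PAM sees %d after %d failed modify attempt(s)\n", rc, modify_calls);
    return change_password(exop_denied, modify_fails, "14900", time(NULL)) == 50 ? 0 : 1;
}
```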