RE: rootpwmoddn/rootpwmodpw testing
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
RE: rootpwmoddn/rootpwmodpw testing
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: RE: rootpwmoddn/rootpwmodpw testing
- Date: Sat, 04 Dec 2010 11:27:03 +0100
On Fri, 2010-12-03 at 13:53 -0600, Kollar, Thaddeus J. wrote:
> On a related issue, when the password change occurs, shadowLastChange
> does not get updated so if a user's password is expired, the new one
> remains expired. I considered using pam_exec.so to run ldap_modify as
> a workaround but it's not safe. Any chance of adding that
> functionality to nslcd?
I was wondering about how that is usually implemented. The way this
should work is to probably do the modification after the LDAP EXOP
operation and log a warning if the shadowLastChange attribute change
fails for some reason (but not report this warning back to the PAM
module). The hard part is determening whether to actually attempt this
change (shadowLastChange should be present and perhaps already have some
reasonable value).
Another solution would be to implement it in the LDAP server but I don't
know if there is a solution available for that yet (like a database
trigger).
I still have to take a look at how PADL's pam_ldap does it.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users