Re: rootpwmoddn/rootpwmodpw testing

On Dec 4, 2010, at 5:28 AM, "Arthur de Jong" <> wrote:

> On Fri, 2010-12-03 at 13:53 -0600, Kollar, Thaddeus J. wrote:
>> On a related issue, when the password change occurs, shadowLastChange
>> does not get updated so if a user's password is expired, the new one
>> remains expired. I considered using pam_exec to run ldap_modify as
>> a workaround but it's not safe. Any chance of adding that
>> functionality to nslcd?
> I was wondering about how that is usually implemented. The way this
> should work is to probably do the modification after the LDAP EXOP
> operation and log a warning if the shadowLastChange attribute change
> fails for some reason (but not report this warning back to the PAM
> module). The hard part is determining whether to actually attempt this
> change (shadowLastChange should be present and perhaps already have some
> reasonable value).

This sounds reasonable to me. Also, I found that pam_exec has a seteuid option 
that I hadn't noticed before, so I'm more comfortable using it to run 
ldap_modify in a script as a workaround, e.g.:

password  required  pam_exec.so seteuid /usr/local/sbin/ldap_update_lastChange
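
As an added example, not code from the original post or from nss-pam-ldapd, here is a script of the kind that pam_exec line would invoke. The script path is the one given in the post; the LDAP URI, base DN, bind DN, credential file and the sample LDIF used for the offline checks are assumptions made for illustration. It follows the behaviour Arthur suggests for nslcd: only touch shadowLastChange when the entry already has one, log a warning on failure, and never report the failure back to the PAM stack.

```shell
#!/bin/sh
# /usr/local/sbin/ldap_update_lastChange  (path taken from the post)
#
# Added example for the pam_exec workaround discussed in this thread; it is
# not part of nss-pam-ldapd and not the poster's script.  pam_exec runs it
# after nslcd has changed the LDAP password, with PAM_USER in the environment,
# and it sets shadowLastChange to today's day number so the new password is
# not still treated as expired.  All paths end in exit status 0: a non-zero
# exit would make pam_exec fail the password stack even though the LDAP
# password was already changed.
#
# Assumed site settings (not from the post):
LDAP_URI="ldap://ldap.example.com"
LDAP_BASE="ou=People,dc=example,dc=com"
BIND_DN="cn=admin,dc=example,dc=com"
BIND_PW_FILE="/etc/ldap_update_lastChange.secret"  # root-only (0600); readable because seteuid runs us as root

# Constructed ldapsearch -LLL output, used only to exercise the parser offline.
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: shadowAccount
shadowLastChange: 14800
'

# shadowLastChange is whole days since 1970-01-01 UTC.  An optional
# epoch-seconds argument makes the computation checkable without a clock.
shadow_today() {
    now=${1:-$(date -u +%s)}
    echo $(( now / 86400 ))
}

# PAM_USER is interpolated into an LDAP filter, so refuse anything outside a
# conservative login-name alphabet instead of trying to escape it.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the first value of attribute $1 from LDIF on stdin (empty if absent).
# Long DNs may be line-wrapped or base64-encoded in LDIF; this keeps to the simple case.
ldif_attr() {
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# LDIF that replaces shadowLastChange on entry $1 with day number $2.
modify_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n' "$1" "$2"
}

main() {
    user="$1"
    if ! valid_username "$user"; then
        logger -t ldap_update_lastChange -p auth.warning "refusing to update shadowLastChange: bad PAM_USER"
        return 0
    fi
    search=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
                 -b "$LDAP_BASE" "(&(objectClass=shadowAccount)(uid=$user))" shadowLastChange 2>/dev/null)
    dn=$(printf '%s\n' "$search" | ldif_attr dn)
    current=$(printf '%s\n' "$search" | ldif_attr shadowLastChange)
    if [ -z "$dn" ] || [ -z "$current" ]; then
        # Only entries that already carry the attribute get updated.
        logger -t ldap_update_lastChange -p auth.info "no shadowLastChange on $user, nothing to do"
        return 0
    fi
    if ! modify_ldif "$dn" "$(shadow_today)" \
         | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" >/dev/null 2>&1; then
        # Warn in syslog, but do not turn this into a PAM failure.
        logger -t ldap_update_lastChange -p auth.warning "ldapmodify of shadowLastChange failed for $user"
    fi
    return 0
}

# pam_exec exports PAM_USER and PAM_TYPE; only act when called from the password stack.
if [ "${PAM_TYPE:-}" = "password" ] && [ -n "${PAM_USER:-}" ]; then
    main "$PAM_USER"
fi
```

Two points about wiring this into the stack. First, without `seteuid`, pam_exec runs the command with the real user ID of the calling process, i.e. the user changing the password, so the script could only use credentials that user can read; with `seteuid` it runs with the effective UID, which for a setuid-root passwd is root, so the bind credential file can stay root-only. Second, the line must come after the nslcd/pam_ldap line in the password stack, and a `required` module that fails does not stop the stack, so if the LDAP password change fails the script will still run unless the LDAP line is `requisite`; the attribute check above limits the damage to resetting shadowLastChange on an unchanged password.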


