Re: rootpwmoddn/rootpwmodpw testing
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: rootpwmoddn/rootpwmodpw testing
- From: "Kollar, Thaddeus J. (GRC-V000)[DB Consulting Group, Inc.]" <thaddeus.j.kollar [at] nasa.gov>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: rootpwmoddn/rootpwmodpw testing
- Date: Mon, 6 Dec 2010 09:27:44 -0600
On Dec 4, 2010, at 5:28 AM, "Arthur de Jong" <arthur@arthurdejong.org> wrote:
> On Fri, 2010-12-03 at 13:53 -0600, Kollar, Thaddeus J. wrote:
>> On a related issue, when the password change occurs, shadowLastChange
>> does not get updated so if a user's password is expired, the new one
>> remains expired. I considered using pam_exec.so to run ldap_modify as
>> a workaround but it's not safe. Any chance of adding that
>> functionality to nslcd?
>
> I was wondering about how that is usually implemented. The way this
> should work is to probably do the modification after the LDAP EXOP
> operation and log a warning if the shadowLastChange attribute change
> fails for some reason (but not report this warning back to the PAM
> module). The hard part is determening whether to actually attempt this
> change (shadowLastChange should be present and perhaps already have some
> reasonable value).
This sounds reasonable to me. Also, I found that pam_exec has a seteuid option
that I hadn't noticed before, so I'm more comfortable using it to run
ldap_modify in a script as a workaround, e.g.:
password required pam_exec.so seteuid /usr/local/sbin/ldap_update_lastChange
>
Tad
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users