
My password is always too old during authentication




Dear list,

  I'm writing because I have a small problem when authenticating on my machines.

I need to expire the password of my users after a defined period, so I added the following records to my users entries:

shadowWarning
shadowMax
shadowLastChange

Setting the record 'shadowLastChange' to 0, on my first access the software, as expected, requires me to change the password.
After changing the password, the record shadowLastChange is correctly updated, but on the second login I am prompted to change the password again, after which the SSH daemon drops the connection again.


I think this is because the NSS query is done anonymously and the record shadowLastChange (as configured ACL) is not returned.

These are my LDAP ACLs (Debian default ACLs):

to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=net" write
  by * none

to dn.base=""
  by * read

to * by self write
  by dn="cn=admin,dc=comm2000,dc=it" write
  by * read

If I remove shadowLastChange from the 1st ACL, all works fine.
If I bind nslcd to cn=admin,dc=example,dc=net (or another privileged user), all works fine.

So I'm asking you if this situation is regular for you, and whether I must give up and make shadowLastChange anonymously readable :)
Also, I can bind nslcd with a "reader only" account, but IMHO that seems a quick and dirty workaround too.

I'm so sorry for my spaghetti English :)
Hope you can reply soon.


Regards.

--
tAK"
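As an added example (not from the original post), the two configurations the poster weighs, side by side: the ACL that makes shadowLastChange world-readable, and the alternative that keeps it private and grants read only to a dedicated, unprivileged nslcd bind DN, with userPassword still limited to "auth" so that account can never read hashes. The cn=nslcd DN, the server URI and the password placeholder are assumptions.

```conf
# slapd.conf-style ACLs (assumed layout; the olcAccess form in cn=config is equivalent).
# ACLs are evaluated in order, first match wins: use one option, not both.

# Option A (the "give up" route): shadowLastChange readable by everyone.
# Every unauthenticated client can then read each account's last-change day.
#   access to attrs=shadowLastChange
#     by self write
#     by dn.exact="cn=admin,dc=example,dc=net" write
#     by * read

# Option B: userPassword stays auth-only; shadowLastChange is readable only by
# the nslcd service account (cn=nslcd is an assumed name), not by anonymous.
access to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=admin,dc=example,dc=net" write
  by * none

access to attrs=shadowLastChange
  by self write
  by dn.exact="cn=nslcd,dc=example,dc=net" read
  by dn.exact="cn=admin,dc=example,dc=net" write
  by * none

access to dn.base=""
  by * read

access to *
  by self write
  by dn.exact="cn=admin,dc=example,dc=net" write
  by * read

# /etc/nslcd.conf fragment for option B (uri and base are assumptions).
# nslcd binds with this DN for its NSS lookups, so the shadow query is no
# longer anonymous and shadowLastChange is returned to the resolver.
uri ldap://ldap.example.net/
base dc=example,dc=net
binddn cn=nslcd,dc=example,dc=net
bindpw REPLACE_WITH_NSLCD_PASSWORD
# keep this file readable only by root and the nslcd service user
```

Verify the effect before rolling out by running `ldapsearch` once anonymously and once bound as the nslcd DN against a test user and checking that shadowLastChange appears only in the second result and userPassword in neither.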