RSS feed

Re: My password is always too old during authentication

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: My password is always too old during authentication

On Tue, 2013-03-12 at 22:53 +0100, Alessio D'Ascanio wrote:
> So I'm asking you if this situation is regular for you, and I must
> give up and make shadowLastChange anonymously readable :)

The nslcd daemon must be able to read shadowLastChange if you want to
use password ageing in the PAM stack.

If this attribute is unset or empty (or cannot be read) by default a
value of -1 will be assumed. If the shadowMax attribute is also set it
will conclude that the password has expired.

> Also, I can bind nslcd with a "reader only" account, but IMHO thats
> seems a quick and dirty workaround too..

There are two ways you can set this up (with a recent nss-pam-ldapd):
- allow the user to write shadowLastChange (like in your set-up)
- allow the user that runs nslcd to write shadowLastChange

In the first case, nslcd should be able to at least read
shadowLastChange. This second case is a little more secure since a user
cannot arbitrarily set their own value for shadowLastChange to bypass
password ageing.

A quick alternative for your situation is to split the ACL for
userPassword and shadowLastChange in two ACLs.

For further details, it could be helpful to provide the version of
nss-pam-ldapd you are using and some output from nslcd -d during the
authentication phase. Also information on your PAM stack would be useful
(e.g. to determine whether pam_unix or pam_ldap is enforcing the
password expiry).


-- arthur - - --
To unsubscribe send an email to or see