My apologies,
I just saw the thread "[389-users] AD <-> LDAP password expiration sync"
Is this correct, there is no current way to sync the shadowLastChange
value?
Correct.
On Fri, Jan 25, 2013 at 12:04 AM, vladimir Safoo
<wudadin2003(a)gmail.com <mailto:wudadin2003@gmail.com>> wrote:
Greetings all,
I need help from the experts, so I thank you ahead of time for any
help that you are able to assist me with.
Problem - Password set to expire in 90 days. Linux users password
expiration is not sync'ing with Windows users password expiration.
So I am getting people that are getting locked out of the
environment do to their passwords expiring.
I have AD 2008 r2 bidirectionally sync'ing with one 389ds master
server. Everything so far has been working fine. I have set up a
password policy on the AD server and have mirrored the same policy
on the 389ds servers. Passwords are set to expire in 90 days. I
have multimaster replication set up on 8 servers and have other
read-only consumers.
Resetting a password on a Windows desktop or linux server does not
modify the shadowLastChange value on the Linux 389ds servers. It
does, however, update the passwordexpirationtime on the linux
389ds servers. But the linux servers don't know what the
passwordexpirationtime is so they seem to ignore it. Though the
passwordexpirationtime value is correct and does reflect the
password to expire in 90 days from the initial password setup or
change.
Now since users accounts are created normally before a users
starts their new job, the passwords get out of sync do to linux
users resetting their initial password on the linux servers once
they login for the first time. Our internal chat server
authenticates via the AD server, so they are not always notified
when their Windows password has expired on the AD side.
How can I get AD to update the Linux side value for the
shadowLastChange attribute?
I can pull the passwordexpirationtime value, if there is no
"normal" solution for this, I could write a perl script to check
for this time and update the shadowLastChange value I guess. But I
need to know if I am just setting this up wrong and what is the
solution or if it is not possible. Please let me know if more
information is needed.
# cat /etc/issue
CentOS release 6.2 (Final)
# rpm -qa 389*
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
# slaps uid=tuser
dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
ntUserLastLogon: 130035596619212394
userPassword::
e1NTSEF9cTlTNmxTc01uRVFHMjU4WVhIUVhLQWRPNU5ndVZMUDZZV3ZYSGc9PQ=
=
shadowLastChange: 15729
mail: tuser(a)company.net <mailto:tuser@company.net>
loginShell: /bin/bash
uidNumber: 20288
gidNumber: 61000
homeDirectory: /home/tuser
ntUserLastLogoff: 0
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
objectClass: posixAccount
objectClass: shadowAccount
ntUserDeleteAccount: true
uid: tuser
sn: user
givenName: test
cn: test user
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: tuser
ntUniqueId: d19af18ff098044db4afb2e59f0ea25b
# slaps uid=tuser passwordexpirationtime
dn: uid=tuser,ou=testOU,ou=Groups,dc=company,dc=net
passwordexpirationtime: 20130425035421Z
Thank you,
389ds admin
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users