password expiry and ldap
Hi,
I use ldap as backend for heimdal. I have accounts in ldap with:
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: sambaSamAccount
created by smbldap-adduser, then loaded with Kerberos data using
kadmin -l load
So far it looks good: I can get tickets, and when I change the password with
kpasswd the sambaNTPassword gets updated too. The problem is with password
expiration: there is both krb5PasswordEnd and sambaPwdMustChange (set right
when I loaded the dump of the old database). However, when viewed in kadmin
the field "Password expires:" is set to never, and both ldap fields are
happily ignored (I can see in the logs that the attrs are fetched from ldap).
When I try to modify the password expiry, I get an error:
kadmin> mod --pw-expiration-time=2006-08-16 ax
kadmin: kadm5_modify_principal: Unknown error 36150281
I am not sure what this error means, but according to the logs, no write is
attempted to ldap and the last attributes accessed are creator/modifier name
and timestamp (which are afaict nonexistent, and not present in any schema
file I have).
Can anybody please give me a hint? Is password aging even supposed to work
in this config?
I have heimdal-0.7.2 and slapd 2.3.24 here.
Ax
--
Václav Hůla,
Unix server administrator
Přírodovědecká fakulta
Univerzita Karlova v Praze