Reset shadowExpire on password change

Hi all,

I have an OpenLDAP 2.2.26 server running on Ubuntu 6.06.1 with various
Linux and Unix clients conencting with pam_ldap (e.g. version 180 on my
test box). Accounts in LDAP have shadowExpire and other shadow*
attributes set - it works quite good and pam_ldap refuses login when
shadowExpire date passed as expected. Users can change passwords with
"passwd" but I haven't found a way to reset shadowExpire at the same
time as well.

Can I have some form of "trigger" to run on "userPassword" change? Or
can pam_ldap itself do it? In the worst case I can run a cronjob every
few hours and update shadowExpire from shadowLastChange but that looks
like a pretty suboptimal approach - having an event-triggered update
would be much better.

Thanks for any input!

Michal Ludvig

Michal Ludvig wrote:

Solved. Big thanks goes to Howard Chu who pointed out that shadowExpire
is not supposed to be updated. It's shadowLastChanged + shadowMax that
specifies the password expiration date. shadowLastChange is is updated
automatically (by pam_ldap?) on password change and shadowMax is a
constant so there is nothing else to do on my side. It just works once
shadowMax is set appropriately. That's just for the record, sorry for
the noise.

Michal

  *  *The shadowExpire is not usually a dynamic field (ldap or
traditional unix flat files), but is rather intended to specify an
absolute end date for a given user.
If you're trying to impose a password life (ie 180 days or something)
the shadowMin, shadowMax and shadowWarn fields may be a better approach.
As implied by their names, the shadowMax field specifies the maximum age
(in days) for a password to live, the shadowMin specifies the minimum
age before a user would be allowed to change their password, and the
shadowWarn specifies how many days in advance of a password expiring the
user will be warned. All these use shadowLastChanged as the base, so its
pretty much a set it and forget it thing.
    If you need the shadowExpire field, I'll defer to others as to a
'best aproach'.
Chris

Michal Ludvig wrote:


--
-----------------------------------
Chris Stephens
Unix Systems Administrator
-----------------------------------
Phone: 665-3280
Pager: 104-2526
Email: chriss@...
-----------------------------------

Michal Ludvig [michal@...] wrote:
Just don't use distribution-provided "passwd" program. Write your
own. Or use something like "smbpasswd" with minor local adjustments.


--
Michal Kurowski
perl -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;
y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'

Christopher J. Stephens wrote:
Thanks!

I already got this explanation but apparently my mail hasn't made it
through to the list yet.

This definitely solves my problem - I wasn't aware that shadowMax is for
this purpose as it wasn't set in the LDAP record so I didn't even know
there exists such a field :-(

Oh well, maybe I should read more documentation next time.

Michal