You are required to change your password immediately (password aged)
Enter login(LDAP) password:
(This article is also available in Hungarian.)
Piece of cake! Let's change the password. That can be done; we dealt with it last time. But when logging on next time, the same message appears. Lovely.
First we reproduce the error. As you might remember, some time ago we created the user called jdoe. So we have John Doe, but he has no shadow account. On second thought, he has one, as the following command will clearly show the shadowAccount object class on jdoe:
ldapsearch -D cn=admin,dc=itthon,dc=cucc -b dc=itthon,dc=cucc -w secret -LLL 'uid=jdoe'
We did not set up any shadow attribute yet, though. (By the way, we do not use the -H ldapi:/// switch because we put the URI in the file /etc/ldap/ldap.conf.)
Let's create a file called jdoe_shadow_on.ldif:
dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
changetype: modify
add: shadowLastChange
shadowLastChange: 15461
-
add: shadowMax
shadowMax: 45
If the attribute shadowLastChange already exists (because John has already changed his password), modify the file accordingly. When ready, issue the command:
ldapmodify -D cn=admin,dc=itthon,dc=cucc -w secret -f jdoe_shadow_on.ldif
If you did not get the error message before, from now on you will. The reason is that the value of shadowMax cannot be read by the client.
Want to be absolutely sure? Create the file jdoe_shadow_off.ldif:
dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
changetype: modify
delete: shadowLastChange
-
delete: shadowMax
Make it happen:
ldapmodify -D cn=admin,dc=itthon,dc=cucc -w secret -f jdoe_shadow_off.ldif
And there you have it: John is able to log on again without the error message.
Let's get back to the state where the error message appears and prepare our newest ACL file (let us call it acl.ldif):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
When ready, issue the command:
sudo ldapmodify -Y EXTERNAL -f acl.ldif
And John can log on smoothly, no "password aged".
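To see why clause {1} matters, here is an added example (not part of the original post and not OpenLDAP's own code): a small Python evaluator of the first-match semantics of olcAccess, run over the acl.ldif above and over a constructed "before" ACL in which the shadow attributes share the userPassword clause. The constructed ACL, the anonymous bind standing in for the NSS client, and the helper names are assumptions; only the `*`, `anonymous`, `self` and `dn=` who-clauses used on this page are supported.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # OpenLDAP order, simplified

def parse_acl(ldif_text):  # olcAccess lines (as in acl.ldif) -> [(attrs, dn_base, [(who, level)])]
    rules = []
    for line in ldif_text.strip().splitlines():
        if not line.startswith("olcAccess:"):
            continue  # skip dn:/changetype:/replace: lines
        target, _, rest = re.sub(r"^olcAccess:\s*\{\d+\}", "", line).partition(" by ")
        m_attrs = re.search(r"attrs=(\S+)", target)
        m_dn = re.search(r'dn\.base="([^"]*)"', target)
        attrs = {a.lower() for a in m_attrs.group(1).split(",")} if m_attrs else None
        bys = [tuple(part.rsplit(None, 1)) for part in rest.split(" by ")]
        rules.append((attrs, m_dn.group(1) if m_dn else None, bys))
    return rules

def who_matches(who, bind_dn, entry_dn):  # bind_dn is None for an anonymous bind
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    return {"*": True, "anonymous": bind_dn is None,
            "self": bind_dn is not None and bind_dn.lower() == entry_dn.lower()}[who]

def access_level(rules, bind_dn, entry_dn, attr):
    """First matching <what> clause wins; inside it the first matching <who> wins."""
    for attrs, dn_base, bys in rules:
        if (attrs is not None and attr.lower() not in attrs) or \
           (dn_base is not None and entry_dn.lower() != dn_base.lower()):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # clause matched but no <who> did: denied
    return "none"  # no clause matched: denied

def can_read(rules, bind_dn, entry_dn, attr):
    return LEVELS.index(access_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index("read")

JDOE, ADMIN = "uid=jdoe,ou=People,dc=itthon,dc=cucc", "cn=admin,dc=itthon,dc=cucc"
ACL_FIXED = """olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read"""
# Constructed "before" ACL: shadow attrs share the userPassword clause, so anonymous gets only auth on them.
ACL_BROKEN = """olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowMax by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read"""

def shadow_visible(acl_text, bind_dn=None):  # which of jdoe's shadow attrs this bind can read
    return {a: can_read(parse_acl(acl_text), bind_dn, JDOE, a) for a in ("shadowLastChange", "shadowMax")}
```

Under ACL_BROKEN an anonymous lookup sees neither shadow attribute while jdoe himself still can, which is exactly the asymmetry that makes the "password aged" message appear only through the client's NSS path.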
For investigating the problem, the command getent shadow might come in handy. Try it while changing ACLs. The ACL actually in effect can be observed with the command:
sudo ldapsearch -Y EXTERNAL -b olcDatabase={1}hdb,cn=config