[Pkg-openldap-devel] Bug#639903: slapd-smbk5pwd: do not update shadowLastChange
Simone Piccardi
piccardi at truelite.it
Wed Aug 31 13:54:05 UTC 2011
Package: slapd-smbk5pwd
Version: 2.4.23-7.2
Severity: normal

The goal of this overlay is to keep password data stored in an LDAP
tree synchronized between samba, unix and kerberos, but it fails to
keep the shadowLastChange attribute updated when a password is changed.

It does update sambaPwdLastSet, so it seems that keeping that
information is within its goal, but it does not touch shadowLastChange.
This means that when used with password aging, a unix password will
stay expired even if you have just changed it.

There is a patch, written by Mark A. Ziesemer, that allows making this
update. This could also solve the similar problem with libpam-ldapd (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619881)

The patch was proposed upstream, received some support from Michael
Ströder but then was refused by Howard Chu. Some history here:
http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html

The reason given is that you should use the nssov overlay, which is not
even packaged in Debian, and ppolicy. I'll try to bring the discussion
back to the openldap devel list, but in the meantime all people using
the classic shadowAccount objectclass have no working solution, and, if
they have to follow Chu's intentions, they are forced to do a massive
rework of their current tree contents.

I reformatted the patch against the overlay source in the current
squeeze package and I'm attaching it to this message. I tested it in
some small installations and it seems to work just fine.

I'll also try to provide an updated source package, but I'm not very
competent in this area.

-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd-smbk5pwd depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgcrypt1 1.4.5-2 LGPL Crypto library - runtime libr
ii libkadm5sr 1.4.0~git20100726.dfsg.1-1+b1 Libraries for Heimdal Kerberos
ii libkrb5-26 1.4.0~git20100726.dfsg.1-1+b1 Heimdal Kerberos - libraries
ii libldap-2. 2.4.23-7.2 OpenLDAP libraries
ii slapd 2.4.23-7.2 OpenLDAP server (slapd)
slapd-smbk5pwd recommends no packages.
slapd-smbk5pwd suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbk5pwd.patch
Type: text/x-diff
Size: 10818 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20110831/23052b50/attachment.patch>
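
Added example, not part of the original message or of the attached smbk5pwd patch: a check for the drift the report describes, where a password change updates sambaPwdLastSet but leaves shadowLastChange behind. It assumes the usual encodings (sambaPwdLastSet in seconds since the epoch, shadowLastChange and shadowMax in days); the LDIF sample, the DNs and the function names are constructed for illustration.

```python
SECONDS_PER_DAY = 86400

# Constructed sample export (not from the report); dc=example,dc=org is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
shadowLastChange: 15100
shadowMax: 90
sambaPwdLastSet: 1314748800

dn: uid=bob,ou=People,dc=example,dc=org
shadowLastChange: 15200
shadowMax: 90
sambaPwdLastSet: 1314748800

dn: uid=carol,ou=People,dc=example,dc=org
shadowLastChange: 15217
shadowMax: 90
sambaPwdLastSet: 1314750000
"""
TODAY = 15217  # 2011-08-31 expressed as days since 1970-01-01

def parse_ldif(text):
    """Parse plain LDIF (no folded lines, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def audit(entries, today):
    """Flag accounts whose shadowLastChange lags the Samba password change."""
    findings = []
    for e in entries:
        if "shadowlastchange" not in e or "sambapwdlastset" not in e:
            continue
        shadow_day = int(e["shadowlastchange"])
        samba_day = int(e["sambapwdlastset"]) // SECONDS_PER_DAY
        if samba_day <= shadow_day:
            continue  # both attributes agree on the day of the last change
        max_age = int(e.get("shadowmax", -1))
        expired = max_age >= 0 and today > shadow_day + max_age
        findings.append((e["dn"], "expired-despite-change" if expired else "stale"))
    return findings

if __name__ == "__main__":
    for dn, status in audit(parse_ldif(SAMPLE_LDIF), TODAY):
        print(status, dn)
```

Accounts reported as "expired-despite-change" are the ones that hit the symptom in the report: the password was changed, yet shadow aging still treats it as expired.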