[Pkg-openldap-devel] Bug#639903: slapd-smbk5pwd: do not update shadowLastChange

Simone Piccardi piccardi at truelite.it
Wed Aug 31 13:54:05 UTC 2011


Package: slapd-smbk5pwd
Version: 2.4.23-7.2
Severity: normal


The goal of this overlay is to keep password data stored in an LDAP
tree synchronized between Samba, Unix and Kerberos, but it fails to
keep the shadowLastChange attribute updated when a password is changed.

It does update sambaPwdLastSet, so it seems that keeping that
information is within its goal, but it does not touch shadowLastChange.
This means that when used with password aging, a Unix password will
stay expired even if you have just changed it.

There is a patch, written by Mark A. Ziesemer, that allows this update
to be made. This could also solve the similar problem with libpam-ldapd
(see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619881).

The patch was proposed upstream, received some support from Michael
Ströder but was then refused by Howard Chu. Some history here:

http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html

The reason given is that you should use the nssov overlay, which is not
even packaged in Debian, and ppolicy. I'll try to bring the discussion
back to the openldap devel list, but in the meantime all people using
the classic shadowAccount objectclass have no working solution, and, if
they have to follow Chu's intentions, they are forced to do a massive
rework of their current tree contents.

I reformatted the patch against the overlay source in the current
squeeze package and I'm attaching it to this message. I tested it in
some small installations and it seems to work just fine.

I'll also try to provide an updated source package, but I'm not very
competent in this area.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd-smbk5pwd depends on:
ii  libc6      2.11.2-10                     Embedded GNU C Library: Shared lib
ii  libgcrypt1 1.4.5-2                       LGPL Crypto library - runtime libr
ii  libkadm5sr 1.4.0~git20100726.dfsg.1-1+b1 Libraries for Heimdal Kerberos
ii  libkrb5-26 1.4.0~git20100726.dfsg.1-1+b1 Heimdal Kerberos - libraries
ii  libldap-2. 2.4.23-7.2                    OpenLDAP libraries
ii  slapd      2.4.23-7.2                    OpenLDAP server (slapd)

slapd-smbk5pwd recommends no packages.

slapd-smbk5pwd suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbk5pwd.patch
Type: text/x-diff
Size: 10818 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20110831/23052b50/attachment.patch>
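
An audit for the drift this report describes, as an added example that is not part of the original message or the attached patch: it reads ldapsearch-style LDIF and lists accounts whose shadowLastChange lags behind sambaPwdLastSet, noting whether password aging would still treat them as expired. It assumes plain (non-base64) values, sambaPwdLastSet in seconds and shadowLastChange in days since the Unix epoch, and a simplified aging rule based on shadowMax only; the sample entries and function names are constructed.

```python
import time

SECONDS_PER_DAY = 86400

# Constructed sample entries; attribute names spelled as in the schema.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
shadowLastChange: 15000
shadowMax: 90
sambaPwdLastSet: 1314792000

dn: uid=bob,ou=people,dc=example,dc=org
shadowLastChange: 15217
shadowMax: 90
sambaPwdLastSet: 1314792000
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry (single-valued attributes only)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry[name] = value
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries, today):
    """Return (dn, drift_days, expired) for entries whose shadowLastChange is older
    than the day recorded in sambaPwdLastSet. 'today' is days since the epoch."""
    findings = []
    for e in entries:
        if "shadowLastChange" not in e or "sambaPwdLastSet" not in e:
            continue
        shadow_day = int(e["shadowLastChange"])
        samba_day = int(e["sambaPwdLastSet"]) // SECONDS_PER_DAY
        max_age = int(e.get("shadowMax", -1))  # missing or negative: no aging
        expired = max_age >= 0 and today - shadow_day > max_age
        if samba_day > shadow_day:
            findings.append((e["dn"], samba_day - shadow_day, expired))
    return findings

if __name__ == "__main__":
    for dn, drift, expired in audit(parse_ldif(SAMPLE_LDIF), int(time.time()) // SECONDS_PER_DAY):
        print(f"{dn}: shadowLastChange is {drift} days behind, expired={expired}")
```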

