Hello, all. I'm seeing a strange problem in our set up to synchronize passwords between Directory Server 8.0 and Active Directory. If I change a user's password from idm-console, the password synchronizes. If I change it from Active Directory, the password synchronizes.
However, if the user changes their own password (they use Ubuntu 8.0.4 KDE desktops), the passwords do not synchronize. We do see an entry in the error log:
Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
That seemed straightforward so I checked the ACIs and we do allow users to change this attribute:
(targetattr != "nsroledn||aci") (version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (read,compare,search,write) (userdn = "ldap:///self") ;)
Any idea why we are receiving these errors? Would this cause password synchronization to fail? Thanks - John
John A. Sullivan III wrote:
Hello, all. I'm seeing a strange problem in our set up to synchronize passwords between Directory Server 8.0 and Active Directory. If I change a user's password from idm-console, the password synchronizes. If I change it from Active Directory, the password synchronizes.
However, if the user changes their own password (they use Ubuntu 8.0.4 KDE desktops), the passwords do not synchronize. We do see an entry in the error log:
Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
Do your account objects have the shadowAccount objectClass?
That seemed straightforward so I checked the ACIs and we do allow users to change this attribute:
(targetattr != "nsroledn||aci") (version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (read,compare,search,write) (userdn = "ldap:///self") ;)
Any idea why we are receiving these errors? Would this cause password synchronization to fail? Thanks - John
On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
John A. Sullivan III wrote:
Hello, all. I'm seeing a strange problem in our set up to synchronize passwords between Directory Server 8.0 and Active Directory. If I change a user's password from idm-console, the password synchronizes. If I change it from Active Directory, the password synchronizes.
However, if the user changes their own password (they use Ubuntu 8.0.4 KDE desktops), the passwords do not synchronize. We do see an entry in the error log:
Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
Do your account objects have the shadowAccount objectClass?
Argh!! Embarrassment, embarrassment. I had checked several and they did . . . except for the one I was testing with! Would that torpedo Windows synchronization? Thanks - John
That seemed straightforward so I checked the ACIs and we do allow users to change this attribute:
(targetattr != "nsroledn||aci") (version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (read,compare,search,write) (userdn = "ldap:///self") ;)
Any idea why we are receiving these errors? Would this cause password synchronization to fail? Thanks - John
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
John A. Sullivan III wrote:
On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
John A. Sullivan III wrote:
Hello, all. I'm seeing a strange problem in our set up to synchronize passwords between Directory Server 8.0 and Active Directory. If I change a user's password from idm-console, the password synchronizes. If I change it from Active Directory, the password synchronizes.
However, if the user changes their own password (they use Ubuntu 8.0.4 KDE desktops), the passwords do not synchronize. We do see an entry in the error log:
Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
Do your account objects have the shadowAccount objectClass?
Argh!! Embarrassment, embarrassment. I had checked several and they did . . . except for the one I was testing with! Would that torpedo Windows synchronization? Thanks - John
I think it would just torpedo these password changes being accepted by FDS. If you don't need or use the shadow attributes, then you might look into seeing if your Ubuntu workstations can be configured to not try modifying them as part of password changes... and perhaps also ditching the shadowAccount objectClass altogether on your accounts. My hunch is if you accept password changes from both Windows and Ubuntu, you're not really using shadow attributes (not intentionally, at least).
That seemed straightforward so I checked the ACIs and we do allow users to change this attribute:
(targetattr != "nsroledn||aci") (version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (read,compare,search,write) (userdn = "ldap:///self") ;)
Any idea why we are receiving these errors? Would this cause password synchronization to fail? Thanks - John
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org
-
George Holbert -
John A. Sullivan III