On Thu, 2017-01-05 at 15:09 -0800, Gordon Messmer wrote:
> After upgrading to CentOS 7.3, I found that shadowExpire attributes were
> not returned correctly. Searching for an account shows:
>
> dn: UID=gmessmer,ou=People,dc=...
> uid: gmessmer
> shadowexpire: 117170
>
> The same value is shown in the 389-ds console. The correct value,
> however, appears in our daily LDIF exports. After downgrading to
> 389-ds-base-1.3.4.0-33.el7_2.x86_64, the value appears correctly in
> searches again:
>
> dn: UID=gmessmer,ou=People,dc=...
> uid: gmessmer
> shadowexpire: 17248
>
The shadowexpire value now is handled differently on 1.3.5 if I recall.
Instead of being "set" by you to a value, it's now calculated and
derived from the ns password policy. As the account nears expiry, the
value decrements.
When you export the DB with the ldif, you are bypassing the calculation
code, and you get what's stored in the DB.
I hope that helps you see why the values are changing. Your best path
forward is to work on and resolve the password policy configuration of
your system.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
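
Added example, not part of the original message and not 389-ds code: a small check that compares the shadowExpire value a search returns with the value stored in an LDIF export, and shows both as dates (shadowExpire counts days since 1970-01-01). The function names and the sample DN are assumptions made for the illustration; the two numbers are the ones quoted in the thread.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)  # shadowExpire is a day count from this date

# Constructed sample: made-up DN; the values are the two quoted in the thread.
SEARCH_OUTPUT = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowexpire: 117170
"""
EXPORT_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowExpire: 17248
"""

def shadow_expire_by_dn(ldif_text):
    """Map lower-cased DN -> shadowExpire (int) for entries that carry one."""
    # Unfold LDIF continuation lines (a physical line starting with a space).
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    result, dn = {}, None
    for line in unfolded.split("\n"):
        if not line.strip():
            dn = None  # blank line ends the entry
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep or value.startswith(":"):
            continue  # comment, malformed line, or base64 value (not decoded here)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value.lower()  # simplification: real DN matching is per-attribute
        elif name == "shadowexpire" and dn is not None:
            result[dn] = int(value)
    return result

def days_to_date(days):
    """Convert a shadowExpire day count to a calendar date."""
    return EPOCH + timedelta(days=days)

def compare(search_text, export_text):
    """Return (dn, returned, stored) for entries whose two values differ."""
    returned = shadow_expire_by_dn(search_text)
    stored = shadow_expire_by_dn(export_text)
    return [(dn, returned[dn], stored[dn])
            for dn in sorted(returned.keys() & stored.keys())
            if returned[dn] != stored[dn]]

if __name__ == "__main__":
    for dn, ret, sto in compare(SEARCH_OUTPUT, EXPORT_LDIF):
        print(f"{dn}: search={ret} ({days_to_date(ret)}) export={sto} ({days_to_date(sto)})")
```
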