shadowLastChange not updated

Hello Folks!

Backend is openldap-2.3.43-3.el5, OS is Centos5.4, Webmin 1.5.10, Virtualmin 3.78 GPL, Usermin 1.440.

Setup follows the guide provided in virtualmin forums.

When logging in to usermin and changing the password, shadowLastChange is not updated, although the password is changed. The result is the same if you try from the command line: virtualmin change-password or the similar /usr/libexec/webmin/virtual-server/change-password.pl

If the password is expired, usermin nicely asks the user to change the password, but this fully fails with a PAM error saying the password is wrong, and the logs say it could not bind with this password.

When using ssh, logged in as root or logged in as the user, you can change the password successfully, also updating the shadowLastChange attribute. The result is the same if you are logged in to webmin and change a user's password; then it also works as expected.

Both usermin and webmin are using PAM, and the configurations are the same:

    #%PAM-1.0
    auth include system-auth
    account include system-auth
    session include system-auth
    password include system-auth

The OpenLDAP ACLs are as follows:

    access to *
        by self write
        by users read
        by anonymous read
        by * none
    access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=my-domain,dc=com" write
        by self write
        by * read

Can someone help me to sort this out please.

Status: 
Active

Comments

Thanks for reporting this - I see the cause, and will include a fix in the 3.79 Virtualmin release.

Please let us know if you'd like to get a patch or pre-release version that includes the fix sooner.

Automatically closed -- issue fixed for 2 weeks with no activity.

Hello Folks!

Ok, I updated to latest package of virtualmin now.

One down, one to go! shadowLastChange now works as expected, the date gets updated when changing passwords, fine!

One problem remains: you still get the error when trying to log in to USERMIN after the password has expired, nor do you get warned when using shadowWarning = 5.

Error received after being prompted to change password (day after it has expired, no warnings are issued before either):

Failed to change password : PAM error : LDAP Password incorrect: try again

The logbook /var/log/messages says: xec/usermin/password_change.cgi: pam_ldap: error trying to bind as user "uid=nizze,dc=Users,dc=unix,o=Edu" (Invalid credentials)

Logging in to webmin/usermin and changing the password works. It works with virtualmin change-password. Logging in to the command line with an expired password asks for the password and you can change it.

So it seems like there still is a bug hanging around.

Thank you in advance!

Ok .. so is the issue just that usermin doesn't force you to change password when you login after it has expired?

There is a setting at Webmin -> Usermin Configuration -> Authentication called "Prompt users with expired passwords to enter a new one" that should help here.

Hello Jamie!

"Prompt users with expired passwords to enter a new one" is set and works: the user gets prompted for a new password when it has expired, on the last day; there is no warning in the grace period.

LDAP attribute: shadowWarning = 5 is not respected by usermin/webmin.

This issue is not so serious as the fact that it is impossible to change password when it has expired and you get prompted at login. When entering the old and new password, usermin thinks a moment and then bugs out with PAM error. Please see above information.

So in fact there are at least two more bugs: it is impossible to change the password at login when you get prompted, and shadowWarning = 5 is not respected.

Thank you in advance

Peter Steen
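
The warning-period check that the thread expects from shadowWarning, written out as an added example; it is not part of the thread and not Usermin's or Virtualmin's code. It applies the conventional shadow(5) aging rules to an LDAP shadowAccount entry. The shadowMax value, the uid and the dates in the sample entry are constructed assumptions; only shadowWarning = 5 comes from the thread.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow aging fields count days from this date


def days_since_epoch(day):
    return (day - EPOCH).days


def _field(entry, attr):
    """Integer value of a single-valued attribute; None if absent or negative (disabled)."""
    values = entry.get(attr)
    if not values:
        return None
    number = int(values[0])
    return None if number < 0 else number


def password_state(entry, today):
    """Return (state, days_left); state is ok, warn, expired or must_change."""
    last = _field(entry, "shadowLastChange")
    max_age = _field(entry, "shadowMax")
    warn = _field(entry, "shadowWarning")
    if last == 0:
        return ("must_change", None)  # 0 forces a change at next login
    if last is None or max_age is None:
        return ("ok", None)  # aging is not enforced for this entry
    days_left = last + max_age - days_since_epoch(today)
    if days_left < 0:
        return ("expired", days_left)
    if warn is not None and days_left < warn:
        return ("warn", days_left)
    return ("ok", days_left)


# Constructed sample entry (values are not from the thread, except shadowWarning = 5).
CHANGED = date(2010, 1, 1)
SAMPLE = {
    "uid": ["example"],
    "shadowLastChange": [str(days_since_epoch(CHANGED))],
    "shadowMax": ["90"],
    "shadowWarning": ["5"],
}

if __name__ == "__main__":
    for offset in (85, 86, 90, 91):
        today = date.fromordinal(CHANGED.toordinal() + offset)
        print(today, password_state(SAMPLE, today))
```

A stale shadowLastChange, the first bug in this thread, makes every result of this check wrong, because both the expiry day and the warning window are computed from it.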