[CentOS] LDAP and expired passwords

Steve Thompson smt at vgersoft.com
Fri Oct 31 20:32:10 UTC 2008

CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and 

If a user with an expired password (shadowLastChange + shadowMax < current 
day) logs in to a system where ldap.conf points first to a consumer-only 
LDAP server, the password change operation (exop) proceeds and fails with:

 	LDAP password information update failed: Referral

If I comment out "ssl start_tls", the referral to the master is followed 
and the password change operation succeeds. I've found references to 
problems with earlier releases of pam_ldap when referrals were not 
properly followed when using TLS, and these are supposed to be fixed; 
apparently not in my case. Can anyone hit me with the clue stick?

Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,300 miles per second: it's not just a good idea, it's the law"
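
The expiry condition quoted in the post (shadowLastChange + shadowMax < current day, counted in days since 1970-01-01) can be checked offline against an LDIF export to list the accounts that will be forced into the password change exop at login. This is an added example, not part of the original post; the sample LDIF and the function names are constructed, and treating entries that lack either attribute as non-expiring is an assumption.

```python
from datetime import date

# Constructed sample LDIF (not from the post); carol's dn uses a folded line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 14000
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 14150
shadowMax: 90

dn: uid=carol,ou=People,
 dc=example,dc=com
uid: carol
shadowLastChange: 13000
"""

def parse_ldif(text):
    """Return a list of {attr: value} dicts, unfolding continuation lines."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:     # folded line: extend previous value
            current[last] += line[1:]
        elif not line.strip():                # blank line terminates an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current[last] = value.strip()
    return entries

def expired_uids(ldif_text, today):
    """uids for which shadowLastChange + shadowMax < current day."""
    now = (today - date(1970, 1, 1)).days     # shadow attributes count days since the epoch
    expired = []
    for entry in parse_ldif(ldif_text):
        try:
            last_change = int(entry["shadowlastchange"])
            max_age = int(entry["shadowmax"])
        except (KeyError, ValueError):
            continue  # assumption: no usable expiry data means the account does not expire
        if last_change + max_age < now:
            expired.append(entry.get("uid", entry.get("dn")))
    return expired

if __name__ == "__main__":
    print(expired_uids(SAMPLE_LDIF, date(2008, 10, 31)))
```
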
