I am running OpenLDAP as packaged for CentOS 5 and having problems with passwords expiring.

Users are being told every time they login that their password has expired and to change their password. When a user's OpenLDAP account ShadowMax is changed to 99999 their passwords are not expiring. But when I change back to 90 days the problem is there again. ShadowLastChange is updating to the correct date when they input a new password. Thank you for you time and input as to why this might be occurring.

I am able to login fine after I change my password, but I have to change my password every time I log in, /var/log/secure:

Mar 27 11:28:28 ldap login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=john
Mar 27 11:28:28 ldap login: pam_unix(login:account): expired password for user john (password aged)
Mar 27 11:28:28 ldap login: pam_unix(login:chauthtok): user "john" does not exist in /etc/passwd
Mar 27 11:28:46 ldap login: pam_unix(login:chauthtok): user "john" does not exist in /etc/passwd
Mar 27 11:28:46 ldap login: pam_unix(login:session): session opened for user john by LOGIN(uid=0)
Mar 27 11:28:46 ldap login: LOGIN ON tty1 BY john

The CentOS generated /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

Users solely reside in OpenLDAP and when the user inputs their new password shadow is not being updated with the Last Change number, as illustrated by:
getent shadow
john:*::0:90:7:::

I have tried updating the password with passwd and it still does not update.

When I set shadowMax to -1 the shadow is being updated:
getent shadow john
john:*::0::7:::

# john, People, gd-ldap.com
dn: uid=john,ou=People,dc=gd-ldap,dc=com
uid: john
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/john
gecos: John Doe
mail: john.doe@domain.com
userPassword:: e2NyeXB0fSQxJDg1JkIwY28uJGN2YmR2V2dyY0hPS1lQVVVZeFVGdi8=
shadowLastChange: 15426
shadowMax: -1




When I set the Last Change to 15419 and Max to 900 only the Max changes.
How do I get the last change in shadow to update?
getent shadow john
john:*::0:900:7:::

# john, People, gd-ldap.com
dn: uid=john,ou=People,dc=gd-ldap,dc=com
uid: john
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/john
gecos: John Doe
mail: john.doe@domain.com
userPassword:: e2NyeXB0fSQxJDg1JkIwY28uJGN2YmR2V2dyY0hPS1lQVVVZeFVGdi8=
shadowLastChange: 15419
shadowMax: 900

found my mistake. Somewhere along the line I had some problems with an account expiring and edited slapd.conf as follows:
access to attrs=userPassword,userLastChange
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by self write
by * auth

access to *
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by users read
by self write
by * read

I changed back to:
access to attrs=userPassword
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by self write
by * auth
access to *
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by users read
by self write
by * read

And now it works.

For some reason it did not work again, so I added the following to /etc/openldap/slapd.conf
access to attrs=shadowLastChange
by * write
by * auth

Let us hope it works tomorrow.