author | Arthur de Jong <arthur@arthurdejong.org> | 2010-12-29 22:50:31 +0000 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2010-12-29 22:50:31 +0000 |
commit | e985efa83458e1cc9c2bcb12e3cc10b6526c3399 (patch) | |
tree | 8311cb525c9d452d62d88280e6cca854496f9c42 /nslcd | |
parent | 4e9224817ee303404b804a1a51f2f9c9a49164e4 (diff) | |
parent | ed6bc27721075adf0215ad8b856fcdcf7b98b9b7 (diff) |
merge changes from trunk
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-solaris@1349 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'nslcd')
-rw-r--r-- | nslcd/attmap.c | 5 | ||||
-rw-r--r-- | nslcd/cfg.c | 9 | ||||
-rw-r--r-- | nslcd/cfg.h | 2 | ||||
-rw-r--r-- | nslcd/common.c | 46 | ||||
-rw-r--r-- | nslcd/common.h | 6 | ||||
-rw-r--r-- | nslcd/group.c | 23 | ||||
-rw-r--r-- | nslcd/myldap.c | 12 | ||||
-rw-r--r-- | nslcd/myldap.h | 5 | ||||
-rw-r--r-- | nslcd/pam.c | 5 | ||||
-rw-r--r-- | nslcd/passwd.c | 94 | ||||
-rw-r--r-- | nslcd/shadow.c | 71 |
11 files changed, 219 insertions, 59 deletions
diff --git a/nslcd/attmap.c b/nslcd/attmap.c
index 92cc011..32b8041 100644
--- a/nslcd/attmap.c
+++ b/nslcd/attmap.c
@@ -213,10 +213,13 @@ const char *attmap_set_mapping(const char **var,const char *value)
 /* these attributes may contain an expression (note that this needs to match the functionality in the specific lookup module) */
- if ( (var!=&attmap_passwd_gidNumber) &&
+ if ( (var!=&attmap_group_userPassword) &&
+ (var!=&attmap_passwd_userPassword) &&
+ (var!=&attmap_passwd_gidNumber) &&
 (var!=&attmap_passwd_gecos) &&
 (var!=&attmap_passwd_homeDirectory) &&
 (var!=&attmap_passwd_loginShell) &&
+ (var!=&attmap_shadow_userPassword) &&
 (var!=&attmap_shadow_shadowLastChange) &&
 (var!=&attmap_shadow_shadowMin) &&
 (var!=&attmap_shadow_shadowMax) &&
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 364e726..c2a5480 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -120,6 +120,7 @@ static void cfg_defaults(struct ldap_config *cfg)
 cfg->ldc_pagesize=0;
 cfg->ldc_nss_initgroups_ignoreusers=NULL;
 cfg->ldc_pam_authz_search=NULL;
+ cfg->ldc_nss_min_uid=0;
 }
 /* simple strdup wrapper */
@@ -985,7 +986,8 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
 LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CACERTDIR,value);
 free(value);
 }
- else if (strcasecmp(keyword,"tls_cacertfile")==0)
+ else if ( (strcasecmp(keyword,"tls_cacertfile")==0) ||
+ (strcasecmp(keyword,"tls_cacert")==0) )
 {
 get_strdup(filename,lnr,keyword,&line,&value);
 get_eol(filename,lnr,keyword,&line);
@@ -1050,6 +1052,11 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
 check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
 cfg->ldc_pam_authz_search=xstrdup(line);
 }
+ else if (strcasecmp(keyword,"nss_min_uid")==0)
+ {
+ get_uid(filename,lnr,keyword,&line,&cfg->ldc_nss_min_uid);
+ get_eol(filename,lnr,keyword,&line);
+ }
 #ifdef ENABLE_CONFIGFILE_CHECKING
 /* fallthrough */
 else
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index de43956..a44d5d2 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -137,6 +137,8 @@ struct ldap_config
 SET *ldc_nss_initgroups_ignoreusers;
 /* the search that should be performed to do autorisation checks */
 char *ldc_pam_authz_search;
+ /* minimum uid for users retreived from LDAP */
+ uid_t ldc_nss_min_uid;
 };
 /* this is a pointer to the global configuration, it should be available
diff --git a/nslcd/common.c b/nslcd/common.c
index d88bb60..dc25bed 100644
--- a/nslcd/common.c
+++ b/nslcd/common.c
@@ -35,6 +35,7 @@
 #include "nslcd.h"
 #include "common.h"
 #include "log.h"
+#include "attmap.h"
 /* simple wrapper around snptintf() to return non-0 in case of any failure (but always keep string 0-terminated) */
@@ -51,25 +52,21 @@ int mysnprintf(char *buffer,size_t buflen,const char *format, ...)
 return ((res<0)||(((size_t)res)>=buflen));
 }
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr)
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,char *buffer,size_t buflen)
 {
- const char **values;
- int i;
- /* get the entries */
- values=myldap_get_values(entry,attr);
- if ((values==NULL)||(values[0]==NULL))
+ const char *tmpvalue;
+ /* get the value */
+ tmpvalue=attmap_get_value(entry,attr,buffer,buflen);
+ if (tmpvalue==NULL)
 return NULL;
 /* go over the entries and return the remainder of the value if it starts with {crypt} or crypt$ */
- for (i=0;values[i]!=NULL;i++)
- {
- if (strncasecmp(values[i],"{crypt}",7)==0)
- return values[i]+7;
- if (strncasecmp(values[i],"crypt$",6)==0)
- return values[i]+6;
- }
+ if (strncasecmp(tmpvalue,"{crypt}",7)==0)
+ return tmpvalue+7;
+ if (strncasecmp(tmpvalue,"crypt$",6)==0)
+ return tmpvalue+6;
 /* just return the first value completely */
- return values[0];
+ return tmpvalue;
 /* TODO: support more password formats e.g. SMD5 (which is $1$ but in a different format) (any code for this is more than welcome) */
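Review bot: In `get_userpassword()` (nslcd/common.c, hunk -51,25) only the single value returned by `attmap_get_value()` is tested for the `{crypt}`/`crypt$` prefix, whereas the removed loop looked at every value of the attribute, so an entry whose crypt hash is not the value that comes back (presumably the first) now yields a string in some other scheme. The two retained comments, "go over the entries…" and "just return the first value completely", no longer describe the code; I would replace them with `/* strip a leading {crypt} or crypt$ from the mapped value */` and `/* otherwise return the mapped value unchanged */`. The result may point into `buffer` (assuming `attmap_get_value()` expands expressions there, which this diff does not show), so the comment above the prototype in common.h should say that the buffer must outlive the returned pointer.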
@@ -100,13 +97,20 @@ int isvalidname(const char *name)
 if (i>=LOGIN_NAME_MAX)
 return 0;
 #endif /* LOGIN_NAME_MAX */
- if ( ! ( ( (i!=0) && (name[i]=='-') ) ||
- ( (i!=0) && (name[i]=='\\') && name[i+1]!='\0' ) ||
- (name[i]>='@' && name[i] <= 'Z') ||
- (name[i]>='a' && name[i] <= 'z') ||
- (name[i]>='0' && name[i] <= '9') ||
- name[i]=='.' || name[i]=='_' || name[i]=='$' || name[i]==' ') )
- return 0;
+ /* characters supported everywhere in the name */
+ if ( (name[i]>='@' && name[i] <= 'Z') ||
+ (name[i]>='a' && name[i] <= 'z') ||
+ (name[i]>='0' && name[i] <= '9') ||
+ name[i]=='.' || name[i]=='_' || name[i]=='$' )
+ continue;
+ /* characters that may be anywhere except as first character */
+ if ( i>0 && ( name[i]=='-' || name[i]=='~' ) )
+ continue;
+ /* characters that may not be the first or last character */
+ if ( ( i>0 && name[i+1]!='\0' ) && ( name[i]=='\\' || name[i]==' ') )
+ continue;
+ /* anything else is bad */
+ return 0;
 }
 /* no test failed so it must be good */
 return -1;
diff --git a/nslcd/common.h b/nslcd/common.h
index 90e9b10..5bd98ea 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -59,7 +59,8 @@ int mysnprintf(char *buffer,size_t buflen,const char *format, ...)
 /etc/group or /etc/shadow depending upon what is in the directory. This function will return NULL if no passwd is found and will return the literal value in the directory if conversion is not possible. */
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr);
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,
+ char *buffer,size_t buflen);
 /* write out an address, parsing the addr value */
 int write_address(TFILE *fp,const char *addr);
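Review bot: The first range test in the rewritten `isvalidname()` check, `name[i]>='@' && name[i] <= 'Z'`, accepts `@` as well as A-Z, and the new comment "characters supported everywhere in the name" does not make that visible. This function decides which names from requests and directory entries are accepted elsewhere in this diff (`uid2entry()`, `lookup_dn2uid()`), so I would spell the alphabet out, e.g. `/* '@', A-Z, a-z, 0-9, '.', '_' and '$' may appear anywhere */`. The rewrite also changes what is accepted: a space is no longer valid as first or last character and `~` is newly valid after the first, which the comments could state as a deliberate change. The loop header is outside the hunk.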
@@ -94,6 +95,9 @@ MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid,int *rcp);
 /* transforms the uid into a DN by doing an LDAP lookup */
 MUST_USE char *uid2dn(MYLDAP_SESSION *session,const char *uid,char *buf,size_t buflen);
+/* try to update the shadowLastChange attribute of the entry if possible */
+int update_lastchange(MYLDAP_SESSION *session,const char *userdn);
+
 /* these are the functions for initialising the database specific modules */
 void alias_init(void);
diff --git a/nslcd/group.c b/nslcd/group.c
index baf367e..fa50d6f 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -61,7 +61,7 @@ const char *group_filter = "(objectClass=posixGroup)";
 /* the attributes to request with searches */
 const char *attmap_group_cn = "cn";
-const char *attmap_group_userPassword = "userPassword";
+const char *attmap_group_userPassword = "\"*\"";
 const char *attmap_group_gidNumber = "gidNumber";
 const char *attmap_group_memberUid = "memberUid";
 const char *attmap_group_uniqueMember = "uniqueMember";
@@ -69,9 +69,8 @@ const char *attmap_group_uniqueMember = "uniqueMember";
 /* default values for attributes */
 static const char *default_group_userPassword = "*"; /* unmatchable */
-
 /* the attribute list to request with searches */
-static const char *group_attrs[6];
+static const char **group_attrs=NULL;
 /* create a search filter for searching a group entry by name, return -1 on errors */
@@ -132,6 +131,7 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session,
 void group_init(void)
 {
 int i;
+ SET *set;
 /* set up search bases */
 if (group_bases[0]==NULL)
 for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
@@ -140,12 +140,14 @@ void group_init(void)
 if (group_scope==LDAP_SCOPE_DEFAULT)
 group_scope=nslcd_cfg->ldc_scope;
 /* set up attribute list */
- group_attrs[0]=attmap_group_cn;
- group_attrs[1]=attmap_group_userPassword;
- group_attrs[2]=attmap_group_memberUid;
- group_attrs[3]=attmap_group_gidNumber;
- group_attrs[4]=attmap_group_uniqueMember;
- group_attrs[5]=NULL;
+ set=set_new();
+ attmap_add_attributes(set,attmap_group_cn);
+ attmap_add_attributes(set,attmap_group_userPassword);
+ attmap_add_attributes(set,attmap_group_memberUid);
+ attmap_add_attributes(set,attmap_group_gidNumber);
+ attmap_add_attributes(set,attmap_group_uniqueMember);
+ group_attrs=set_tolist(set);
+ set_free(set);
 }
 static int do_write_group(
@@ -224,6 +226,7 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
 gid_t gids[MAXGIDS_PER_ENTRY];
 int numgids;
 char *tmp;
+ char passbuffer[80];
 int rc;
 /* get group name (cn) */
 names=myldap_get_values(entry,attmap_group_cn);
@@ -260,7 +263,7 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
 }
 }
 /* get group passwd (userPassword) (use only first entry) */
- passwd=get_userpassword(entry,attmap_group_userPassword);
+ passwd=get_userpassword(entry,attmap_group_userPassword,passbuffer,sizeof(passbuffer));
 if (passwd==NULL)
 passwd=default_group_userPassword;
 /* get group memebers (memberUid&uniqueMember) */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index fb0f617..a1acb21 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1705,3 +1705,15 @@ int myldap_passwd(
 }
 return rc;
 }
+
+int myldap_modify(MYLDAP_SESSION *session,const char *dn,LDAPMod *mods[])
+{
+ int rc;
+ if (!is_valid_session(session)||(dn==NULL))
+ {
+ log_log(LOG_ERR,"myldap_passwd(): invalid parameter passed");
+ errno=EINVAL;
+ return LDAP_OTHER;
+ }
+ return ldap_modify_ext_s(session->ld,dn,mods,NULL,NULL);
+}
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index f7df4a3..e0fe688 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
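Review bot: `group_init()` (nslcd/group.c, hunk -140,12) uses the results of `set_new()` and `set_tolist()` without checking them, and `group_attrs` now starts out as `NULL` instead of being a fixed array. If either helper can fail (their definitions are outside this diff), the list that is presumably handed to later searches stays `NULL`, which the LDAP client API reads as "return all user attributes" rather than as an error. I would stop at start-up instead: `if (set==NULL) { log_log(LOG_ERR,"group_init(): set_new() failed"); exit(EXIT_FAILURE); }` directly after `set_new()`, and the same test on `group_attrs` after `set_tolist()`.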
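Review bot: `char passbuffer[80]` in `write_group()` (hunks -224,6 and -260,7) is all the space `get_userpassword()` gets for an expanded `userPassword` mapping, and the same size is repeated in `write_passwd()` and `write_shadow()` later in this commit. A SHA-512 crypt string is already longer than 100 characters before any `{crypt}` prefix, so a site that maps the attribute through an expression can exceed 79 characters. What `attmap_get_value()` does on overflow is not visible here, but all three callers replace a `NULL` result with the unmatchable default without logging, so the hash would silently disappear for those accounts. I would enlarge the buffer, e.g. `char passbuffer[256];`, and log when the expansion does not fit.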
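Review bot: The error path of the new `myldap_modify()` (nslcd/myldap.c) logs `"myldap_passwd(): invalid parameter passed"`, which points whoever reads the log at the wrong function; it should be `log_log(LOG_ERR,"myldap_modify(): invalid parameter passed");`. `mods` reaches `ldap_modify_ext_s()` without a NULL test although `dn` is tested, so the guard could read `if (!is_valid_session(session)||(dn==NULL)||(mods==NULL))`. `int rc;` is declared but never used and can be dropped. Whether `session->ld` is guaranteed to be connected here depends on code outside the diff; the only caller shown, `update_lastchange()`, gets here after a search on the same session.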
@@ -139,9 +139,12 @@ MUST_USE int myldap_escape(const char *src,char *buffer,size_t buflen);
 /* Set the debug level globally. Returns an LDAP status code. */
 int myldap_set_debuglevel(int i);
-/* Perform an EXOP password modification call. */
+/* Perform an EXOP password modification call. Returns an LDAP status code. */
 int myldap_passwd( MYLDAP_SESSION *session, const char *userdn,const char *oldpassword,const char *newpasswd);
+/* Perform an LDAP modification request. Returns an LDAP status code. */
+int myldap_modify(MYLDAP_SESSION *session,const char *dn,LDAPMod *mods[]);
+
 #endif /* not NSLCD__MYLDAP_H */
diff --git a/nslcd/pam.c b/nslcd/pam.c
index f6d3877..5c1d0a8 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -457,6 +457,11 @@ static int try_pwmod(const char *binddn,const char *userdn,
 oldpassword=NULL;
 /* perform password modification */
 rc=myldap_passwd(session,userdn,oldpassword,newpassword);
+ if (rc==LDAP_SUCCESS)
+ {
+ /* try to update the shadowLastChange attribute */
+ (void)update_lastchange(session,userdn);
+ }
 }
 /* close the session */
 myldap_session_close(session);
diff --git a/nslcd/passwd.c b/nslcd/passwd.c
index f0dceb0..9113f5d 100644
--- a/nslcd/passwd.c
+++ b/nslcd/passwd.c
@@ -56,7 +56,7 @@ const char *passwd_filter = "(objectClass=posixAccount)";
 /* the attributes used in searches */
 const char *attmap_passwd_uid = "uid";
-const char *attmap_passwd_userPassword = "userPassword";
+const char *attmap_passwd_userPassword = "\"*\"";
 const char *attmap_passwd_uidNumber = "uidNumber";
 const char *attmap_passwd_gidNumber = "gidNumber";
 const char *attmap_passwd_gecos = "\"${gecos:-$cn}\"";
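Review bot: In `try_pwmod()` (nslcd/pam.c) the new `update_lastchange()` call reuses the session that just changed the password, so the write to `shadowLastChange` presumably runs under that session's bind identity; the bind itself is outside the hunk. If that identity is the user, the directory ACL must let users write their own `shadowLastChange`, and an account that can write the attribute can set it to any value and so bypass password ageing. That trade-off belongs in a comment here and in the documentation of the feature, e.g. `/* best effort: needs write access to shadowLastChange for the bound DN, which also weakens password ageing */`. Dropping the return value with `(void)` is reasonable because `update_lastchange()` logs a failed modify itself.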
@@ -138,13 +138,46 @@ struct dn2uid_cache_entry
 };
 #define DN2UID_CACHE_TIMEOUT (15*60)
+/* checks whether the entry has a valid uidNumber attribute
+ (>= nss_min_uid) */
+static int entry_has_valid_uid(MYLDAP_ENTRY *entry)
+{
+ int i;
+ const char **values;
+ char *tmp;
+ uid_t uid;
+ /* if min_uid is not set any entry should do */
+ if (nslcd_cfg->ldc_nss_min_uid==0)
+ return 1;
+ /* get all uidNumber attributes */
+ values=myldap_get_values(entry,attmap_passwd_uidNumber);
+ if ((values==NULL)||(values[0]==NULL))
+ {
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_passwd_uidNumber);
+ return 0;
+ }
+ /* check if there is a uidNumber attributes >= min_uid */
+ for (i=0;values[i]!=NULL;i++)
+ {
+ uid=(uid_t)strtol(values[i],&tmp,0);
+ if ((*(values[i])=='\0')||(*tmp!='\0'))
+ log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
+ myldap_get_dn(entry),attmap_passwd_uidNumber);
+ else if (uid>=nslcd_cfg->ldc_nss_min_uid)
+ return 1;
+ }
+ /* nothing found */
+ return 0;
+}
+
 /* Perform an LDAP lookup to translate the DN into a uid. This function either returns NULL or a strdup()ed string. */
 char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn,int *rcp,char *buf,size_t buflen)
 {
 MYLDAP_SEARCH *search;
 MYLDAP_ENTRY *entry;
- static const char *attrs[2];
+ static const char *attrs[3];
 int rc=LDAP_SUCCESS;
 const char **values;
 char *uid=NULL;
@@ -152,7 +185,8 @@ char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn,int *rcp,char *buf,si
 rcp=&rc;
 /* we have to look up the entry */
 attrs[0]=attmap_passwd_uid;
- attrs[1]=NULL;
+ attrs[1]=attmap_passwd_uidNumber;
+ attrs[2]=NULL;
 search=myldap_search(session,dn,LDAP_SCOPE_BASE,passwd_filter,attrs,rcp);
 if (search==NULL)
 {
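Review bot: `entry_has_valid_uid()` (nslcd/passwd.c, hunk -138,13) casts the `strtol()` result straight to `uid_t`, so where `uid_t` is unsigned a value such as `-1`, or one that overflowed to `LONG_MAX`, turns into a very large uid and satisfies `uid>=nslcd_cfg->ldc_nss_min_uid`. Since `nss_min_uid` is the filter that keeps low-numbered directory entries out of `uid2entry()` and `lookup_dn2uid()`, the comparison should only run on a value known to be in range: keep the result in a `long val`, set `errno=0` before the call, and accept with `else if ((errno==0)&&(val>=0)&&((uid_t)val>=nslcd_cfg->ldc_nss_min_uid))`. Base `0` lets a leading `0` or `0x` change how the digits are read, which matters only if `write_passwd()` parses the attribute with a different base (that code is outside this diff). The function comment should also say that one acceptable value lets the whole entry pass even when other `uidNumber` values are below the minimum.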
@@ -166,13 +200,17 @@ char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn,int *rcp,char *buf,si
 log_log(LOG_WARNING,"lookup of user %s failed: %s",dn,ldap_err2string(*rcp));
 return NULL;
 }
- /* get uid (just use first one) */
- values=myldap_get_values(entry,attmap_passwd_uid);
- /* check the result for presence and validity */
- if ((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+ /* check the uidNumber attribute if min_uid is set */
+ if (entry_has_valid_uid(entry))
 {
- strcpy(buf,values[0]);
- uid=buf;
+ /* get uid (just use first one) */
+ values=myldap_get_values(entry,attmap_passwd_uid);
+ /* check the result for presence and validity */
+ if ((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+ {
+ strcpy(buf,values[0]);
+ uid=buf;
+ }
 }
 /* clean up and return */
 myldap_search_close(search);
@@ -258,14 +296,15 @@ MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid,int *rcp)
 MYLDAP_ENTRY *entry=NULL;
 const char *base;
 int i;
- static const char *attrs[2];
+ static const char *attrs[3];
 char filter[1024];
 /* if it isn't a valid username, just bail out now */
 if (!isvalidname(uid))
 return NULL;
 /* set up attributes (we don't need much) */
 attrs[0]=attmap_passwd_uid;
- attrs[1]=NULL;
+ attrs[1]=attmap_passwd_uidNumber;
+ attrs[2]=NULL;
 /* we have to look up the entry */
 mkfilter_passwd_byname(uid,filter,sizeof(filter));
 for (i=0;(i<NSS_LDAP_CONFIG_MAX_BASES)&&((base=passwd_bases[i])!=NULL);i++)
@@ -274,7 +313,7 @@ MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid,int *rcp)
 if (search==NULL)
 return NULL;
 entry=myldap_get_entry(search,NULL);
- if (entry!=NULL)
+ if ((entry!=NULL)&&(entry_has_valid_uid(entry)))
 return entry;
 }
 return NULL;
@@ -309,6 +348,7 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
 char gecos[100];
 char homedir[100];
 char shell[100];
+ char passbuffer[80];
 int i,j;
 /* get the usernames for this entry */
 usernames=myldap_get_values(entry,attmap_passwd_uid);
@@ -326,7 +366,7 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
 }
 else
 {
- passwd=get_userpassword(entry,attmap_passwd_userPassword);
+ passwd=get_userpassword(entry,attmap_passwd_userPassword,passbuffer,sizeof(passbuffer));
 if ((passwd==NULL)||(calleruid!=0))
 passwd=default_passwd_userPassword;
 }
@@ -393,14 +433,17 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
 {
 for (j=0;j<numuids;j++)
 {
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_TYPE(fp,uids[j],uid_t);
- WRITE_TYPE(fp,gid,gid_t);
- WRITE_STRING(fp,gecos);
- WRITE_STRING(fp,homedir);
- WRITE_STRING(fp,shell);
+ if (uids[j]>=nslcd_cfg->ldc_nss_min_uid)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_TYPE(fp,uids[j],uid_t);
+ WRITE_TYPE(fp,gid,gid_t);
+ WRITE_STRING(fp,gecos);
+ WRITE_STRING(fp,homedir);
+ WRITE_STRING(fp,shell);
+ }
 }
 }
 }
@@ -427,7 +470,14 @@ NSLCD_HANDLE_UID(
 uid_t uid;
 char filter[1024];
 READ_TYPE(fp,uid,uid_t);
- log_setrequest("passwd=%d",(int)uid);,
+ log_setrequest("passwd=%d",(int)uid);
+ if (uid<nslcd_cfg->ldc_nss_min_uid)
+ {
+ /* return an empty result */
+ WRITE_INT32(fp,NSLCD_VERSION);
+ WRITE_INT32(fp,NSLCD_ACTION_PASSWD_BYUID);
+ WRITE_INT32(fp,NSLCD_RESULT_END);
+ },
 NSLCD_ACTION_PASSWD_BYUID,
 mkfilter_passwd_byuid(uid,filter,sizeof(filter)),
 write_passwd(fp,entry,NULL,&uid,calleruid)
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index a5c4a6d..e5f4a54 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -28,6 +28,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <time.h>
 #include "common.h"
 #include "log.h"
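Review bot: In the `NSLCD_HANDLE_UID` block for `NSLCD_ACTION_PASSWD_BYUID` (nslcd/passwd.c, hunk -427,7) the new `if (uid<nslcd_cfg->ldc_nss_min_uid)` branch writes a complete empty response but does not leave the handler. Unless the macro, which is defined outside this diff, stops after the read section, execution goes on to build the filter, query the directory and write a second response header on the same stream for a uid that was already rejected. I would end the branch with `return 0;` after `WRITE_INT32(fp,NSLCD_RESULT_END);`, assuming the generated handler returns `int` like the `write_*` functions shown.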
@@ -54,7 +55,7 @@ const char *shadow_filter = "(objectClass=shadowAccount)";
 /* the attributes to request with searches */
 const char *attmap_shadow_uid = "uid";
-const char *attmap_shadow_userPassword = "userPassword";
+const char *attmap_shadow_userPassword = "\"*\"";
 const char *attmap_shadow_shadowLastChange = "\"${shadowLastChange:--1}\"";
 const char *attmap_shadow_shadowMin = "\"${shadowMin:--1}\"";
 const char *attmap_shadow_shadowMax = "\"${shadowMax:--1}\"";
@@ -169,6 +170,71 @@ static long to_date(const char *date,const char *attr)
 tmpvalue=""; \
 var=to_date(tmpvalue,attmap_shadow_##att);
+/* try to update the shadowLastChange attribute of the entry if possible */
+int update_lastchange(MYLDAP_SESSION *session,const char *userdn)
+{
+ MYLDAP_SEARCH *search;
+ MYLDAP_ENTRY *entry;
+ static const char *attrs[3];
+ const char *attr;
+ int rc;
+ const char **values;
+ LDAPMod mod,*mods[2];
+ char buffer[80],*strvals[2];
+ /* find the name of the attribute to use */
+ if ( (attmap_shadow_shadowLastChange==NULL) || (attmap_shadow_shadowLastChange[0]=='\0') )
+ return LDAP_LOCAL_ERROR; /* attribute not set at all */
+ else if (strcmp(attmap_shadow_shadowLastChange,"\"${shadowLastChange:--1}\"")==0)
+ attr="shadowLastChange";
+ else if (attmap_shadow_shadowLastChange[0]=='\"')
+ return LDAP_LOCAL_ERROR; /* other expressions not supported for now */
+ else
+ attr=attmap_shadow_shadowLastChange;
+ /* set up the attributes we need */
+ attrs[0]=attmap_shadow_uid;
+ attrs[1]=attr;
+ attrs[2]=NULL;
+ /* find the entry to see if the attribute is present */
+ search=myldap_search(session,userdn,LDAP_SCOPE_BASE,shadow_filter,attrs,&rc);
+ if (search==NULL)
+ return rc;
+ entry=myldap_get_entry(search,&rc);
+ if (entry==NULL)
+ return rc;
+ values=myldap_get_values(entry,attr);
+ if ((values==NULL)||(values[0]==NULL)||(values[0][0]=='\0'))
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ /* build the value for the new attribute */
+ if (strcasecmp(attr,"pwdLastSet")==0)
+ {
+ /* for AD we use another timestamp */
+ if(mysnprintf(buffer,sizeof(buffer),"%ld000000000",((long int)time(NULL)/100L+(134774L*864L))))
+ return LDAP_LOCAL_ERROR;
+ }
+ else
+ {
+ /* time in days since Jan 1, 1970 */
+ if(mysnprintf(buffer,sizeof(buffer),"%ld",((long int)(time(NULL)/(long int)(60*60*24)))))
+ return LDAP_LOCAL_ERROR;
+ }
+ /* update the shadowLastChange attribute */
+ strvals[0]=buffer;
+ strvals[1]=NULL;
+ mod.mod_op=LDAP_MOD_REPLACE;
+ mod.mod_type=(char *)attr;
+ mod.mod_values=strvals;
+ mods[0]=&mod;
+ mods[1]=NULL;
+ rc=myldap_modify(session,userdn,mods);
+ if (rc!=LDAP_SUCCESS)
+ log_log(LOG_WARNING,"modification of %s attribute of %s failed: %s",
+ attr,userdn,ldap_err2string(rc));
+ else
+ log_log(LOG_DEBUG,"modification of %s attribute of %s succeeded",
+ attr,userdn);
+ return rc;
+}
+
 static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
 {
 int32_t tmpint32;
@@ -185,6 +251,7 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
 unsigned long flag;
 int i;
 char buffer[80];
+ char passbuffer[80];
 /* get username */
 usernames=myldap_get_values(entry,attmap_shadow_uid);
 if ((usernames==NULL)||(usernames[0]==NULL))
@@ -194,7 +261,7 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
 return 0;
 }
 /* get password */
- passwd=get_userpassword(entry,attmap_shadow_userPassword);
+ passwd=get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer));
 if (passwd==NULL)
 passwd=default_shadow_userPassword;
 /* get lastchange date */ |
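Review bot: `update_lastchange()` (nslcd/shadow.c, hunk -169,6) never releases the search it opens: every return after `myldap_search()` succeeds, including the normal one, leaves `search` open, whereas `lookup_dn2uid()` in passwd.c calls `myldap_search_close(search)` before returning. `values` is only used for the presence test, so `myldap_search_close(search);` can go before the `return` in the `entry==NULL` and missing-value branches and once more right after the value test; whether the session clean-up in `try_pwmod()` would reclaim it anyway is not visible here. The literal `"\"${shadowLastChange:--1}\""` repeats the default of `attmap_shadow_shadowLastChange` set earlier in this file, so the two can drift apart; a shared macro or a comment on both lines would prevent that. The `pwdLastSet` branch has a resolution of 100 seconds because of the `/100L`, which its comment should state.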