
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange



Michael Ströder wrote:
> Howard Chu wrote:
>> michael@stroeder.com wrote:
>>> michael@stroeder.com wrote:
>>>> I'd rather argue that for
>>>> Samba 3 'sambaPwdLastSet' should be set.
>>>
>>> Uumpf! This is already set. Sorry for the noise.
>>>
>>>> 'shadowLastChange' is rather a POSIX account attribute which from my
>>>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope
>>>> could be
>>>> extended...
>>>
>>> But still it's the question whether we want to have this functionality
>>> for
>>> various password-related attributes all in one overlay or whether there
>>> should
>>> be distinct overlays for each account type (posixAccount/shadowAccount,
>>> sambaSAMAccount, Kerberos user).
>>
>> shadowAccount is deprecated. LDAP ppolicy already provides a
>> pwdChangedTime attribute.
>
> While I agree that slapo-ppolicy is the better solution in the long run I see
> no reason why to not set both attributes at the server's side to make older
> LDAP clients happy.

This is not a realistic use case. smbk5pwd was written starting in 2004; 
pam_ldap started supporting LDAP password policy long before then. Anyone 
running LDAP clients (pam_ldap, nss_ldap) older than that has far worse 
problems to worry about.

>> Ultimately both Kerberos and Samba will just be using LDAP ppolicy.
>
> Yes. But there is indeed a real need for a solution in the meantime...

Yes, in the meantime both Heimdal and Samba use the smbPwdLastSet attribute 
which is already taken care of.

This ITS will be closed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/