Re: migrating from (old) /etc/shadow to LDAP



On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:
> On 22/09/2011 16:10, Christopher Wood wrote:
> >Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)
> 
> This, at least for Debian Stable and Ubuntu LTS, has an important
> shortcoming: it does not update shadowLastChange on password change.
> So if you set a password expiration they will stay expired forever.

This depends on where passwords are maintained. Certainly in your case it sounds like the authoritative password copy is maintained in the directory.
 
> It can be made to work with a patched smbk5pwd overlay in the
> openldap server, but that's not present in Debian or Ubuntu.
> 
> Simone
> -- 
> Simone Piccardi                                 Truelite Srl
> piccardi@truelite.it (email/jabber)             Via Monferrato, 6
> Tel. +39-347-1032433                            50142 Firenze
> http://www.truelite.it  Tel. +39-055-7879597    Fax. +39-055-7333336
> 
>
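
The shadowLastChange shortcoming discussed in this thread, as an added example that is not part of either poster's message: a small model of the shadow(5) password-ageing check applied to a directory entry before and after a password change. The LDIF entry, its values and all function names are constructed for illustration, and the parser assumes one unfolded entry without base64 values.

```python
from datetime import date

# Constructed sample entry (not from the thread): a shadowAccount with ageing set.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
shadowLastChange: 15000
shadowMax: 90
"""

def parse_ldif_entry(text):
    """Return {attribute: value} for a single, unfolded LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()] = value.strip()
    return attrs

def days_since_epoch(day):
    """shadowLastChange is counted in days since 1970-01-01."""
    return (day - date(1970, 1, 1)).days

def change_required(attrs, today):
    """Ageing rule: a change is required once the password age exceeds shadowMax."""
    last = int(attrs.get("shadowLastChange", -1))
    maximum = int(attrs.get("shadowMax", -1))
    if last == 0:
        return True   # 0 means "must change at next login"
    if last < 0 or maximum < 0:
        return False  # ageing not configured for this account
    return days_since_epoch(today) - last > maximum

def change_password(attrs, today, update_last_change):
    """Model a password change; the flag says whether shadowLastChange is rewritten."""
    updated = dict(attrs, userPassword="{SSHA}constructed-placeholder")
    if update_last_change:
        updated["shadowLastChange"] = str(days_since_epoch(today))
    return updated

if __name__ == "__main__":
    today = date(2011, 9, 23)
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for flag in (False, True):
        after = change_password(entry, today, update_last_change=flag)
        print("shadowLastChange updated:", flag,
              "-> change still required:", change_required(after, today))
```

Running the same check against real entries (for example, exported with ldapsearch) after a test password change shows whether the client or server side is maintaining shadowLastChange.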