[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password expiration

To: "Collins, Cris L." <Cris.Collins@gd-ais.com>
Subject: Re: Password expiration
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Tue, 03 Apr 2012 18:43:14 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <A0271C841FB45D4EA17B803FF7E358075046069459@EADC-E-MABPRD01.ad.gd-ais.com>
References: <A0271C841FB45D4EA17B803FF7E358075046069459@EADC-E-MABPRD01.ad.gd-ais.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1

Hi Cris,

On 27/03/12 00:46, Collins, Cris L. wrote:
> I am running OpenLDAP as packaged for CentOS 5 and having problems with
> password expiration.
> Users are being told every time they login that their password has expired
> and to change their password. When ShadowMax is changed to 99999 their
> passwords are not expiring. The preferable setting is 90 days.
> ShadowLastChange is updating to the correct date when they input a new
> password. Thank you for you time and input as to why this might be
> occurring.

shadow attributes are used by UNIX systems during authentication,
depending on your system configuration (PAM, pam_ldap, login.defs...)

However, the OpenLDAP server itself will not use these attributes to
prevent binds by LDAP, which is what I understand you expect. For this,
check out the ppolicy overlay.

Jonathan
-- 
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

Follow-Ups:
- Re: Password expiration
  - From: "Collins, Cris" <cris.collins@gd-ais.com>

Prev by Date: Re: openldap proxy to AD
Next by Date: Re: Convert *.schema to *.ldif
Index(es):
- Chronological
- Thread