[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password expiration

To: openldap-technical@openldap.org
Subject: Re: Password expiration
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 4 Apr 2012 11:23:50 +0200
Cc: "Collins, Cris" <cris.collins@gd-ais.com>
In-reply-to: <4F7B68BB.8050206@gd-ais.com>
References: <A0271C841FB45D4EA17B803FF7E358075046069459@EADC-E-MABPRD01.ad.gd-ais.com> <4F7B28A2.9010304@phillipoux.net> <4F7B68BB.8050206@gd-ais.com>
User-agent: KMail/1.13.7 (Linux/2.6.38.8-desktop-9.mga; KDE/4.6.5; x86_64; ; )

On Tuesday, 3 April 2012 23:16:43 Collins, Cris wrote:
> The problem was resolved by adding the following per the nis schema. My
> statement below was incorrect. shadowLastChange was not updating, as
> "getent shadow username" showed me.
> 
> access to attrs=shadowLastChange,shadowMax
>         by dn="cn=Manager,dc=domain,dc=com" write
>         by self write
>         by * read
> 
> Thank you for your response.

Yes, it will work, for applications that look for shadowAccount attributes.

My approach is to remove ldap from the shadow line of nsswitch.conf, configure 
ppolicy on the LDAP server, and ensure PAM is setup correctly to enforce 
password expiration via ppolicy.

Then, even if users never login to a shell on a server configured for LDAP, 
they will be locked out of all other LDAP-using services (except for WiFi 
access points via FreeRADIUS EAP PEAP with MSCHAPv2 against samba attributes, 
since even if the samba attributes are updated, FreeRADIUS doesn't currently 
seem to respect them).

Regards,
Buchan

References:
- Re: Password expiration
  - From: Jonathan Clarke <jonathan@phillipoux.net>
- Re: Password expiration
  - From: "Collins, Cris" <cris.collins@gd-ais.com>

Prev by Date: Re: centralized sudo policies : ACL issue
Next by Date: Re: Convert *.schema to *.ldif
Index(es):
- Chronological
- Thread