Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
- From: firstname.lastname@example.org
- Date: Fri, 14 May 2010 14:35:22 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Michael Ströder wrote:
> Howard Chu wrote:
>> email@example.com wrote:
>>> firstname.lastname@example.org wrote:
>>>> I'd rather argue that for
>>>> Samba 3 'sambaPwdLastSet' should be set.
>>> Uumpf! This is already set. Sorry for the noise.
>>>> 'shadowLastChange' is rather a POSIX account attribute which from my
>>>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
>>> But still it's the question whether we want to have this functionality
>>> various password-related attributes all in one overlay or whether there
>>> be distinct overlays for each account type (posixAccount/shadowAccount,
>>> sambaSAMAccount, Kerberos user).
>> shadowAccount is deprecated. LDAP ppolicy already provides a
>> pwdChangedTime attribute.
> While I agree that slapo-ppolicy is the better solution in the long run, I see
> no reason not to set both attributes at the server's side to make older
> LDAP clients happy.
This is not a realistic use case. smbk5pwd was written starting in 2004;
pam_ldap started supporting LDAP password policy long before then. Anyone
running LDAP clients (pam_ldap, nss_ldap) older than that has far worse
problems to worry about.
>> Ultimately both Kerberos and Samba will just be using LDAP ppolicy.
> Yes. But there is indeed a real need for a solution in the meantime...
Yes, in the meantime both Heimdal and Samba use the smbPwdLastSet attribute
which is already taken care of.
This ITS will be closed.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/