RE: shadowaccount expiry

>This comes from RFC 2307 which itself is derived from Sun's original
>definition of /etc/shadow. Personally I think RFC 2307 is a mistake;
>these attributes should have been specified as GeneralizedTime. RFC 2307
>itself is extremely closely bound with Sun/Solaris' view of the world,
>and does not support common account attributes from systems like AIX,
>HP-UX, or SCO OpenServer. It has other problems too, like not using DNs
>for the members of a posixGroup, etc. etc... It is unfortunate that this
>RFC is worded as if it were applicable to Unix in general when it is
>primarily a specification for using Sun's NIS in LDAP.

There are historical reasons for this but there is little point defending it
now. At least support for this "mistake" is available on almost every
UNIX, and is endorsed by the major platforms -- Solaris, HP-UX, Linux and
(yes) OS X. Perhaps a better result than leaving UNIX vendors to define
proprietary schema. Not perfect, agreed.

GeneralizedTime attributes would have made more sense. It is not that
hard to map the shadowAccount attributes to, for example, the 4.4BSD
password age attributes. In any case, as we move towards password policies
being enforced by the directory server itself rather than the client
workstations, shadowAccount should be deprecated. We support, for example,
an older version of the Netscape password policy schema in pam_ldap.

Distinguished name members of posixGroup are defined in RFC2307bis and
supported by all our software. In fact, nss_ldap has supported them since
April, 1999!

-- Luke
Luke Howard | lukehoward.com
PADL Software | www.padl.com
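The thread above turns on the fact that RFC 2307 stores shadowLastChange, shadowMax and shadowExpire as integer day counts since 1970-01-01 rather than as GeneralizedTime. The following is an added example, not code from the post or from PADL's software: it reads a constructed shadowAccount entry, renders those day counters as GeneralizedTime, and derives password and account expiry from them. The expiry conventions it applies (negative or absent shadowMax/shadowExpire means "never", expiry is reached when today is at or past the computed day) are this example's assumptions, modelled on the usual shadow(5) reading, not something the post specifies.

```python
"""Map RFC 2307 shadowAccount day counters to LDAP GeneralizedTime and
evaluate expiry. Added example; the LDIF entry below is constructed."""
from datetime import date, datetime, timedelta, timezone

# shadow* day counters are days since the Unix epoch (UTC).
SHADOW_EPOCH = date(1970, 1, 1)

# Constructed sample entry in the shape RFC 2307 describes (not from the post).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 19000
shadowMax: 90
shadowWarning: 7
shadowExpire: 19500
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, values kept as lists."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def days_to_generalized_time(days):
    """Render a shadow day counter as GeneralizedTime (RFC 4517 form YYYYMMDDHHMMSSZ),
    taken at midnight UTC of that day."""
    d = SHADOW_EPOCH + timedelta(days=int(days))
    return d.strftime("%Y%m%d") + "000000Z"


def generalized_time_to_days(gt):
    """Inverse mapping: a GeneralizedTime string back to a shadow day counter."""
    d = datetime.strptime(gt, "%Y%m%d%H%M%SZ").date()
    return (d - SHADOW_EPOCH).days


def shadow_expiry(attrs, today_days):
    """Derive password and account expiry for a parsed shadowAccount entry.

    Assumed conventions (this example's, mirroring the common shadow(5) reading):
    missing or negative shadowMax -> password never expires; missing or negative
    shadowExpire -> account never expires; expired when today >= expiry day.
    """
    def first_int(name):
        vals = attrs.get(name)
        if not vals:
            return None
        v = int(vals[0])
        return v if v >= 0 else None

    last_change = first_int("shadowLastChange")
    max_age = first_int("shadowMax")
    expire_day = first_int("shadowExpire")

    result = {"password_expires": None, "password_expired": False,
              "account_expires": None, "account_expired": False}
    if last_change is not None and max_age is not None:
        pw_day = last_change + max_age
        result["password_expires"] = days_to_generalized_time(pw_day)
        result["password_expired"] = today_days >= pw_day
    if expire_day is not None:
        result["account_expires"] = days_to_generalized_time(expire_day)
        result["account_expired"] = today_days >= expire_day
    return result


def today_in_shadow_days():
    """Current UTC date as a shadow day counter, for a live check."""
    return (datetime.now(timezone.utc).date() - SHADOW_EPOCH).days


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(shadow_expiry(entry, today_in_shadow_days()))
```

Running it prints the expiry dates for the sample user in GeneralizedTime alongside whether each has already passed. The point worth noticing is the midnight-UTC rounding in `days_to_generalized_time`: a day counter cannot express a time of day, so any server-side policy that compares against a precise timestamp has to pick a convention, which is the precision loss the thread complains about.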