
RE: shadow accounts

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Douglas B. Jones

> Hi,
> I wanted to get some more detail on shadow accounts. From looking
> at the archives, I see:
>  struct spwd {
> 	char *sp_namp; /* user login name */		uid
> 	char *sp_pwdp; /* encrypted password */		userpassword
> 	long sp_lstchg; /* last password change */	shadowLastChange
> 	int  sp_min; /* days until change allowed. */	shadowMin
> 	int  sp_max; /* days before change required */	shadowMax
> 	int  sp_warn; /* days warning for expiration */	shadowWarning
> 	int  sp_inact; /* days before account inactive */	shadowInactive
> 	int  sp_expire; /* date when account expires */	shadowExpire
> 	int  sp_flag; /* reserved for future use */	shadowFlag
>  }
> My question is, what are the values in sp_expire, min, max and
> so on? Are they seconds, or an actual number of days? I understand these
> values to map to nis.schema values such as shadowExpire and so on.

As the comments say, they are a number of days.

> These appear to be of type 'EQUALITY integerMatch'. Does this
> mean I can't do less than and greater than operations, only
> equality? I wasn't sure what 'EQUALITY integerMatch' incorporated.
> I am still looking at the RFCs, but haven't really found what I am
> looking for.

If there is an ORDERING rule, then you can do less/greater comparisons. If
not, then not.

> Unfortunately,
> I don't have access to a system that tells me more about the structure
> spwd - only what I have found in the archives. On a tru64 system, the
> structure similar to these would use seconds, not days so you could
> disable at a certain time on a day (if you expire or inactive).

Yes, on a well-designed system these parameters would be in seconds. (AIX,
HPUX and SCO also use seconds in their native security parameters. But the
spec wasn't modeled after them, it was modeled after Solaris.) We at Symas
use our own schema here, with seconds for these parameters, and our Solaris
clients are written to round off to days so they can play with everyone else.

> Also, does a CLI like ldapsearch/add/mod/... respect these values? As an
> example, if I had the password for an id expired or set inact to 1 (is
> this how you make it inactive?), would ldapsearch fail if I
> authenticated against this id to do my search?

No. This schema specifically applies to Unix (actually, Solaris) logins, and
only programs that explicitly use the shadow account model will check it.
(E.g., /bin/login.) Other applications that use the directory are free to
adopt this usage if they wish, but none of it is checked in a regular LDAP

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
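
The thread above notes that the shadow attributes are counts of days and that only programs which explicitly use the shadow account model check them. As an added example (not part of the original message, and not OpenLDAP or Symas code), here is the kind of client-side check such a program would run on the attributes it reads from an entry. The struct, enum and function names are hypothetical, and the comparison boundaries and the use of -1 for an unset attribute are assumptions that follow conventional shadow(5) behaviour.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical holder for the nis.schema attributes fetched for one entry;
 * every value is a count of days, -1 means the attribute is unset. */
struct shadow_attrs {
    long last_change; /* shadowLastChange: days since 1970-01-01 */
    long min;         /* shadowMin */
    long max;         /* shadowMax */
    long warn;        /* shadowWarning */
    long inactive;    /* shadowInactive */
    long expire;      /* shadowExpire: days since 1970-01-01 */
};

enum shadow_status { SH_OK, SH_WARN, SH_PW_EXPIRED, SH_INACTIVE, SH_ACCT_EXPIRED };

/* The attributes have day resolution, so a clock in seconds is truncated. */
long days_since_epoch(time_t now) { return (long)(now / 86400); }

/* Client-side check in the style of shadow(5) (assumed boundaries); the
 * directory server does not perform it on bind. */
enum shadow_status shadow_check(const struct shadow_attrs *s, time_t now)
{
    long today = days_since_epoch(now);

    if (s->expire >= 0 && today >= s->expire)
        return SH_ACCT_EXPIRED;
    if (s->last_change < 0 || s->max < 0)
        return SH_OK;                      /* no password ageing configured */

    long pw_end = s->last_change + s->max; /* last day the password is valid */
    if (today > pw_end) {
        if (s->inactive >= 0 && today > pw_end + s->inactive)
            return SH_INACTIVE;
        return SH_PW_EXPIRED;              /* must change password at login */
    }
    if (s->warn >= 0 && today > pw_end - s->warn)
        return SH_WARN;
    return SH_OK;
}

int main(void)
{
    /* Constructed sample entry: changed on day 19000, 90-day maximum. */
    struct shadow_attrs u = { 19000, 0, 90, 7, 14, 19500 };
    time_t now = (time_t)19095 * 86400 + 3600; /* one hour into day 19095 */
    printf("status=%d\n", shadow_check(&u, now));
    return 0;
}
```

An application that authenticates users with an LDAP bind would call a check like this after the bind succeeds and refuse the session on anything other than `SH_OK` or `SH_WARN`.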