
Re: Best multi-password password changing setup



On Thursday 11 October 2007 22:34:33 Kurt Zeilenga wrote:
> On Oct 11, 2007, at 1:05 PM, Buchan Milne wrote:
>
> The OpenLDAP-specific solution would be to write modules that,
> after update of a directory password, would update whatever other
> systems you want updated.

As discussed in the first email in this thread, the combination of modules 
(ppolicy, smbk5passwd) is not more than the sum of the two parts. Thus, 
password expiry times aren't updated in the samba-specific attributes (only 
the password, and time of last password change) or heimdal-specific 
attributes.

So, the OpenLDAP-specific solution I had in mind was one of:
- ppolicy, on seeing smbk5passwd has also changed sambaNTPassword and krb5Key,
  updates sambaPwdMustChange and krb5PasswordEnd according to the same policy
or
- smbk5passwd, on seeing pwdChangedTime being updated, assumes the times for
  sambaPwdMustChange and krb5PasswordEnd should be the same, and sets them.
or
- a third module, which applies the time in pwdChangedTime to
  sambaPwdMustChange and krb5PasswordEnd if sambaNTPassword or krb5Key have
  changed.

I'm happy to try and assist in implementing whichever of the 3 options is 
preferable ...

Regards,
Buchan
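
An added sketch of the logic behind the third option above; it is not part of the original message and is not OpenLDAP or smbk5passwd code. It assumes the expiry is pwdChangedTime plus the ppolicy pwdMaxAge, that sambaPwdMustChange holds Unix seconds and krb5PasswordEnd holds a GeneralizedTime; the function names and the dict-based entry representation are hypothetical.

```python
from datetime import datetime, timedelta, timezone

PASSWORD_ATTRS = ("sambaNTPassword", "krb5Key")


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime ('...Z'), dropping any fraction."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime: %r" % value)
    whole = value[:-1].split(".")[0]
    parsed = datetime.strptime(whole, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def expiry_mods(old, new, pwd_max_age):
    """Return {attribute: value} to write after a password change.

    old, new    -- entry before/after the change (attribute -> single value)
    pwd_max_age -- seconds, from the applicable pwdMaxAge (assumption)
    An empty dict means nothing to sync: no Samba/Kerberos credential
    changed, pwdChangedTime is absent, or the policy sets no expiry.
    """
    changed = [a for a in PASSWORD_ATTRS
               if a in new and new.get(a) != old.get(a)]
    if not changed or "pwdChangedTime" not in new or pwd_max_age <= 0:
        return {}
    expires = (parse_generalized_time(new["pwdChangedTime"])
               + timedelta(seconds=pwd_max_age))
    mods = {}
    if "sambaNTPassword" in changed:
        # Samba attribute: integer seconds since the Unix epoch
        mods["sambaPwdMustChange"] = str(int(expires.timestamp()))
    if "krb5Key" in changed:
        # Heimdal attribute: GeneralizedTime in UTC
        mods["krb5PasswordEnd"] = expires.strftime("%Y%m%d%H%M%SZ")
    return mods


if __name__ == "__main__":
    # Constructed sample entry; the hash and key values are placeholders.
    before = {"sambaNTPassword": "OLD-HASH", "krb5Key": "OLD-KEY"}
    after = {"sambaNTPassword": "NEW-HASH", "krb5Key": "NEW-KEY",
             "pwdChangedTime": "20071011203433Z"}
    print(expiry_mods(before, after, 90 * 86400))
```
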