Re: Password expiration question (ppolicy and smbk5wpd interaction)

[Howard Chu <hyc@symas.com>]

Pat Riehecky wrote:
> Like many before me I would love to get the smbk5pwd module up and
> running, but I have a question.
>
> In OpenLDAP 2.4.7:
> If I set a password expiration time up (with ppolicy), and the user's
> password expires, does it lock the Heimdal, Samba, and ldap passwords?

No. The smbk5pwd overlay doesn't know about ppolicy, and vice versa. smbk5pwd 
could be patched to look for the ppolicy expiration, of course.

> On the flip side, if I set a password expiration time up (with
> smbk5pwd), and the user's password expires, does it lock the Heimdal,
> Samba, and ldap passwords?

Likewise, no.

> Or perhaps more to the point, what can I do to keep all three of these
> passwords either all valid or all expired at the same time?

Extend the smbk5pwd code to synchronize their different policy attributes, and 
submit your patch to the ITS.

> The documentation is a bit vague on this one point, and the archives
> left me still in confusion.....

The documentation states exactly what the overlay will manage. Anything that 
isn't described is clearly not going to be managed.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/