Re: migrating from (old) /etc/shadow to LDAP
Simone Piccardi wrote:
On 22/09/2011 16:10, Christopher Wood wrote:
Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)
This, at least for Debian Stable and Ubuntu LTS, has an important
shortcoming: it does not update shadowLastChange on password change. So
if you set a password expiration they will stay expired forever.
Not a major shortcoming. If you're actually using LDAP then you should set
expiration using ppolicy and not using shadow attributes at all.
It can be made to work with a patched smbk5pwd overlay in the openldap
server, but that's not present in Debian or Ubuntu.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
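
An added example, not part of the original message and not code from any project named in the thread: a small check that the passwd, group and shadow entries in an nsswitch.conf list "compat ldap" as quoted above. The function names, the constructed sample files and the decision to flag ldap listed ahead of compat are assumptions made for this illustration.

```python
import re

REQUIRED_DBS = ("passwd", "group", "shadow")  # databases named in the thread
REQUIRED_SOURCES = ("compat", "ldap")         # lookup order quoted in the thread

# Constructed sample inputs, not taken from any real host.
SAMPLE_OK = """\
# /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
"""
SAMPLE_BAD = """\
passwd: compat ldap   # fine
group:  compat
shadow: ldap compat
"""

def parse_nsswitch(text):
    """Return {database: [source, ...]} parsed from nsswitch.conf text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop actions such as [NOTFOUND=return]
        table[db.strip()] = rest.split()
    return table

def check_ldap_lookups(text):
    """Return a list of problems; an empty list means every entry matches."""
    table = parse_nsswitch(text)
    problems = []
    for db in REQUIRED_DBS:
        sources = table.get(db)
        if sources is None:
            problems.append(f"{db}: no entry")
            continue
        missing = [s for s in REQUIRED_SOURCES if s not in sources]
        if missing:
            problems.append(f"{db}: missing {' '.join(missing)}")
        elif sources.index("compat") > sources.index("ldap"):
            # Assumption: enforce the order exactly as quoted in the thread.
            problems.append(f"{db}: ldap listed before compat")
    return problems

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_ldap_lookups(sample) or "all entries match")
```
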