[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: migrating from (old) /etc/shadow to LDAP

On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:
> On 22/09/2011 16:10, Christopher Wood wrote:
> >Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)
> This, at least for Debian Stable and Ubuntu LTS has an important
> shortcoming, it does not update shadowLastChange on password change.
> So if you set a password expiration they will stay expired forever.

This depends where passwords are maintained. Certainly in your case it sounds like the authoritative password copy is maintained in the directory.
> It can be made working with a patched smbk5pwd overlay in the
> openldap server, but that's not present in Debian or Ubuntu.
> Simone
> -- 
> Simone Piccardi                                 Truelite Srl
> piccardi@truelite.it (email/jabber)             Via Monferrato, 6
> Tel. +39-347-1032433                            50142 Firenze
> http://www.truelite.it  Tel. +39-055-7879597    Fax. +39-055-7333336