
shadow accounts



Hi,

I wanted to get some more detail on shadow accounts. From looking
at the archives, I see:

 struct spwd {
	char *sp_namp;   /* user login name (uid) */
	char *sp_pwdp;   /* encrypted password (userpassword) */
	long sp_lstchg;  /* last password change (shadowLastChange) */
	int  sp_min;     /* days until change allowed (shadowMin) */
	int  sp_max;     /* days before change required (shadowMax) */
	int  sp_warn;    /* days warning for expiration (shadowWarning) */
	int  sp_inact;   /* days before account inactive (shadowInactive) */
	int  sp_expire;  /* date when account expires (shadowExpire) */
	int  sp_flag;    /* reserved for future use (shadowFlag) */
 };

My question is: what are the values in sp_expire, min, max and
so on? Are they seconds, or an actual number of days? I understand these
values to map to nis.schema values such as shadowExpire and so on.
These appear to be of type 'EQUALITY integerMatch'. Does this mean I can't
do less-than and greater-than operations, only equality? I wasn't
sure what 'EQUALITY integerMatch' incorporated. I am still looking at
the RFCs, but haven't really found what I am looking for. Unfortunately,
I don't have access to a system that tells me more about the structure
spwd - only what I have found in the archives. On a Tru64 system, the
structure similar to this would use seconds, not days, so you could
disable at a certain time on a day (if you expire or inactive).

Also, does the CLI, like ldapsearch/add/mod/..., respect these values? As an
example, if I had the password for an id expired or set inact to 1 (is
this how you make it inactive?), would ldapsearch fail if I authenticated
against this id to do my search?

Thanks,
Cheers,
Douglas
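
Added example, not part of the original message: a small C evaluator showing how the numeric fields of the struct above combine into an account state. It assumes the Linux shadow(5) convention (all values are day counts, sp_lstchg and sp_expire are days since 1970-01-01, -1 means unset); the struct name, enum, boundary choices and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Added example. Mirrors the numeric fields of the struct spwd quoted above.
 * Assumption (Linux shadow(5) convention): every value is a count of days,
 * lstchg and expire are days since 1970-01-01, and -1 means "not set". */
struct shadow_age { long lstchg, min, max, warn, inact, expire; };

enum shadow_state { SH_OK, SH_WARN, SH_MUST_CHANGE, SH_PW_EXPIRED,
                    SH_PW_INACTIVE, SH_ACCT_EXPIRED };

/* Convert a time_t in seconds to the day count the shadow fields use. */
long days_since_epoch(time_t t) { return (long)(t / 86400); }

/* Classify an entry as of day `today`; boundary choices are this example's. */
enum shadow_state shadow_eval(const struct shadow_age *s, long today)
{
    if (s->expire > 0 && today >= s->expire)
        return SH_ACCT_EXPIRED;            /* absolute account expiry date */
    if (s->lstchg == 0)
        return SH_MUST_CHANGE;             /* forced change at next login */
    if (s->lstchg < 0 || s->max < 0)
        return SH_OK;                      /* password aging not configured */
    long pw_end = s->lstchg + s->max;      /* last day the password is valid */
    if (today > pw_end) {
        if (s->inact >= 0 && today > pw_end + s->inact)
            return SH_PW_INACTIVE;         /* grace period used up */
        return SH_PW_EXPIRED;              /* expired, still inside grace */
    }
    if (s->warn > 0 && today >= pw_end - s->warn)
        return SH_WARN;                    /* inside the warning window */
    return SH_OK;
}

/* Constructed sample entries (not taken from any real directory). */
const struct shadow_age sample_aging = { 19000, 0, 90, 7, 14, -1 };
const struct shadow_age sample_dated = { 19000, 0, 90, 7, 14, 19050 };

int main(void)
{
    long today = days_since_epoch(time(NULL));
    printf("today=%ld state=%d\n", today, shadow_eval(&sample_aging, today));
    return 0;
}
```

In this model sp_inact is a grace period counted in days after the password expires, and sp_expire is an absolute day number that applies regardless of password age.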