Re: Active Directory Password Cache
On Tue, Aug 07, 2007 at 08:50:37AM +0200, Buchan Milne wrote:
>
> Would it not be better to just use the smbk5pwd overlay as well ?
>
smbk5pwd hooks into the PasswordModify extended operation while adpwc
hooks into bind. So both address different situations.
>
> Would it be possible to apply password expiry (using the local password policy
> via ppolicy) as well ?
>
Since adpwc does not perform pwdModify exop, I expect ppolicy to fail at
least some of its features.
>
> Would it not be possible to use a non-default realm ?
>
The overlay uses the krb(5)PrincipalName as given in the user object.
If it includes a realm, that is used.
>
> Finally, would it be possible to provide any information on what is required
> on the AD side for this to work (I assume some account for the OpenLDAP
> server to use)?
>
The current design intentionally has absolutely no requirements on the AD side.
The overlay does no server authentication.
Regards,
Sebastian