[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: migrating from (old) /etc/shadow to LDAP

To: Simone Piccardi <piccardi@truelite.it>
Subject: Re: migrating from (old) /etc/shadow to LDAP
From: Howard Chu <hyc@symas.com>
Date: Fri, 23 Sep 2011 04:20:38 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <4E7C5D25.1040008@truelite.it>
References: <1316552249.7492.8.camel@inca.fmed.uba.ar> <20110920231818.GA9425@iniquitous.lan> <1316602294.20463.8.camel@inca.fmed.uba.ar> <20110921141645.GA11869@iniquitous.lan> <1316688650.26247.9.camel@inca.fmed.uba.ar> <20110922141059.GA14997@iniquitous.lan> <4E7C5D25.1040008@truelite.it>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110612 Firefox/7.0a1 SeaMonkey/2.4a1

Simone Piccardi wrote:

On 22/09/2011 16:10, Christopher Wood wrote:

Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)


This, at least for Debian Stable and Ubuntu LTS has an important
shortcoming, it does not update shadowLastChange on password change. So
if you set a password expiration they will stay expired forever.

Not a major shortcoming. If you're actually using LDAP then you should setexpiration using ppolicy and not using shadow attributes at all.

It can be made working with a patched smbk5pwd overlay in the openldap
server, but that's not present in Debian or Ubuntu.

Simone


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Simone Piccardi <piccardi@truelite.it>

References:
- migrating from (old) /etc/shadow to LDAP
  - From: Gerardo Herzig <gherzig@fmed.uba.ar>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Christopher Wood <christopher_wood@pobox.com>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Gerardo Herzig <gherzig@fmed.uba.ar>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Christopher Wood <christopher_wood@pobox.com>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Gerardo Herzig <gherzig@fmed.uba.ar>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Christopher Wood <christopher_wood@pobox.com>
- Re: migrating from (old) /etc/shadow to LDAP
  - From: Simone Piccardi <piccardi@truelite.it>

Prev by Date: Re: rwm + cn=config
Next by Date: Re: migrating from (old) /etc/shadow to LDAP
Index(es):
- Chronological
- Thread