On Tue, 2006-12-05 at 13:31 -0500, Kyle Tucker wrote:
> The problem we had with using the shadow attributes is that not
all
> platforms honor them (I don't recall seeing Solaris update
> shadowLastChange).
Well that's unsettling. I'd have thought the nss_ldap would provide
adherence to RFC2307, where I believe shadowAccount to be outlined,
across platforms. And I'd have thought Solaris to support it foremost.
My implementations have been all Linux, but I know what I am going to
test next.
I was testing in conjunction with password policies enforced by the
directory since I don't consider using the shadow attributes a full-
proof means of handling password aging (nothing to stop the user from
updating shadowLastChange if they don't feel like changing their
password every x days). IIRC, Solaris wanted every account to be a
shadowAccount, but it didn't seem to care about any of the values that
shadow provides. Maybe it ignores shadow if their is a password policy
in place...
All of the platforms I've tested (RHEL 3, RHEL 4, Solaris 8/9, and Irix)
were happy with the password policies enforced by the directory.
-Steve