PAM should honor the Fedora DS password policy, so I don't think
you
need the shadow stuff anymore.
I agree with Rich.
Also, in my testing I found that Solaris 8 native LDAP clients ignore
the shadow attributes, which meant the shadow method is useless for my
particular situation.
Richard Megginson wrote:
Jason Russler wrote:
> Hi all,
> I imported our Unix/Linux password and shadow files into FDS recently
> (using LdapImport.pl) and I'm trying to figure out the difference or
> conflicts between the shadowaccount object class attributes
> (shdowmax, shadowwarning etc.) and the passwordexpiriationtime and
> passwordexpiredwarned etc. attributes that I assume come from the
> Password policy settings features of the directory.
>
> I'm having trouble getting inconsistent results when expiring
> accounts to test whether or not the PAM ldap client (on RedHat
> Enterprise 4 systems) weighs one set of attributes more more over the
> other or even cares about them at all. Does anyone have experience
> with the PAM clients and the directory's password policy settings vs.
> the shadowaccount attributes? Should I quit using the password and
> password expiration features and just use the shadowaccount
> attributes or ditch the shadowaccount object class altogether?
>
> If PAM will honor the password expiration policy then I may just
> write a little something to set the policy attributes from the shadow
> attributes of the imported files and then remove shadowaccount OC
> altogether. Any thoughts?
PAM should honor the Fedora DS password policy, so I don't think you
need the shadow stuff anymore.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users