On 04/11/2011 01:16 PM, Pierre Carrier wrote:
> Hello Stephen,
>
> On 11 Apr 2011, at 17:26, Stephen Gallagher wrote:
>> I have a question, first. Does Active Directory ALWAYS use this attribute, or can shadowLastChange also exist? If they can both exist, which one should be the primary for best compatibility (i.e. does AD define that one of them should overrule the other?)
>
> You can definitely at least choose to create shadow* attributes yourself, obviously.
> shadowLastChange _is_ defined on: http://msdn.microsoft.com/en-us/library/ms679790(v=vs.85).aspx
> [MS-ADTS] does not seem to enforce the existence of pwdLastSet, but it has FLAG_ATTR_IS_CRITICAL.
>
> I'd go with:
> - if shadowLastChange is here, use it
> - if not, if pwdLastChanged is here, use it
> - if not, fail miserably
>
>> Please suppress whitespace on empty lines. It's very painful for those of us with editors that highlight this in red :)
>
> Sorry, it even happens to be the case in my usual vim.
>
>> I note also that your calculation was wrong, because it was dealing in nanoseconds, but pwdLastSet is a count of HUNDRED nanosecond blocks.
>
> I have to admit I stole this from nss_ldap, where it is not documented either.
> I'm surprised they made this mistake, I'll make sure to fix this.
>
>> Finally, your assignment to the 'days' variable (which is a long) from an action involving two long long variables is risky. It would be wiser for 'days' to be a long long which you then test for whether it exceeds LONG_MAX.
>
> I'll fix this too.
> You can expect a new patch soon :)

Actually, upon further thought, it's probably a bad idea to use ldap_pwd_policy = shadow at all here.
It would make much more sense to implement a new policy type and handle this there.
So we would want ldap_pwd_policy = ad.
Then we wouldn't be doing any of this hacking around shadowLastChange either (and in the future we can expand password policy support to any other available attributes).
-- Stephen Gallagher RHCE 804006346421761
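The pwdLastSet conversion the review above discusses, as an added example in C that is not part of the patch under review or of SSSD: it divides by 10,000,000 (100-nanosecond intervals, not nanoseconds), rebases from the 1601 FILETIME epoch to the Unix epoch, and keeps the intermediate in long long, checking it against LONG_MAX before returning a value that fits in a long. The function name, constants and the sample pwdLastSet value (midnight UTC on 2011-04-11) are constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* pwdLastSet is a Windows FILETIME: a count of 100-nanosecond intervals
 * since 1601-01-01 00:00:00 UTC. The Unix epoch lies 11644473600 seconds
 * after that. (Names and constants here are constructed for this example,
 * not taken from the patch under review.) */
#define HUNDRED_NS_PER_SEC   10000000LL
#define WIN_TO_UNIX_EPOCH_S  11644473600LL
#define SECS_PER_DAY         86400LL

/* Convert an LDAP pwdLastSet string to days since the Unix epoch, the unit
 * shadowLastChange uses. Returns -1 when the value is unparsable, negative,
 * before 1970 (AD stores 0 to mean "must change at next logon"), or would
 * not fit in a long. Doing the arithmetic in long long and comparing with
 * LONG_MAX is what keeps a 32-bit `long days` from silently truncating. */
long long pwd_last_set_to_days(const char *pwd_last_set)
{
    char *end = NULL;
    errno = 0;
    long long raw = strtoll(pwd_last_set, &end, 10);
    if (errno != 0 || end == pwd_last_set || *end != '\0' || raw < 0)
        return -1;

    /* Divide by 10,000,000 (not 1,000,000,000): the unit is 100 ns. */
    long long secs = raw / HUNDRED_NS_PER_SEC - WIN_TO_UNIX_EPOCH_S;
    if (secs < 0)
        return -1;

    long long days = secs / SECS_PER_DAY;
    if (days > LONG_MAX)   /* only reachable where long is 32 bits */
        return -1;
    return days;           /* now safe to assign to a long */
}
```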