Hello Stephen,
On 11 Apr 2011, at 17:26, Stephen Gallagher wrote:
I have a question, first. Does Active Directory ALWAYS use this attribute, or can shadowLastChange also exist? If they can both exist, which one should be the primary for best compatibility (i.e. does AD define that one of them should overrule the other?)
You can definitely at least choose to create shadow* attributes yourself, obviously.
shadowLastChange _is_ defined on: http://msdn.microsoft.com/en-us/library/ms679790(v=vs.85).aspx
[MS-ADTS] does not seem to enforce the existence of pwdLastSet, but it has FLAG_ATTR_IS_CRITICAL.
I'd go with:
- if shadowLastChange is here, use it
- if not, if pwdLastChanged is here, use it
- if not, fail miserably
Please suppress whitespace on empty lines. It's very painful for those of us with editors that highlight this in red :)
Sorry, it even happens to be the case in my usual vim.
I note also that your calculation was wrong, because it was dealing in
nanoseconds, but pwdLastSet is a count of HUNDRED nanosecond blocks.
I have to admit I stole this from nss_ldap, where it is not documented either.
I'm surprised they made this mistake, I'll make sure to fix this.
Finally, your assignment to the 'days' variable (which is a long) from an action involving two long long variables is risky. It would be wiser for 'days' to be a long long which you then test for whether it exceeds LONG_MAX.
I'll fix this too.
You can expect a new patch soon :)
Yours sincerely,
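
The points raised in this thread (attribute preference order, 100-nanosecond units, and a `long long` intermediate checked against `LONG_MAX`) are put together in the following added example. It is not the patch under discussion or any project's code; the function name `last_change_days`, the errno-style return codes and the rejection of negative values are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC. */
#define TICKS_PER_SEC   10000000LL   /* 1 s / 100 ns */
#define SECS_PER_DAY    86400LL
#define EPOCH_DIFF_DAYS 134774LL     /* days from 1601-01-01 to 1970-01-01 */

/* Parse a decimal attribute value; reject junk, negatives and overflow. */
static int parse_ll(const char *s, long long *out)
{
    char *end;
    long long v;
    if (s == NULL || *s == '\0') return EINVAL;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE) return ERANGE;
    if (*end != '\0' || v < 0) return EINVAL;
    *out = v;
    return 0;
}

/* Hypothetical helper: days since 1970-01-01 of the last password change.
 * A NULL argument means the attribute is absent from the entry. */
int last_change_days(const char *shadow_last_change,
                     const char *pwd_last_set, long *days_out)
{
    long long days, ticks;
    int ret;

    if (shadow_last_change != NULL) {          /* 1st choice: already in days */
        ret = parse_ll(shadow_last_change, &days);
        if (ret != 0) return ret;
    } else if (pwd_last_set != NULL) {         /* 2nd choice: convert ticks */
        ret = parse_ll(pwd_last_set, &ticks);
        if (ret != 0) return ret;
        days = ticks / TICKS_PER_SEC / SECS_PER_DAY - EPOCH_DIFF_DAYS;
        if (days < 0) return ERANGE;           /* earlier than the Unix epoch */
    } else {
        return ENOENT;                         /* neither attribute: fail */
    }
    if (days > LONG_MAX) return ERANGE;        /* would not fit in a long */
    *days_out = (long)days;
    return 0;
}
```
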