Hi, with this patch the LDAP provider check typical attributes which determines the lifetime of a password. If there is more than one scheme available the following order is user: - server side password policies - Kerberos password attributes - shadow attributes Currently only in the case of server side password policies the password can actually be changed. Kerberos password should be changed with the Kerberos backend.

On Wed, Oct 14, 2009 at 07:45:46PM -0400, Simo Sorce wrote: > On Fri, 2009-10-09 at 21:38 +0200, Sumit Bose wrote: > > Hi, > > > > with this patch the LDAP provider check typical attributes which > > determines the lifetime of a password. If there is more than one scheme > > available the following order is user: > > - server side password policies > > - Kerberos password attributes > > - shadow attributes > > Currently only in the case of server side password policies the password > > can actually be changed. Kerberos password should be changed with the > > Kerberos backend. > > The patch seem mostly ok, I have tried it against a freeipa server (so > haven't tested shadow or password control), and found a problem. > > The kerberos expiration time is read as it was in local time. It is not > it is in UTC. This prevented the code from detecting as expired an > account the was just expired, as it thought, wrongly, that the > expiration time was 5 hours in the future (I am GMT-5 here). fixed > > I think the shadow time checks may have a similar problem, but they use > a different method to test for expiration so I am not entirely sure, > please check that too. I have adopted the calulations from pam_unix so it should be safe. > > So NACK until this is fixed. > > Patch also need to be rebased as option definitions have been moved to > ldap_common.c done, new version attached.