Sorry for the delay, I thought I'd replied to this, but I guess I forgot
to send the draft.
On Thu, 2012-06-07 at 15:00 +0200, Angel Bosch wrote:
> ----- Original Message -----
> > You should be able to configure this using:
> > ldap_pwd_policy = shadow
> thanks, there was a little typo in my config.
> can you explain how these attributes are interpreted?

They just allow you to specify which attribute in LDAP represents this
attribute for "shadow".

> now I only get two states from the point of view of user: user can log in or user
> I don't get any warning about expiration or any chance to change expired passwords.
> I've opened a bug regarding info on lightdm package because I think it is the client's job to
> understand pam messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013

Yeah, that's likely the case. We mainly test with GDM, which does
support the PAM conversation properly. One thing you can try is directly
logging in on the console (ctrl-alt-f2) or via SSH. If those both warn
you appropriately, it's a lightdm bug. If they don't, something else is
wrong. (Please try both, SSH has some gotchas in configuration that make
it easy for just it to be wrong where other login mechanisms are

> but I wonder if there's another approach to shadow management.

We've been considering adding support for retrieving the shadow map, but
in general we consider it best for our users to properly configure their
server-side policies instead. After all, client-side security... isn't.

> also, I would like to know if there's any way to configure
> Firefox/Chrome in Linux to honour pam credentials, just as it does in Windows with NTLM

This is actually done through Kerberos, and yes Firefox and Chrome can
be configured to honor this (and apache can be configured with
mod_auth_krb5 to respect it). For an example, take a look at the FreeIPA
project. That's how they manage SSO to their administrative web
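
For the question in the thread about how the shadow attributes are interpreted, an added example (not from the thread and not SSSD's code): a simplified shadow(5)-style evaluation of the RFC 2307 attributes, showing the intermediate states (warning, forced change) that a login client has to relay through the PAM conversation. The entries and dates are constructed, and the handling of boundary days is an assumption.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def _days(entry, attr):
    """Read an RFC 2307 shadow attribute as int; absent or negative means disabled."""
    raw = entry.get(attr)
    if raw is None or raw == "":
        return None
    value = int(raw)
    return value if value >= 0 else None

def shadow_state(entry, today):
    """Return (state, days_left) for an LDAP entry under shadow(5)-style aging.

    States: ok, warn, must_change, locked, account_expired.
    days_left is set only for "warn".
    """
    now = (today - EPOCH).days
    last = _days(entry, "shadowLastChange")
    max_age = _days(entry, "shadowMax")
    warn = _days(entry, "shadowWarning")
    inactive = _days(entry, "shadowInactive")
    expire = _days(entry, "shadowExpire")

    if expire is not None and now >= expire:
        return ("account_expired", None)
    if last == 0:
        return ("must_change", None)       # change forced at next login
    if last is None or max_age is None:
        return ("ok", None)                # no aging data: nothing to enforce
    expires_on = last + max_age
    if now > expires_on:
        if inactive is not None and now > expires_on + inactive:
            return ("locked", None)        # grace period over, login refused
        return ("must_change", None)       # login allowed only to set a new password
    if warn and expires_on - now <= warn:
        return ("warn", expires_on - now)  # should reach the user as a PAM text message
    return ("ok", None)

if __name__ == "__main__":
    today = date(2012, 6, 7)
    now = (today - EPOCH).days
    # Constructed entries, not taken from the thread.
    samples = {
        "warning": {"shadowLastChange": str(now - 87), "shadowMax": "90", "shadowWarning": "7"},
        "expired": {"shadowLastChange": str(now - 95), "shadowMax": "90", "shadowInactive": "14"},
    }
    for name, entry in samples.items():
        print(name, shadow_state(entry, today))
```

A client that only distinguishes success from failure collapses "warn" into "ok" and "must_change" into a refused login, which matches the two-state behaviour reported above.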