[Fedora-directory-users] Shadow account vs. password policy
Jason Russler
jrussler at helix.nih.gov
Fri May 19 13:35:37 UTC 2006
Hi all,
I imported our Unix/Linux password and shadow files into FDS recently
(using LdapImport.pl) and I'm trying to figure out the difference or
conflicts between the shadowaccount object class attributes (shdowmax,
shadowwarning etc.) and the passwordexpiriationtime and
passwordexpiredwarned etc. attributes that I assume come from the
Password policy settings features of the directory.
I'm having trouble getting inconsistent results when expiring accounts
to test whether or not the PAM ldap client (on RedHat Enterprise 4
systems) weighs one set of attributes more more over the other or even
cares about them at all. Does anyone have experience with the PAM
clients and the directory's password policy settings vs. the
shadowaccount attributes? Should I quit using the password and password
expiration features and just use the shadowaccount attributes or ditch
the shadowaccount object class altogether?
If PAM will honor the password expiration policy then I may just write a
little something to set the policy attributes from the shadow attributes
of the imported files and then remove shadowaccount OC altogether. Any
thoughts?
More information about the Fedora-directory-users
mailing list