[Fedora-directory-users] SSH login and pwd expiration message
Stephen C. Rigler
srigler at marathonoil.com
Tue Dec 5 18:45:47 UTC 2006
On Tue, 2006-12-05 at 13:31 -0500, Kyle Tucker wrote:
> > The problem we had with using the shadow attributes is that not all
> > platforms honor them (I don't recall seeing Solaris update
> > shadowLastChange).
>
> Well that's unsettling. I'd have thought the nss_ldap would provide
> adherence to RFC2307, where I believe shadowAccount to be outlined,
> across platforms. And I'd have thought Solaris to support it foremost.
> My implementations have been all Linux, but I know what I am going to
> test next.
I was testing in conjunction with password policies enforced by the
directory since I don't consider using the shadow attributes a full-
proof means of handling password aging (nothing to stop the user from
updating shadowLastChange if they don't feel like changing their
password every x days). IIRC, Solaris wanted every account to be a
shadowAccount, but it didn't seem to care about any of the values that
shadow provides. Maybe it ignores shadow if their is a password policy
in place...
All of the platforms I've tested (RHEL 3, RHEL 4, Solaris 8/9, and Irix)
were happy with the password policies enforced by the directory.
-Steve
More information about the Fedora-directory-users
mailing list