Howard Chu wrote: > [email protected] wrote: >> [email protected] wrote: >>> I'd rather argue that for >>> Samba 3 'sambaPwdLastSet' should be set. >> >> Uumpf! This is already set. Sorry for the noise. >> >>> 'shadowLastChange' is rather a POSIX account attribute which from my >>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope >>> could be >>> extended... >> >> But still it's the question whether we want to have this functionality >> for >> various password-related attribute all in on overlay or whether there >> should >> be distinct overlays for each account type (posixAccount/shadowAccount, >> sambaSAMAccount, Kerberos user). > > shadowAccount is deprecated. LDAP ppolicy already provides a > pwdChangedTime attribute.
While I agree that slapo-ppolicy is the better solution in the long run I see no reason why to not set both attributes at the server's side to make older LDAP clients happy. > Ultimately both Kerberos and Samba will just be using LDAP ppolicy. Yes. But there is indeed a real need for a solution in the meantime... Ciao, Michael.
