Michael Ströder wrote:
> Howard Chu wrote:
>> [email protected] wrote:
>>> [email protected] wrote:
>>>> I'd rather argue that for
>>>> Samba 3 'sambaPwdLastSet' should be set.
>>>
>>> Uumpf! This is already set. Sorry for the noise.
>>>
>>>> 'shadowLastChange' is rather a POSIX account attribute which from my
>>>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope
>>>> could be extended...
>>>
>>> But still it's the question whether we want to have this functionality
>>> for various password-related attributes all in one overlay or whether
>>> there should be distinct overlays for each account type
>>> (posixAccount/shadowAccount, sambaSAMAccount, Kerberos user).
>>
>> shadowAccount is deprecated. LDAP ppolicy already provides a
>> pwdChangedTime attribute.
>
> While I agree that slapo-ppolicy is the better solution in the long run I see
> no reason why to not set both attributes at the server's side to make older
> LDAP clients happy.

This is not a realistic use case. smbk5pwd was written starting in 2004; pam_ldap started supporting LDAP password policy long before then. Anyone running LDAP clients (pam_ldap, nss_ldap) older than that has far worse problems to worry about.

>> Ultimately both Kerberos and Samba will just be using LDAP ppolicy.
>
> Yes. But there is indeed a real need for a solution in the meantime...

Yes, in the meantime both Heimdal and Samba use the smbPwdLastSet attribute which is already taken care of.

This ITS will be closed.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
