On Tue, Aug 07, 2007 at 08:50:37AM +0200, Buchan Milne wrote:

> Would it not be better to just use the smbk5pwd overlay as well?

smbk5pwd hooks into the PasswordModify extended operation while adpwc hooks into bind. So both address different situations.

> Would it be possible to apply password expiry (using the local password
> policy via ppolicy) as well?

Since adpwc does not perform pwdModify exop, I expect ppolicy to fail at least some of its features.

> Would it not be possible to use a non-default realm?

The overlay uses the krb(5)PrincipalName as given in the user object. If it includes a realm, that is used.

> Finally, would it be possible to provide any information on what is required
> on the AD side for this to work (I assume some account for the OpenLDAP
> server to use)?

The current design intentionally has absolutely no requirements on the AD side. The overlay does no server authentication.

Regards,
Sebastian
