On 04/10/2011 08:29 AM, Pierre Carrier wrote:
> Documented on http://msdn.microsoft.com/en-us/library/cc220785(v=prot.10).aspx
>
> Introduced in nss_ldap 208:
>   * add support for native Active Directory password
>     policy attributes (enabled if shadowLastChange is
>     mapped to pwdLastSet)
> ---

First of all, thank you very much for your contribution! I have a few minor corrections, but we'll get this upstream very soon.

I have a question, first. Does Active Directory ALWAYS use this attribute, or can shadowLastChange also exist? If they can both exist, which one should be the primary for best compatibility (i.e. does AD define that one of them should overrule the other?)

Manpage rephrase:

    When using ldap_pwd_policy=shadow, this parameter contains the name
    of an LDAP attribute corresponding to the Active Directory pwdLastSet
    attribute. If the ldap_user_shadow_last_change attribute does not
    exist on the server, it will fall back to using
    ldap_user_ads_last_change.

Please suppress whitespace on empty lines. It's very painful for those of us with editors that highlight this in red :)

In ads_pwdlastset_to_shadowpw_days(), please add a comment explaining the conversion to days. (Identify that the time is a count of 100ns periods since 1601).

Please also change the actual conversion so that it reads more easily. i.e., instead of

    days = ll / 864000000000LL - 134774LL

use:

    /* pwdLastSet uses 100ns slices */
    #define HUNDRED_NS_PER_DAY ((24LL * 60LL * 60LL * 1000000000LL) / 100LL)

    /* Days from January 1, 1601 to January 1, 1970 */
    #define AD_DAYS_BEFORE_THE_EPOCH 134774LL

    days = (ll / HUNDRED_NS_PER_DAY) - AD_DAYS_BEFORE_THE_EPOCH

I note also that your calculation was wrong, because it was dealing in nanoseconds, but pwdLastSet is a count of HUNDRED nanosecond blocks.

Finally, your assignment to the 'days' variable (which is a long) from an action involving two long long variables is risky. It would be wiser for 'days' to be a long long which you then test for whether it exceeds LONG_MAX.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
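
The conversion and range check requested in the review above, written out as an added C example (not code from the patch or from SSSD). The function name `pwdlastset_to_shadow_days`, its error codes and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* pwdLastSet counts 100 ns intervals since 1601-01-01 00:00 UTC */
#define HUNDRED_NS_PER_DAY (24LL * 60LL * 60LL * (1000000000LL / 100LL))
/* Days from January 1, 1601 to January 1, 1970 */
#define AD_DAYS_BEFORE_THE_EPOCH 134774LL

/* Hypothetical helper (name and error codes are assumptions).
 * Returns 0 and stores days since 1970-01-01 in *days_out,
 * EINVAL for malformed input, ERANGE for unrepresentable values. */
int pwdlastset_to_shadow_days(const char *value, long *days_out)
{
    char *end = NULL;
    long long ticks, days;

    if (value == NULL || days_out == NULL || *value == '\0')
        return EINVAL;

    errno = 0;
    ticks = strtoll(value, &end, 10);
    if (errno == ERANGE)
        return ERANGE;              /* does not fit in long long */
    if (*end != '\0' || ticks < 0)
        return EINVAL;              /* trailing junk or negative count */

    /* Do the arithmetic in long long, then range-check before narrowing */
    days = ticks / HUNDRED_NS_PER_DAY - AD_DAYS_BEFORE_THE_EPOCH;
    if (days < 0 || days > LONG_MAX)
        return ERANGE;              /* before 1970, or too large for long */

    *days_out = (long)days;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory */
    const char *samples[] = { "116444736000000000", "129468672000000000",
                              "0", "12abc" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long days = -1;
        int rc = pwdlastset_to_shadow_days(samples[i], &days);
        printf("%-20s rc=%d days=%ld\n", samples[i], rc, days);
    }
    return 0;
}
```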