On 10/31/18 3:26 PM, Bartłomiej Solarz-Niesłuchowski wrote:
> On my network we use ldap to "aging" password.
>
> Every user is defined in ldap server (openldap) with 5 attributes:
>
> shadowLastChange: 15308
> shadowInactive: 30
> shadowMin: 0
> shadowMax: 120
> shadowWarning: 30

The shadowAccount concept is broken. You should use OpenLDAP's ppolicy overlay to implement proper password expiry. The advantage is also that password expiry is applied to all uses of LDAP bind and not only with a NSS client.

Ciao, Michael.
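Added example, not part of the message above: a cn=config sketch of a ppolicy default policy that carries over the day-based shadow values quoted in the question as seconds. The suffix dc=example,dc=com, the module{0} and {1}mdb entries, and the ou=policies container are assumptions and must match the local server.

```ldif
# Constructed example. Placeholders: dc=example,dc=com, cn=module{0},
# olcDatabase={1}mdb. ou=policies,dc=example,dc=com is assumed to exist.
# Assumption: OpenLDAP 2.4 also needs the ppolicy schema loaded first;
# 2.5 and later ship it inside the module.

# 1. Load the ppolicy module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# 2. Attach the overlay to the database that holds the user entries.
#    slapd then enforces the policy on every bind and password change,
#    independent of which client performs them.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. Default policy entry. ppolicy ages are in seconds, shadow* in days.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# shadowMin: 0 -> no minimum age between changes
pwdMinAge: 0
# shadowMax: 120 days -> 120 * 86400 s
pwdMaxAge: 10368000
# shadowWarning: 30 days -> 30 * 86400 s
pwdExpireWarning: 2592000
# shadowInactive: 30 has no day-based counterpart in this sketch.
# pwdGraceAuthNLimit counts binds allowed after expiry, not days;
# 0 means an expired password is rejected.
pwdGraceAuthNLimit: 0
# shadowLastChange is not carried over: the overlay maintains the
# operational attribute pwdChangedTime itself on each password change.
```

Passwords set before the overlay was attached may have no pwdChangedTime, so check how expiry behaves for such accounts before relying on it.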
