Jason Russler
2006-May-19 13:35 UTC
[Fedora-directory-users] Shadow account vs. password policy
Hi all,

I imported our Unix/Linux password and shadow files into FDS recently (using LdapImport.pl) and I'm trying to figure out the difference or conflicts between the shadowaccount object class attributes (shadowmax, shadowwarning etc.) and the passwordexpirationtime and passwordexpiredwarned etc. attributes that I assume come from the Password policy settings features of the directory.

I'm having trouble getting inconsistent results when expiring accounts to test whether or not the PAM ldap client (on RedHat Enterprise 4 systems) weighs one set of attributes more over the other or even cares about them at all. Does anyone have experience with the PAM clients and the directory's password policy settings vs. the shadowaccount attributes? Should I quit using the password and password expiration features and just use the shadowaccount attributes or ditch the shadowaccount object class altogether?

If PAM will honor the password expiration policy then I may just write a little something to set the policy attributes from the shadow attributes of the imported files and then remove shadowaccount OC altogether. Any thoughts?
Richard Megginson
2006-May-19 14:18 UTC
Re: [Fedora-directory-users] Shadow account vs. password policy
Jason Russler wrote:
> Hi all,
> I imported our Unix/Linux password and shadow files into FDS recently
> (using LdapImport.pl) and I'm trying to figure out the difference or
> conflicts between the shadowaccount object class attributes (shadowmax,
> shadowwarning etc.) and the passwordexpirationtime and
> passwordexpiredwarned etc. attributes that I assume come from the
> Password policy settings features of the directory.
>
> I'm having trouble getting inconsistent results when expiring accounts
> to test whether or not the PAM ldap client (on RedHat Enterprise 4
> systems) weighs one set of attributes more over the other or even
> cares about them at all. Does anyone have experience with the PAM
> clients and the directory's password policy settings vs. the
> shadowaccount attributes? Should I quit using the password and
> password expiration features and just use the shadowaccount attributes
> or ditch the shadowaccount object class altogether?
>
> If PAM will honor the password expiration policy then I may just write
> a little something to set the policy attributes from the shadow
> attributes of the imported files and then remove shadowaccount OC
> altogether. Any thoughts?

PAM should honor the Fedora DS password policy, so I don't think you need the shadow stuff anymore.

>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
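Jason's plan above (derive the directory's password-policy value from the imported shadow attributes, then drop the shadowAccount object class) as an added example; this is not code from the thread, from LdapImport.pl or from Fedora DS. It assumes the RFC 2307 meaning of shadowLastChange and shadowMax (days since the epoch / days), the shadow convention that a shadowMax of 99999 means "never expires", and that the server lets Directory Manager write passwordExpirationTime directly; the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NO_EXPIRY = 99999  # shadow(5) convention: a shadowMax this large means "never expires"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP generalized time, e.g. 20060817000000Z


def expiration_from_shadow(entry):
    """Turn shadowLastChange + shadowMax (days) into a passwordExpirationTime
    string. Returns None when the shadow data says the password never expires."""
    last, max_days = entry.get("shadowLastChange"), entry.get("shadowMax")
    if last is None or max_days is None:
        return None
    last, max_days = int(last), int(max_days)
    if max_days < 0 or max_days >= NO_EXPIRY:
        return None
    if last == 0:
        # shadowLastChange 0 means "must change at next login": emit a time that is
        # already in the past so the directory treats the password as expired.
        return EPOCH.strftime(GENERALIZED_TIME)
    return (EPOCH + timedelta(days=last + max_days)).strftime(GENERALIZED_TIME)


def ldif_modify(dn, entry):
    """Build one LDIF change record: set passwordExpirationTime (when derivable),
    drop the shadowAccount object class and the shadow* attributes in one atomic
    modify so the entry never violates schema in between."""
    lines = [f"dn: {dn}", "changetype: modify"]
    exp = expiration_from_shadow(entry)
    if exp is not None:
        lines += ["replace: passwordExpirationTime", f"passwordExpirationTime: {exp}", "-"]
    lines += ["delete: objectClass", "objectClass: shadowAccount", "-"]
    for attr in ("shadowLastChange", "shadowMax", "shadowMin", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag"):
        if attr in entry:  # only delete what the entry actually carries
            lines += [f"delete: {attr}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample entries (hypothetical DNs and values, not real directory data).
SAMPLE = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"shadowLastChange": "13287", "shadowMax": "90", "shadowWarning": "7"},
    "uid=svc,ou=People,dc=example,dc=com": {"shadowLastChange": "13287", "shadowMax": "99999"},
    "uid=newhire,ou=People,dc=example,dc=com": {"shadowLastChange": "0", "shadowMax": "90"},
}

if __name__ == "__main__":
    for dn, e in SAMPLE.items():
        print(ldif_modify(dn, e))
```

Run it and feed the printed records to ldapmodify as Directory Manager; entries whose shadow data says "never expires" get no passwordExpirationTime and fall back to whatever the password policy dictates.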
George Holbert
2006-May-19 16:46 UTC
Re: [Fedora-directory-users] Shadow account vs. password policy
> PAM should honor the Fedora DS password policy, so I don't think you
> need the shadow stuff anymore.

I agree with Rich. Also, in my testing I found that Solaris 8 native LDAP clients ignore the shadow attributes, which meant the shadow method is useless for my particular situation.

Richard Megginson wrote:
> Jason Russler wrote:
>> Hi all,
>> I imported our Unix/Linux password and shadow files into FDS recently
>> (using LdapImport.pl) and I'm trying to figure out the difference or
>> conflicts between the shadowaccount object class attributes
>> (shadowmax, shadowwarning etc.) and the passwordexpirationtime and
>> passwordexpiredwarned etc. attributes that I assume come from the
>> Password policy settings features of the directory.
>>
>> I'm having trouble getting inconsistent results when expiring
>> accounts to test whether or not the PAM ldap client (on RedHat
>> Enterprise 4 systems) weighs one set of attributes more over the
>> other or even cares about them at all. Does anyone have experience
>> with the PAM clients and the directory's password policy settings vs.
>> the shadowaccount attributes? Should I quit using the password and
>> password expiration features and just use the shadowaccount
>> attributes or ditch the shadowaccount object class altogether?
>>
>> If PAM will honor the password expiration policy then I may just
>> write a little something to set the policy attributes from the shadow
>> attributes of the imported files and then remove shadowaccount OC
>> altogether. Any thoughts?
> PAM should honor the Fedora DS password policy, so I don't think you
> need the shadow stuff anymore.