Howard Chu wrote:
> Michael Ströder wrote:
>> While I agree that slapo-ppolicy is the better solution in the long run I
>> see no reason why to not set both attributes at the server's side to
>> make older LDAP clients happy.
> This is not a realistic use case. smbk5pwd was written starting in 2004;
> pam_ldap started supporting LDAP password policy long before then.
Yes, pam_ldap supports enforcing the password policy probably by correcty
handling the response controls. Grepping through the source of recent versions
it seems to me it does not read attribute pwdChangedTime nor does nss_ldap.
> Anyone running LDAP clients (pam_ldap, nss_ldap) older than that has far
> worse problems to worry about.
AFAICS nss_ldap cannot deliver the correct value for 'shadowLastChange' when
someone or something invokes a call like this
getent shadow michael
'pwdChangedTime' is of syntax Generalized Time whereas 'shadowLastChange' is
Integer with seconds since epoch. In theory nss_ldap could convert it. But
AFAICs it doesn't. Also if an older client would search for
(shadowLastChange<=<value>) this wouldn't work either.
> This ITS will be closed.
Well, you're the OpenLDAP boss and free to refuse anything you want. But
personally I don't understand your strong objections.