Michael Ströder wrote:
Howard Chu wrote:
michael@stroeder.com wrote:
michael@stroeder.com wrote:
I'd rather argue that for Samba 3 'sambaPwdLastSet' should be set.
Uumpf! This is already set. Sorry for the noise.
'shadowLastChange' is rather a POSIX account attribute which from my understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be extended...
But there is still the question of whether we want to have this functionality for various password-related attributes all in one overlay or whether there should be distinct overlays for each account type (posixAccount/shadowAccount, sambaSAMAccount, Kerberos user).
shadowAccount is deprecated. LDAP ppolicy already provides a pwdChangedTime attribute.
While I agree that slapo-ppolicy is the better solution in the long run, I see no reason not to set both attributes on the server's side to make older LDAP clients happy.
This is not a realistic use case. smbk5pwd was written starting in 2004; pam_ldap started supporting LDAP password policy long before then. Anyone running LDAP clients (pam_ldap, nss_ldap) older than that has far worse problems to worry about.
Ultimately both Kerberos and Samba will just be using LDAP ppolicy.
Yes. But there is indeed a real need for a solution in the meantime...
Yes, in the meantime both Heimdal and Samba use the smbPwdLastSet attribute which is already taken care of.
This ITS will be closed.