On Tue, Aug 07, 2007 at 08:50:37AM +0200, Buchan Milne wrote:
> Would it not be better to just use the smbk5pwd overlay as well?

smbk5pwd hooks into the PasswordModify extended operation while adpwc hooks into bind. So both address different situations.

> Would it be possible to apply password expiry (using the local password policy via ppolicy) as well?

Since adpwc does not perform pwdModify exop, I expect ppolicy to fail at least some of its features.

> Would it not be possible to use a non-default realm?

The overlay uses the krb(5)PrincipalName as given in the user object. If it includes a realm, that is used.

> Finally, would it be possible to provide any information on what is required on the AD side for this to work (I assume some account for the OpenLDAP server to use)?

The current design intentionally has absolutely no requirements on the AD side. The overlay does no server authentication.
Regards,
Sebastian