On Thursday 11 October 2007 22:34:33 Kurt Zeilenga wrote:
On Oct 11, 2007, at 1:05 PM, Buchan Milne wrote:
The OpenLDAP-specific solution would be to write modules that would, after update of a directory password, update whatever other systems you want updated.
As discussed in the first email in this thread, the combination of modules (ppolicy, smbk5passwd) is not more than the sum of the two parts. Thus, password expiry times aren't updated in the samba-specific attributes (only the password, and time of last password change) or heimdal-specific attributes.
So, the OpenLDAP-specific solution I had in mind was one of:
- ppolicy, on seeing smbk5passwd has also changed sambaNTPassword and krb5Key, updates sambaPwdMustChange and krb5PasswordEnd according to the same policy, or
- smbk5passwd, on seeing pwdChangedTime being updated, assumes the times for sambaPwdMustChange and krb5PasswordEnd should be the same, and sets them, or
- a third module, which applies the time in pwdChangedTime to sambaPwdMustChange and krb5PasswordEnd if sambaNTPassword or krb5Key have changed.
I'm happy to try and assist in implementing whichever of the 3 options is preferable ...
Regards, Buchan
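
The logic the third option would need, as an added example that is not part of the original message and not OpenLDAP code: a Python model of the attribute calculation rather than a slapd overlay. It assumes the expiry is pwdChangedTime plus the ppolicy pwdMaxAge (in seconds), that sambaPwdMustChange holds Unix time and krb5PasswordEnd holds GeneralizedTime, and that a pwdMaxAge of 0 means the expiry attributes are removed; the function name `expiry_mods` is hypothetical.

```python
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # GeneralizedTime form used by pwdChangedTime (UTC, no fraction)

# Password attribute -> expiry attribute that should follow it.
EXPIRY_FOR = {
    "sambaNTPassword": "sambaPwdMustChange",  # Unix time, stored as a string
    "krb5Key": "krb5PasswordEnd",             # GeneralizedTime
}

def expiry_mods(modified_attrs, pwd_changed_time, pwd_max_age):
    """Return {attr: new_value or None} for the expiry attributes to update.

    modified_attrs   -- names of attributes changed by the password update
    pwd_changed_time -- new pwdChangedTime value (GeneralizedTime, UTC)
    pwd_max_age      -- ppolicy pwdMaxAge in seconds; 0 means no expiry
    A value of None means "delete the attribute" (assumed convention).
    """
    # LDAP attribute names are case-insensitive.
    touched = {a.lower() for a in modified_attrs}
    targets = [exp for pw, exp in EXPIRY_FOR.items() if pw.lower() in touched]
    if not targets:
        return {}  # neither Samba nor Kerberos secret changed: leave expiry alone
    if pwd_max_age <= 0:
        return {t: None for t in targets}  # policy has no expiry: drop stale values
    changed = datetime.strptime(pwd_changed_time, GT_FMT).replace(tzinfo=timezone.utc)
    expires = changed + timedelta(seconds=pwd_max_age)
    values = {
        "sambaPwdMustChange": str(int(expires.timestamp())),
        "krb5PasswordEnd": expires.strftime(GT_FMT),
    }
    return {t: values[t] for t in targets}

if __name__ == "__main__":
    # Constructed sample: a password change with a 90-day pwdMaxAge.
    print(expiry_mods(["userPassword", "sambaNTPassword", "krb5Key"],
                      "20071011203433Z", 90 * 86400))
```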