Buchan,
pwdutils should perform the exop for you, in addition to the following:
Make use of the chage command to maintain shadowMin, shadowMax, shadowWarning and shadowExpire attributes, assuming your users have shadowAccount.
Update shadow expiry information when the passwd command is executed (the passwd command from pwdutils).
That should help handle shell/PAM authentications.
That doesn't solve your situation with samba/kerberos expirations, but you may be able to wrap passwd with a script and update the appropriate attributes based on the existing shadow attrs.
- Dan White
Buchan Milne wrote:
On Thursday 11 October 2007 20:55:51 Dan White wrote:
Buchan,
You may want to investigate pwdutils:
http://www.thkukuk.de/pam/pwdutils/
The website is a little dated, but the software appears to be more actively maintained at:
ftp://ftp.us.kernel.org/pub/linux/utils/net/NIS
I don't see anything in the current version that would alleviate my problems.
Maybe I was not clear enough. I am not looking for a tool to just change an LDAP password (I use ldappasswd for that currently, and it changes Samba passwords too via the smbk5passwd overlay) or provision accounts to LDAP etc. I am looking for a solution to ensure that, whichever mechanisms I decide to allow for password changes (e.g. LDAP password change exop), all aspects related to the use of that password are updated consistently, for use via simple binds, authentication via Samba/NTLM/MSCHAPv2, and Kerberos. At present I see no means to accomplish this (at most you can get 2/3).
pwdutils seems mostly to be similar in function to what I am currently using smbldap-tools for (but this function will probably be moved to some in-house software).
Regards, Buchan
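
The wrapper idea raised in the thread (deriving the Samba and Kerberos expiry values from the existing shadow attributes), as an added example that is not code from either poster or from pwdutils. It assumes the Samba schema attributes sambaPwdMustChange and sambaKickoffTime, the Heimdal schema attributes krb5PasswordEnd and krb5ValidEnd, and that a shadowMax of -1 or 99999 means "never expires"; the function name is hypothetical and the sample entry is constructed.

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
NO_LIMIT = {-1, 99999}  # assumption: conventional "never expires" values


def _days_to_epoch(days):
    """shadow* attributes count days since 1970-01-01; Samba wants seconds."""
    return days * SECONDS_PER_DAY


def _generalized_time(epoch_seconds):
    """Heimdal's krb5*End attributes use LDAP GeneralizedTime in UTC."""
    stamp = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return stamp.strftime("%Y%m%d%H%M%SZ")


def derive_expiry_attrs(entry):
    """Map shadowAccount values to the Samba/Kerberos attributes to write.

    entry: dict of attribute name -> string, as read from the user's entry.
    Returns only the attributes that can be derived; a caller would put
    them in one LDAP modify so all three views change together.
    """
    out = {}
    last = entry.get("shadowLastChange")
    max_age = entry.get("shadowMax")
    # Password expiry = last change + maximum age, when both are usable.
    if last is not None and max_age is not None and int(max_age) not in NO_LIMIT:
        expires = _days_to_epoch(int(last) + int(max_age))
        out["sambaPwdMustChange"] = str(expires)
        out["krb5PasswordEnd"] = _generalized_time(expires)
    # Account expiry is an absolute day number, independent of the password.
    account_end = entry.get("shadowExpire")
    if account_end is not None and int(account_end) >= 0:
        ends = _days_to_epoch(int(account_end))
        out["sambaKickoffTime"] = str(ends)
        out["krb5ValidEnd"] = _generalized_time(ends)
    return out


if __name__ == "__main__":
    # Constructed sample: password changed 2007-10-11, 90-day maximum age,
    # account valid until 2008-12-31.
    sample = {"shadowLastChange": "13797", "shadowMax": "90",
              "shadowExpire": "14244"}
    for name, value in sorted(derive_expiry_attrs(sample).items()):
        print(f"{name}: {value}")
```
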