On 23/09/2011 14:42, Christopher Wood wrote:
On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:
On 22/09/2011 16:10, Christopher Wood wrote:
Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)
This, at least for Debian Stable and Ubuntu LTS has an important shortcoming, it does not update shadowLastChange on password change. So if you set a password expiration they will stay expired forever.
This depends where passwords are maintained. Certainly in your case it sounds like the authoritative password copy is maintained in the directory.
The problem I'm talking is not about password, they are just in userPassword.
Problem arise form the lack of managament of shadowLastChange in the current version of nslcd, libnss-ldapd, libpam-ldapd, for both Squeeze and Lucid.
It should work if you use the old libpam-ldap.
Simone