Hi!

 

I’m writing a tool that checks the password policy provided by LDAP against the attributes defined in shadowAccount.

For example shadowLastChange vs. pwdChangedTime.

 

For one account I see:

pwdChangedTime: 20240806150232Z

shadowLastChange: 16000

 

(I have no idea where that 16000 came from, but the difference is almost 10 years if I understood it correctly)

 

Sorry for the ignorance, but *who* is expected to update those attributes on password change (assuming UNIX/Linux “passwd” is being used)?

Could it be a permission problem when it isn’t updated?

 

Also it seems to me that the “old LDAP client” is using shadowAccount attributes to display an expiration warning, while the newer sssd seems to use the LDAP password policy attributes instead.

 

The original reason for writing the tool was users complaining that they didn’t get a warning when their password was expired and grace logins were being used (and eventually the account being locked).

 

I have a similar question:

How many failed login attempts (pwdFailureTime) are being stored, and who will remove the attributes? We have a setting that at most 10 bad authentication attempts (pwdMaxFailure) are allowed, and that the failed attempts will be deleted after two weeks (pwdFailureCountInterval).

However, one user has 15 authentication failures recorded, and the first one is like 10 years old.

 

Our platform is Linux (SLES 12/15), BTW.

 

Regards,

Ulrich
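As an added example (not Ulrich's tool), the comparison the question describes in Python: decode shadowLastChange (days since 1970-01-01) next to pwdChangedTime (LDAP GeneralizedTime), and count the pwdFailureTime values that still fall inside pwdFailureCountInterval. It assumes the interval is in seconds, as OpenLDAP ppolicy defines it, and the failure timestamps are constructed sample values; the two password-change values are the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240806150232Z.
    OpenLDAP may store pwdFailureTime with fractional seconds
    (20240806150232.123456Z), so both forms are accepted."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def shadow_last_change_to_date(days: int) -> datetime:
    """shadowLastChange counts whole days since 1970-01-01."""
    return EPOCH + timedelta(days=days)


def expected_shadow_last_change(pwd_changed_time: str) -> int:
    """The shadowLastChange value that would match a given pwdChangedTime."""
    return (parse_generalized_time(pwd_changed_time) - EPOCH).days


def last_change_skew_days(pwd_changed_time: str, shadow_last_change: int) -> int:
    """Positive: ppolicy records the change that many days after the shadow date."""
    return expected_shadow_last_change(pwd_changed_time) - shadow_last_change


def failures_in_interval(pwd_failure_times, interval_seconds: int, now: datetime):
    """pwdFailureTime values newer than now - pwdFailureCountInterval (seconds);
    older entries may still be stored but no longer count toward pwdMaxFailure."""
    window_start = now - timedelta(seconds=interval_seconds)
    return sorted(t for t in map(parse_generalized_time, pwd_failure_times) if t >= window_start)


def would_be_locked(pwd_failure_times, pwd_max_failure: int, interval_seconds: int, now: datetime) -> bool:
    return len(failures_in_interval(pwd_failure_times, interval_seconds, now)) >= pwd_max_failure


# Constructed sample: the two values from the question plus three made-up failure times.
SAMPLE_PWD_CHANGED_TIME = "20240806150232Z"
SAMPLE_SHADOW_LAST_CHANGE = 16000
SAMPLE_FAILURES = ["20140101120000Z", "20240801083000.123456Z", "20240809230000Z"]
SAMPLE_NOW = datetime(2024, 8, 10, tzinfo=timezone.utc)
TWO_WEEKS = 14 * 24 * 3600  # pwdFailureCountInterval of two weeks, in seconds

if __name__ == "__main__":
    print("shadowLastChange decodes to", shadow_last_change_to_date(SAMPLE_SHADOW_LAST_CHANGE).date())
    print("skew in days:", last_change_skew_days(SAMPLE_PWD_CHANGED_TIME, SAMPLE_SHADOW_LAST_CHANGE))
    print("failures still counted:", len(failures_in_interval(SAMPLE_FAILURES, TWO_WEEKS, SAMPLE_NOW)))
    print("would be locked:", would_be_locked(SAMPLE_FAILURES, 10, TWO_WEEKS, SAMPLE_NOW))
```

For the quoted account the decoded shadowLastChange is 2013-10-22, so a matching value would be 19941 rather than 16000.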