Buchan Milne wrote:
Or, you can have one default policy, and override it (by setting the pwdPolicySubentry to the other policy) on all the entries which should not use the default policy. Which one you make the default, you will have to decide.
I am curious how the mechanism of enforcing the policy through various login "points" works. For example ssh, subversion, email and ftp all authenticate to LDAP, via pam. Some people use ssh, all people use email and some people use subversion. Ftp is mostly used by external clients, who have no way of acting upon a password expiration.
Email seems to be the common thing amongst all users whose password "should" expire and who can change it. How can LDAP tell an email client, through pam that the password is about to expire, or has expired? Or does this happen automagically?
Thanks, Jeroen