-----Original Message----- From: Travis Bean tbean74@gmail.com Sent: Thursday, October 31, 2024 3:05 PM To: openldap-technical@openldap.org Subject: [EXT] Re: multi-master OpenLDAP with SASL/GSSAPI
...
I recently replaced libpam-ldap and libnss-ldap with sssd-ldap and sssd-krb5 for LinuxHA, since SSSD is a much better solution for identity and authentication.
As we are running a mix of PAM-LDAP and SSSD, I want to point out that the standard sssd configuration does not update shadowLastChange. So if some client check the shadow attribute, while others check the policy attribute, you may run into inconsistencies unless the configuration is fixed to update the shadow attribute on password change. Obviously ldappasswd never updates the shadow attribute (at least not the version we use ).
Regards, Ulrich ...