On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:
On 22/09/2011 16:10, Christopher Wood wrote:
Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, and ensure you have "compat ldap" as lookups listed in /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far yet.)
This, at least for Debian Stable and Ubuntu LTS has an important shortcoming, it does not update shadowLastChange on password change. So if you set a password expiration they will stay expired forever.
This depends where passwords are maintained. Certainly in your case it sounds like the authoritative password copy is maintained in the directory.
It can be made working with a patched smbk5pwd overlay in the openldap server, but that's not present in Debian or Ubuntu.
Simone
Simone Piccardi Truelite Srl piccardi@truelite.it (email/jabber) Via Monferrato, 6 Tel. +39-347-1032433 50142 Firenze http://www.truelite.it Tel. +39-055-7879597 Fax. +39-055-7333336