Ondřej,
From what I remember, password expiry worked well, BUT users were not warned about the password expiring (they claimed) unless that information was provided via the shadow attribute. Maybe that's due to the fact that we typically use a mixture of local users and LDAP users. Obviously both need some common interface....
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Thursday, May 8, 2025 10:12 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Re: Re: Re: changing password with otp active
On Thu, May 08, 2025 at 05:31:02AM +0000, Windl, Ulrich wrote:
Hi!
The industry has an interest in providing short-lived product cycles, but in an enterprise environment five to 10 years are not uncommon. Also "new" products are usually full of new bugs, and it's not clear whether they are actually better than what had proved stable over many years. There are even rumors that people using vi are still alive 😉 SSSD has advantages when you are aiming towards MS-Windows IMHO, but (for example) the resource footprint is much larger than that of the old PAM or services method.
Currently we still need those for a few systems that aren't upgraded yet.
Hi Ulrich, ppolicy draft 9 was issued 20 years ago in July 2005, draft 10 was issued 16 years ago in 2009. As I mentioned even nslcd (pam-ldap(d)) has supported these for well over a decade. So I'm not sure what sort of system you're trying to make work but either you give up on ppolicy and manage everything yourself or embrace the tools at your disposal. Anything else would require a "new" product usually full of new bugs.
Not even sure how you got it to work with OpenLDAP 2.4 because that's what I hear you implying and it's not like the interfaces have changed in this regard in 2.5/2.6. Perhaps you had some bespoke integration in-house you haven't mentioned that was doing what you suggest and now isn't?
We only know what you choose to share...
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP