Ulrich,
Yes, I already have nis.ldif loaded. What else do you suggest?
Thank you, Liz
From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de Date: Monday, October 24, 2016 at 11:17 PM To: "Real, Elizabeth (392K)" Elizabeth.Real@jpl.nasa.gov, "openldap-technical@openldap.org" openldap-technical@openldap.org Subject: Antw: openldap 2.4.40 ppolicy module and shadowInactive equivalent
"Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.govmailto:Elizabeth.Real@jpl.nasa.gov> schrieb am 24.10.2016 um 20:43 in Nachricht <0C90A104-2EF4-4AA6-8748-05B07154A54D@jpl.nasa.govmailto:0C90A104-2EF4-4AA6-8748-05B07154A54D@jpl.nasa.gov>: Hello, I setup a password policy overlay on my openldap 2.4.40 servers running RHEL7. I need to enforce the following: disable accounts that have been inactive for 180 days. In the past we were able to do this by simply adding the shadowInactive attribute to each account: shadowInactive 180. But with the new openldap, it appears there is no equivalent attribute??
Why didn't you "grep shadowInactive /etc/openldap/schema/*"? It appears in nis.ldif, nis.schema, and rfc2307bis.schema. (I only have SLES11 SP4 here, but there shouldn't be a big difference)
Ulrich
http://www.openldap.org/doc/admin24/ http://www.zytrax.com/books/ldap/ch6/ppolicy.html Thank you, Liz
Ulrich, Yes, I already have nis.ldif loaded. What else do you suggest? Thank you, Liz
From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de Date: Monday, October 24, 2016 at 11:17 PM To: "Real, Elizabeth (392K)" Elizabeth.Real@jpl.nasa.gov, "openldap-technical@openldap.org" openldap-technical@openldap.org Subject: Antw: openldap 2.4.40 ppolicy module and shadowInactive equivalent
"Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.govmailto:Elizabeth.Real@jpl.nasa.gov> schrieb am 24.10.2016 um 20:43 in Nachricht <0C90A104-2EF4-4AA6-8748-05B07154A54D@jpl.nasa.govmailto:0C90A104-2EF4-4AA6-8748-05B07154A54D@jpl.nasa.gov>: Hello, I setup a password policy overlay on my openldap 2.4.40 servers running RHEL7. I need to enforce the following: disable accounts that have been inactive for 180 days. In the past we were able to do this by simply adding the shadowInactive attribute to each account: shadowInactive 180. But with the new openldap, it appears there is no equivalent attribute??
Why didn't you "grep shadowInactive /etc/openldap/schema/*"? It appears in nis.ldif, nis.schema, and rfc2307bis.schema. (I only have SLES11 SP4 here, but there shouldn't be a big difference)
Ulrich
http://www.openldap.org/doc/admin24/ http://www.zytrax.com/books/ldap/ch6/ppolicy.html Thank you, Liz
openldap-technical@openldap.org
-
Real, Elizabeth (392K)