On Tuesday, 3 April 2012 23:16:43 Collins, Cris wrote:
The problem was resolved by adding the following per the nis schema.
statement below was incorrect. shadowLastChange was not updating, as
"getent shadow username" showed me.
access to attrs=shadowLastChange,shadowMax
by dn="cn=Manager,dc=domain,dc=com" write
by self write
by * read
Thank you for your response.
Yes, it will work, for applications that look for shadowAccount attributes.
My approach is to remove ldap from the shadow line of nsswitch.conf, configure
ppolicy on the LDAP server, and ensure PAM is setup correctly to enforce
password expiration via ppolicy.
Then, even if users never login to a shell on a server configured for LDAP,
they will be locked out of all other LDAP-using services (except for WiFi
access points via FreeRADIUS EAP PEAP with MSCHAPv2 against samba attributes,
since even if the samba attributes are updated, FreeRADIUS doesn't currently
seem to respect them).