On 10/31/18 3:26 PM, Bartłomiej Solarz-Niesłuchowski wrote:
> On my network we use LDAP for password "aging".
> Every user is defined in the LDAP server (OpenLDAP) with 5 attributes:
>
> shadowLastChange: 15308
> shadowInactive: 30
> shadowMin: 0
> shadowMax: 120
> shadowWarning: 30

The shadowAccount concept is broken. You should use OpenLDAP's ppolicy
overlay to implement proper password expiry. The advantage is also that
password expiry is applied to all uses of LDAP bind and not only with a
NSS client.
Ciao, Michael.
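
An added example, not part of the original thread or either poster's configuration: a sketch of how the shadowMin, shadowMax and shadowWarning values quoted above could be expressed as an OpenLDAP ppolicy default policy, so that expiry is evaluated by slapd on every bind. The suffix `dc=example,dc=com`, the `ou=policies` container, the `{1}mdb` database and the `cn=module{0}` entry are assumptions; ppolicy takes its intervals in seconds, and shadowInactive is not mapped here.

```ldif
# Constructed example. Apply with ldapmodify; adjust DNs to your deployment.

# 1. Load the ppolicy module (assumes an existing cn=module{0} entry).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# 2. Attach the overlay to the database holding the accounts
#    (assumed to be {1}mdb) and point it at a default policy entry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. The policy entry itself (assumes ou=policies already exists).
#    pwdPolicy is an auxiliary class, so a structural class is needed too.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# shadowMin: 0      -> no minimum age between changes
pwdMinAge: 0
# shadowMax: 120    -> 120 days * 86400 s = 10368000 s
pwdMaxAge: 10368000
# shadowWarning: 30 -> 30 days * 86400 s = 2592000 s
pwdExpireWarning: 2592000
```

With the overlay in place, the password age is tracked by the server in the operational attribute `pwdChangedTime` on each account rather than in a client-interpreted `shadowLastChange` value.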