On Tue, 2006-12-05 at 13:31 -0500, Kyle Tucker wrote: > > The problem we had with using the shadow attributes is that not all > > platforms honor them (I don't recall seeing Solaris update > > shadowLastChange). > > Well that's unsettling. I'd have thought the nss_ldap would provide > adherence to RFC2307, where I believe shadowAccount to be outlined, > across platforms. And I'd have thought Solaris to support it foremost. > My implementations have been all Linux, but I know what I am going to > test next. I was testing in conjunction with password policies enforced by the directory since I don't consider using the shadow attributes a full- proof means of handling password aging (nothing to stop the user from updating shadowLastChange if they don't feel like changing their password every x days). IIRC, Solaris wanted every account to be a shadowAccount, but it didn't seem to care about any of the values that shadow provides. Maybe it ignores shadow if their is a password policy in place... All of the platforms I've tested (RHEL 3, RHEL 4, Solaris 8/9, and Irix) were happy with the password policies enforced by the directory. -Steve
