Hi all, I imported our Unix/Linux password and shadow files into FDS recently (using LdapImport.pl) and I'm trying to figure out the difference or conflicts between the shadowaccount object class attributes (shdowmax, shadowwarning etc.) and the passwordexpiriationtime and passwordexpiredwarned etc. attributes that I assume come from the Password policy settings features of the directory. I'm having trouble getting inconsistent results when expiring accounts to test whether or not the PAM ldap client (on RedHat Enterprise 4 systems) weighs one set of attributes more more over the other or even cares about them at all. Does anyone have experience with the PAM clients and the directory's password policy settings vs. the shadowaccount attributes? Should I quit using the password and password expiration features and just use the shadowaccount attributes or ditch the shadowaccount object class altogether? If PAM will honor the password expiration policy then I may just write a little something to set the policy attributes from the shadow attributes of the imported files and then remove shadowaccount OC altogether. Any thoughts?
