Sorry for the delay, I thought I'd replied to this, but I guess I forgot to send the draft.
On Thu, 2012-06-07 at 15:00 +0200, Angel Bosch wrote:
----- Original Message -----
You should be able to configure this using: ldap_pwd_policy = shadow
thanks, there was a little typo in my config.
:)
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
can you explain how these attributes are interpreted?
They just allow you to specify which attribute in LDAP represents this attribute for "shadow".
now I only get two states from the point of view of the user: the user can log in or the user can't.
I don't get any warning about expiration or any chance to change expired passwords.
I've opened a bug regarding info on the lightdm package because I think it is the client's job to understand PAM messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
Yeah, that's likely the case. We mainly test with GDM, which does support the PAM conversation properly. One thing you can try is directly logging in on the console (ctrl-alt-f2) or via SSH. If those both warn you appropriately, it's a lightdm bug. If they don't, something else is wrong. (Please try both, SSH has some gotchas in configuration that make it easy for just it to be wrong where other login mechanisms are correct).
but I wonder if there's another approach to shadow management.
We've been considering adding support for retrieving the shadow map, but in general we consider it best for our users to properly configure their server-side policies instead. After all, client-side security... isn't.
also, I would like to know if there's any way to configure Firefox/Chrome in Linux to honour PAM credentials, just as it does in Windows with NTLM and Apache.
This is actually done through Kerberos, and yes Firefox and Chrome can be configured to honor this (and apache can be configured with mod_auth_krb5 to respect it). For an example, take a look at the FreeIPA project. That's how they manage SSO to their administrative web interface.
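As an added illustration of the `ldap_pwd_policy = shadow` configuration discussed above (this is not from the original thread, and not SSSD project documentation), here is a minimal sssd.conf showing where the shadow policy switch and the attribute-mapping options sit. The server URI, search base, bind DN, bind password and domain name are assumptions for illustration; the attribute names on the right-hand side are the standard shadowAccount attribute names, which are also SSSD's defaults for these options, so the mapping lines only need to change when the directory stores password aging under different attributes.

```ini
# Added example, not from the original thread or the SSSD project.
# ldap.example.com, dc=example,dc=com, the bind DN/password and the
# domain name "example" are placeholders (assumptions).
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# The bind account must be allowed by the server's ACLs to read the
# shadow* attributes of users; otherwise SSSD cannot evaluate aging.
ldap_default_bind_dn = cn=sssd,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-bind-password

# Evaluate shadowAccount password aging on the client (pam_sss reports
# warnings and expiry through the PAM conversation).
ldap_pwd_policy = shadow

# Map each shadow field to the LDAP attribute that carries it.
# These are the defaults; override only if the schema differs.
ldap_user_shadow_last_change = shadowLastChange
ldap_user_shadow_min = shadowMin
ldap_user_shadow_max = shadowMax
ldap_user_shadow_warning = shadowWarning
ldap_user_shadow_inactive = shadowInactive
ldap_user_shadow_expire = shadowExpire
```

Because this file holds the bind password, keep it owned by root with mode 0600. When checking the warning path over SSH as suggested in the reply, the sshd side must have `UsePAM yes` for PAM conversation messages from pam_sss to reach the client at all.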