On 10/31/18 3:26 PM, Bartłomiej Solarz-Niesłuchowski wrote:
On my network we use LDAP for password "aging".
Every user is defined in the LDAP server (OpenLDAP) with 5 attributes:
shadowLastChange: 15308
shadowInactive: 30
shadowMin: 0
shadowMax: 120
shadowWarning: 30
The shadowAccount concept is broken. You should use OpenLDAP's ppolicy overlay to implement proper password expiry. The advantage is also that password expiry is applied to all uses of LDAP bind and not only with a NSS client.
Ciao, Michael.
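
As an added example (not part of the original thread, and not code from either poster), the following Python shows the dates a shadow-aware NSS/PAM client derives from the quoted entry and renders a ppolicy entry with the same ages in seconds. The policy DN, the `device` structural class and the function names are assumptions chosen for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
DAY = 86400  # ppolicy ages are in seconds; shadow* values are in days

# Values taken from the entry quoted in the thread.
ENTRY = {"shadowLastChange": 15308, "shadowInactive": 30, "shadowMin": 0,
         "shadowMax": 120, "shadowWarning": 30}

def shadow_deadlines(e):
    """Dates a shadow-aware client computes; slapd itself enforces none of them."""
    changed = EPOCH + timedelta(days=e["shadowLastChange"])
    expires = changed + timedelta(days=e["shadowMax"])
    return {
        "changed": changed,
        "warn_from": expires - timedelta(days=e["shadowWarning"]),
        "expires": expires,
        "disabled_after": expires + timedelta(days=e["shadowInactive"]),
    }

def ppolicy_ldif(e, cn="default", base="ou=policies,dc=example,dc=com"):
    """Render a pwdPolicy entry with the same ages. cn/base are placeholders."""
    # shadowInactive is deliberately not converted: ppolicy's grace settings
    # work differently (pwdGraceAuthNLimit counts binds, not days), so that
    # value needs a manual decision.
    return "\n".join([
        f"dn: cn={cn},{base}",
        "objectClass: device",      # assumed structural class for the entry
        "objectClass: pwdPolicy",
        f"cn: {cn}",
        "pwdAttribute: userPassword",
        f"pwdMinAge: {e['shadowMin'] * DAY}",
        f"pwdMaxAge: {e['shadowMax'] * DAY}",
        f"pwdExpireWarning: {e['shadowWarning'] * DAY}",
    ]) + "\n"

if __name__ == "__main__":
    for name, day in shadow_deadlines(ENTRY).items():
        print(f"{name:15} {day.isoformat()}")
    print(ppolicy_ldif(ENTRY))
```

The overlay applies such an entry only once it is configured as the default policy (`olcPPolicyDefault`) or referenced from a user entry via `pwdPolicySubentry`.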