
Re: nss-pam-ldapd and the pwdExpireWarning attribute of OpenLDAP's ppolicy overlay




On Tue, 2010-12-28 at 15:05 -0500, Ryan Steele wrote:
> Actually, it seems worse than that - none of the ppolicy controls
> relevant to expiry seem to be honored at login.  This means that users
> have no idea their account passwords are going to expire until it's
> too late and they can't log in.  Is this just a use case that isn't
> supported at this time?  Thanks as always for the advice.

nss-pam-ldapd does not support these controls at this time. In principle
the PAM module should already pass this information if it's generated by
nslcd but nslcd does not request or handle any password policies.

I believe that the nssov overlay in slapd can do this but so far it
hasn't been implemented in nslcd. Patches are welcome though. I think
the call to ldap_simple_bind_s() will need to be replaced with
ldap_sasl_bind_s() and the right controls generated, and returned
controls parsed.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
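
The "returned controls parsed" step from the message above, as an added example that is not part of the original message or of nss-pam-ldapd. It decodes the value of a password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1), assuming the layout from draft-behera-ldap-password-policy with the tags OpenLDAP uses; the names `ppolicy_resp`, `ppolicy_parse`, `ber_hdr` and `ber_uint` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>

/* Decoded password policy response control value; -1 = field absent. */
struct ppolicy_resp { long expire_secs, grace_logins, error; };

/* Read one BER tag/length header (short-form lengths only); 0 if it fits. */
static int ber_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned *tag, size_t *len)
{
    if (end - *p < 2 || ((*p)[1] & 0x80)) return -1;
    *tag = (*p)[0]; *len = (*p)[1]; *p += 2;
    return *len <= (size_t)(end - *p) ? 0 : -1;
}

/* Decode a non-negative big-endian INTEGER/ENUMERATED of 1..4 octets. */
static long ber_uint(const unsigned char *p, size_t len)
{
    long v = 0;
    if (len == 0 || len > 4 || (p[0] & 0x80)) return -1;
    while (len--) v = (v << 8) | *p++;
    return v;
}

/* Parse the control value: 0 on success, -1 on malformed input. */
int ppolicy_parse(const unsigned char *buf, size_t n, struct ppolicy_resp *r)
{
    const unsigned char *p = buf, *end = buf + n, *q;
    unsigned tag, t; size_t len, l; long v;
    r->expire_secs = r->grace_logins = r->error = -1;
    if (ber_hdr(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return -1;
    for (; p < end; p += len) {
        if (ber_hdr(&p, end, &tag, &len)) return -1;
        if (tag == 0xA0) {            /* warning [0] wraps one CHOICE element */
            q = p;
            if (ber_hdr(&q, p + len, &t, &l) || q + l != p + len) return -1;
            if ((v = ber_uint(q, l)) < 0) return -1;
            if (t == 0x80) r->expire_secs = v;        /* timeBeforeExpiration */
            else if (t == 0x81) r->grace_logins = v;  /* graceAuthNsRemaining */
            else return -1;
        } else if (tag == 0x81) {     /* error [1] ENUMERATED, 0 = passwordExpired */
            if ((r->error = ber_uint(p, len)) < 0) return -1;
        } else return -1;
    }
    return 0;
}

/* Constructed samples: 86400 s before expiry; expired with 2 grace logins. */
const unsigned char SAMPLE_WARN[] = {0x30,0x07,0xA0,0x05,0x80,0x03,0x01,0x51,0x80};
const unsigned char SAMPLE_GRACE[] = {0x30,0x08,0xA0,0x03,0x81,0x01,0x02,0x81,0x01,0x00};
```

A caller would hand the decoded expiry warning or grace-login count to the PAM conversation so the user sees it at login.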