Using Shadow Attributes in LDAP
Hi,
We recently migrated our system from a NIS-based Solaris environment to an LDAP one. This has worked quite well except in the area of password policies. Our old NIS-based system used the shadow attributes (lastchange, min, max, warn, expire, etc.) to enforce policies.
We have now migrated to LDAP and normal password changing works OK. I can see that the following attributes exist for each migrated user:
shadowexpire
shadowflag
shadowinactive
shadowlastchange
shadowmax
shadowmin
shadowwarning
However, these attributes do not seem to work in the LDAP environment as they did in the NIS environment. For example, if the user logs into the LDAP client and the max number of days allowed since lastchange has been exceeded, the user is not prompted to change their password.
Commands like "passwd -f <user>" executed on the LDAP client do not force the user to do a password reset on login.
Also, passwd -e | -w | -x etc. do not work; all I get on the client console is:
# passwd -x 5 <user>
passwd: Sorry, wrong passwd
Permission Denied
My passwd entries in /etc/pam.conf look like this on the client:
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 use_first_pass
Can anyone see where I might be going wrong here?
Any help much appreciated!
Thanks,
Jon
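As an added illustration (not code from the post above or from any Solaris or LDAP component), this reads the shadow* attributes from one LDAP entry and applies the shadow(5) aging conventions a NIS-style client uses to decide whether to warn, force a change, or treat the account as locked or expired; the sample entry and the exact threshold rules are assumptions.

```python
from datetime import date

# Constructed sample entry (not from the post); values are days since 1970-01-01.
SAMPLE_LDIF = """dn: uid=jon,ou=People,dc=example,dc=com
objectClass: shadowAccount
uid: jon
shadowLastChange: 19000
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
shadowExpire: -1
"""

def parse_shadow(ldif):
    """Pull the integer shadow* attributes out of one LDIF entry (case-insensitive)."""
    attrs = {}
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.lower().startswith("shadow"):
            attrs[key.strip().lower()] = int(value.strip())
    return attrs

def password_status(attrs, today):
    """Classify a login on day `today` using assumed shadow(5) rules."""
    expire = attrs.get("shadowexpire", -1)
    if expire >= 0 and today >= expire:
        return "account-expired"   # absolute account expiry day reached
    last = attrs.get("shadowlastchange", -1)
    if last == 0:
        return "must-change"       # what `passwd -f` sets: change at next login
    max_days = attrs.get("shadowmax", -1)
    if last < 0 or max_days < 0:
        return "ok"                # aging not enabled for this entry
    expiry_day = last + max_days
    inactive = attrs.get("shadowinactive", -1)
    if inactive >= 0 and today > expiry_day + inactive:
        return "locked"            # past the inactivity grace period
    if today > expiry_day:
        return "expired"           # client should force a password change
    warn = attrs.get("shadowwarning", 0)
    if warn > 0 and expiry_day - today <= warn:
        return "warn"              # inside the warning window
    return "ok"

def change_allowed(attrs, today):
    """shadowMin: a user-initiated change is refused before last change + min days."""
    return today >= attrs.get("shadowlastchange", 0) + attrs.get("shadowmin", 0)

def status_today(ldif):
    today = (date.today() - date(1970, 1, 1)).days
    return password_status(parse_shadow(ldif), today)
```

Run `status_today(SAMPLE_LDIF)` to classify the sample entry against the current date.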