Date: Fri, 09 Sep 2016 20:32:59 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 212538] [net/nss-pam-ldapd] [security] shadowExpire is not propagated to pw_expire
Message-ID: <bug-212538-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212538

Bug ID: 212538
Summary: [net/nss-pam-ldapd] [security] shadowExpire is not propagated to pw_expire
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: zi@FreeBSD.org
Reporter: wollman@FreeBSD.org
Flags: maintainer-feedback?(zi@FreeBSD.org)

The standard way for handling account expiration when using LDAP for "password database" purposes is to define a shadowExpire attribute on the user. On Linux and Solaris, this is implemented by the goofy bag-on-the-side "shadow" mechanism, which is treated as a separate database in NSS, and the architecture of nss-pam-ldapd reflects this. Account expiration in FreeBSD is implemented in the standard password database, but the nslcd stubs in nss-pam-ldapd's nsswitch module do not do the extra RPC to look up the expiration information via the "shadow" stuff and merge it into the passwd entry.

As a result, you cannot use nss-pam-ldapd in a FreeBSD environment if your directory operator uses shadowExpire to disable logins.

-- 
You are receiving this mail because:
You are the assignee for the bug.
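
The merge step the report describes as missing, sketched as an added example (not code from nss-pam-ldapd or from the reporter). `struct pw_entry` and all function names are hypothetical; treating a negative shadowExpire as "unset", mapping shadowExpire 0 to an already-expired value, and the expiry check itself are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SECS_PER_DAY 86400LL
/* Largest value a signed time_t can hold on this platform. */
static const long long time_t_max = sizeof(time_t) == 8 ? INT64_MAX : INT32_MAX;

/* Hypothetical stand-in for the fields of FreeBSD's struct passwd used here. */
struct pw_entry {
    const char *pw_name;
    time_t      pw_expire;   /* seconds since the epoch, 0 = never expires */
};

/* shadowExpire counts days since 1970-01-01; pw_expire counts seconds.
 * Assumption: a negative value means the attribute is unset (no expiry).
 * shadowExpire 0 is often used to disable an account, but pw_expire 0 means
 * "never", so 0 is mapped to 1 second to keep the account expired. */
time_t shadow_expire_to_pw_expire(long days)
{
    if (days < 0)
        return 0;
    if (days == 0)
        return 1;
    if (days > time_t_max / SECS_PER_DAY)   /* saturate, do not overflow */
        return (time_t)time_t_max;
    return (time_t)(days * SECS_PER_DAY);
}

/* Merge the result of the separate "shadow" lookup into the passwd entry. */
void merge_shadow_expire(struct pw_entry *pw, long shadow_expire_days)
{
    pw->pw_expire = shadow_expire_to_pw_expire(shadow_expire_days);
}

/* Assumed consumer-side check: expired once now reaches a non-zero pw_expire. */
bool account_expired(const struct pw_entry *pw, time_t now)
{
    return pw->pw_expire != 0 && now >= pw->pw_expire;
}

int main(void)
{
    const long samples[] = { -1, 0, 17000, 18000 };   /* constructed values */
    const time_t now = (time_t)1473379200;            /* 2016-09-09 00:00 UTC */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pw_entry pw = { "alice", 0 };          /* unmerged: never expires */
        merge_shadow_expire(&pw, samples[i]);
        printf("shadowExpire=%ld pw_expire=%lld expired=%d\n", samples[i],
               (long long)pw.pw_expire, account_expired(&pw, now));
    }
    return 0;
}
```

Without the merge, `pw_expire` stays 0 and every account in the sample reads as non-expiring, which is the behaviour the report flags.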