[Bug 212538] [net/nss-pam-ldapd] [security] shadowExpire is not propagated to pw_expire
bugzilla-noreply at freebsd.org
Fri Sep 9 20:32:59 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212538
Bug ID: 212538
Summary: [net/nss-pam-ldapd] [security] shadowExpire is not
propagated to pw_expire
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: zi at FreeBSD.org
Reporter: wollman at FreeBSD.org
Flags: maintainer-feedback?(zi at FreeBSD.org)
The standard way for handling account expiration when using LDAP for "password
database" purposes is to define a shadowExpire attribute on the user. On Linux
and Solaris, this is implemented by the goofy bag-on-the-side "shadow"
mechanism, which is treated as a separate database in NSS, and the architecture
of nss-pam-ldapd reflects this. Account expiration in FreeBSD is implemented
in the standard password database, but the nslcd stubs in nss-pam-ldapd's
nsswitch module do not do the extra RPC to look up the expiration information
via the "shadow" stuff and merge it into the passwd entry.
As a result, you cannot use nss-pam-ldapd in a FreeBSD environment if your
directory operator uses shadowExpire to disable logins.
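The merge the report says is missing, sketched as an added example (not code from nss-pam-ldapd or FreeBSD): it converts a shadowExpire value, which counts days since 1970-01-01, into the seconds-since-epoch form of pw_expire, where 0 means no expiry. `struct pw_subset` and the function names are hypothetical, and treating negative values as unset and day 0 or unparsable values as already expired are choices made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define SECS_PER_DAY 86400LL

/* Hypothetical stand-in for the relevant part of FreeBSD's struct passwd:
 * pw_expire is seconds since the epoch, and 0 means "never expires". */
struct pw_subset {
    const char *pw_name;
    int64_t     pw_expire;
};

/* Merge an LDAP shadowExpire string into pw_expire.
 * attr == NULL means the attribute is absent from the entry.
 * Returns 0 on success, -1 if the value was unusable; in that case the
 * entry is marked expired (fail closed, a choice made for this example). */
int merge_shadow_expire(struct pw_subset *pw, const char *attr)
{
    char *end;
    long long days;

    if (attr == NULL) {                 /* no shadowExpire: no expiry */
        pw->pw_expire = 0;
        return 0;
    }
    errno = 0;
    days = strtoll(attr, &end, 10);
    if (*attr == '\0' || *end != '\0' || errno != 0 ||
        days > INT64_MAX / SECS_PER_DAY) {
        pw->pw_expire = 1;              /* garbage or overflow: expired */
        return -1;
    }
    if (days < 0)
        pw->pw_expire = 0;              /* assumed: negative means unset */
    else if (days == 0)
        pw->pw_expire = 1;              /* 0 seconds would read as "never" */
    else
        pw->pw_expire = days * SECS_PER_DAY;
    return 0;
}

/* The login-time check that only works once pw_expire is populated. */
int account_expired(const struct pw_subset *pw, int64_t now)
{
    return pw->pw_expire != 0 && now >= pw->pw_expire;
}
```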