Gary Winiger wrote:
>>> If you don't want an account to be able to login at
>>> all it should be
>>> *LK* (passwd -l) not NP (passwd -N).
>> I have to say I'm confused about this. My prior understanding of *LK* and
>> NP was that:
>>
>> 1) *LK* prohibited login and execution of scheduled jobs vi
> NP as I understood it means "Not Participating" rather than "No
> Password" and the reason we can't use *LK* is because pam_unix_account
> will not allow cron to run.
#define LOCKSTRING "*LK*" /* prefix to/string in sp_pwdp to lock acct */
#define NOLOGINSTRING "NP"/* sp_pwdp for n
> > If you don't want an account to be able to login at
> > all it should be
> > *LK* (passwd -l) not NP (passwd -N).
>
> I have to say I'm confused about this. My prior understanding of *LK* and NP
> was that:
>
> 1) *LK* prohibited login and execution of scheduled jobs via cron/at
> 2) NP pr
Thanks Gary. I think the source of my problems is really in naming services,
i.e. trying to fuse ldap authentication on top of file-based account
authorization. nolock is working the way I understood it to work from the
documentation, but my mistake was in thinking that lock_after_retries woul
Hi Darren,
Thanks for the feedback. Makes sense now that lock_after_retries only applies
to files, and if using ldap for authorization then ldap will introduce its own
password aging/locking mechanism independent of files.
> What behavior are you looking for here ? How would
> you like this