The value of ShadowAccount:If an entry contains the shadowAccount objectclass, the shadowAccount attributes are automatically filled with the values derived from the password policy. Please note that even if any password policy is not configured, default passwordMinAge: 0, passwordMaxAge: 8640000, passwordWarning: 86400 are set in the configuration.
shadowLastChange - Indicates the number of days between January 1, 1970 and the day when the user password was last changed. (single-valued)
shadowExpire - Indicates the date on which the user login will be disabled. (single-valued)
shadowFlag - not currently in use.
shadowInactive - Indicates the number of days of inactivity allowed for the user. (single-valued)
shadowMax - Indicates the maximum number of days for which the user password remains valid. (single-valued)
shadowMin - Indicates the minimum number of days required between password changes. (single-valued)
shadowWarning - The number of days of advance warning given to the user before the user password expires. (single-valued)
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com passwordMustChange: on dn: uid=tuser,ou=People,dc=example,dc=com shadowLastChange: 0
When a user password is updated, the value of shadowLastChange is
replaced with the number of days between January 1, 1970 and the
day when the user password is updated.
dn: uid=tuser,ou=People,dc=example,dc=com shadowLastChange: 16724
If an entry being added does not contain a user password, even if it is a shadowAccount entry, shadowLastChange is not added.
Note: the shadowLastChange is now the target of Windows Synchronization with Active Directory.
Other shadowAccount attributes
The other values are automatically filled with the password
policy values as follows.
shadowMin = passwordMinAge / (60 * 60 *24) shadowMax = passwordMaxAge / (60 * 60 *24) shadowWarning = passwordWarning / (60 * 60 *24) shadowExpire = (current_time() + passwordMaxAge) / (60 * 60 *24) shadowFlag = 0 ## not currently in use. shadowInactive is not auto-filled since there is no corresponding policy.