Description Felix Botner 2024-04-11 14:33:21 CEST

Currently we use the shadowbind LDAP overlay to disable LDAP binds for accounts with password/account expired by shadow attributes (shadowExpire, shadowMax,shadowLastChange).

As of UCS 5.2 the shadow information will no longer be checked by PAM, we rely solely on pam_krb5 and its attributes and settings (krb5PasswordEnd, krb5ValidEnd).

But for keycloak we still need the shadowbind overlay. Keycloak authentications expects the LDAP bind to fail before checking expired passwords/accounts.

So we have to maintain the shadow attributes just to make the LDAP bind fail for keycloak.

To make all of this a bit more transparent we should replace the current shadowbind LDAP overlay with one that checks krb5PasswordEnd, krb5ValidEnd. If the password or account is expired, bind is rejected.

This would be the first step to start removing the shadow attributes from UCS.