[Freeipa-devel] [PATCH] 586 kerberos password policy
Rob Crittenden
rcritten at redhat.com
Mon Oct 25 22:05:46 UTC 2010

Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica.
MIT Kerberos 1.9 is adding support for doing so. Once that is available
unlock will be added.

The concept of a "global" password policy has changed. When we were
managing the policy using the IPA password plugin it was smart enough to
search up the tree looking for a policy. The KDC is not so smart and
relies on the krbpwdpolicyreference to find the policy. For this reason
every user entry requires this attribute. I've created a new
global_policy entry to store the default password policy. All users
point at this now. The group policy works the same and can override this
setting.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-586-pwpolicy.patch
Type: application/mbox
Size: 13925 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101025/55c35f75/attachment.mbox>
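
An added example, not part of the original message or the attached patch: because the message says the KDC finds a policy only through krbpwdpolicyreference, this script audits an LDIF export for Kerberos principals that lack the attribute. The sample LDIF, its DNs (including where the global_policy entry lives) and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the patch); all DNs are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
krbPrincipalName: alice@EXAMPLE.COM
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,
 dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
krbPrincipalName: bob@EXAMPLE.COM

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: editors
"""

def parse_ldif(text):
    """Yield each entry as {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an LDIF continuation line
        elif not raw.startswith("#"):     # skip comment lines
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())

def principals_without_policy(text):
    """Return DNs of Kerberos principals that carry no krbPwdPolicyReference."""
    return [e["dn"][0] for e in parse_ldif(text)
            if "krbprincipalname" in e and "dn" in e
            and not any(e.get("krbpwdpolicyreference", []))]
```

Entries without krbPrincipalName (such as the group above) are ignored, since only principals are subject to the KDC's lockout policy.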