Simo Sorce wrote:
> On Mon, 25 Oct 2010 18:05:46 -0400 Rob Crittenden <rcritten redhat com> wrote:
>> Use Kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.
>>
>> There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.
>>
>> The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.
>>
>> rob
>
> Almost, but have to NACK because ipa pwpolicy-show --user=user1 returns the wrong group name (always GLOBAL apparently). Everything else works fine.
>
> Simo.
Fixed. I dropped the special renaming of GLOBAL. We now show the actual entry name, global_policy.
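Since the KDC no longer searches up the tree, a user entry with no krbPwdPolicyReference silently gets no lockout policy. The script below is an added example, not FreeIPA code or anything posted in this thread: it audits a directory export for users missing the attribute and resolves which policy entry applies to a user (a group policy, chosen by lowest cospriority, overriding global_policy). The LDIF is constructed, the DN layout under cn=kerberos and the cospriority tie-break are assumptions, and attribute names follow the MIT Kerberos LDAP schema.

```python
"""Audit krbPwdPolicyReference coverage and resolve the effective password
policy for a user. Example code, not from the FreeIPA project. The LDIF and
DNs below are constructed for illustration."""

from collections import defaultdict

# Assumed location of the default policy entry the thread calls global_policy.
GLOBAL_POLICY_DN = "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"

# Constructed export: user1 is in 'admins', which has its own policy;
# user2 deliberately lacks krbPwdPolicyReference so the audit flags it.
SAMPLE_LDIF = """\
dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
uid: user1
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

dn: uid=user2,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
uid: user2

dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPwdPolicy
cn: global_policy
krbMaxPwdFailure: 6
krbPwdLockoutDuration: 600

dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPwdPolicy
cn: admins
cospriority: 1
krbMaxPwdFailure: 3
krbPwdLockoutDuration: 1800
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr_lowercase: [values]}}.
    Unfolds continuation lines, splits entries on blank lines, skips comments.
    Base64 (::) values are not handled; none appear in the sample."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)

    entries = {}
    dn, attrs = None, defaultdict(list)

    def flush():
        nonlocal dn, attrs
        if dn is not None:
            entries[dn] = dict(attrs)
        dn, attrs = None, defaultdict(list)

    for line in lines:
        if not line.strip():
            flush()
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    flush()
    return entries


def first_rdn_value(dn):
    """'cn=admins,cn=groups,...' -> 'admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def users_missing_policy_reference(entries):
    """DNs of user entries with no krbPwdPolicyReference: the KDC would apply
    no failure counting or lockout to these accounts."""
    return sorted(dn for dn, a in entries.items()
                  if dn.lower().startswith("uid=")
                  and not a.get("krbpwdpolicyreference"))


def effective_policy(user_dn, entries):
    """Name (cn) of the policy that applies to user_dn. Assumed rule: among the
    user's groups that own a krbPwdPolicy entry, the lowest cospriority wins;
    with no matching group policy, fall back to global_policy."""
    user = entries[user_dn]
    groups = {first_rdn_value(g).lower() for g in user.get("memberof", [])}
    best = None
    for dn, a in entries.items():
        classes = {o.lower() for o in a.get("objectclass", [])}
        if "krbpwdpolicy" not in classes or not a.get("cospriority"):
            continue
        if first_rdn_value(dn).lower() in groups:
            prio = int(a["cospriority"][0])
            if best is None or prio < best[0]:
                best = (prio, dn)
    return first_rdn_value(best[1] if best else GLOBAL_POLICY_DN)


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for missing in users_missing_policy_reference(data):
        print("no krbPwdPolicyReference:", missing)
    for uid in ("user1", "user2"):
        dn = f"uid={uid},cn=users,cn=accounts,dc=example,dc=com"
        print(uid, "->", effective_policy(dn, data))
```

Against a live server the same checks would run over the output of an ldapsearch for `(objectClass=krbPrincipalAux)` rather than the embedded LDIF; the audit function is the part worth keeping, since a missing reference is exactly the condition the KDC will not compensate for.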