[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [PATCH] 586 kerberos password policy

Simo Sorce wrote:
On Mon, 25 Oct 2010 18:05:46 -0400
Rob Crittenden<rcritten redhat com>  wrote:

Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts
for a period of time. This only works for KDC>= 1.8.

There currently is no way to unlock a locked account across a
replica. MIT  Kerberos 1.9 is adding support for doing so. Once that
is available unlock will be added.

The concept of a "global" password policy has changed. When we were
managing the policy using the IPA password plugin it was smart enough
to search up the tree looking for a policy. The KDC is not so smart
and relies on the krbpwdpolicyreference to find the policy. For this
reason every user entry requires this attribute. I've created a new
global_policy entry to store the default password policy. All users
point at this now. The group policy works the same and can override
this setting.

Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
the wrong group name (always GLOBAL apparently).

Everything else works fine.


Fixed. I dropped the special renaming of GLOBAL. We now show the actual entry name, global_policy.


Attachment: freeipa-rcrit-586-2-pwpolicy.patch
Description: application/mbox

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]