[Freeipa-devel] [PATCH] Updated default Kerberos password policy

Rob Crittenden rcritten at redhat.com
Wed Feb 16 13:38:02 UTC 2011


Jan Zelený wrote:
> Jan Zeleny<jzeleny at redhat.com>  wrote:
>> Rob Crittenden<rcritten at redhat.com>  wrote:
>>> Jan Zelený wrote:
>>>> https://fedorahosted.org/freeipa/ticket/930
>>>>
>>>> I put there a value Dmitri suggested. Feel free to change it before
>>>> pushing if you think there should be the originally suggested 10 login
>>>> attempts.
>>>
>>> We want to increase krbPwdLockoutDuration too, to 600.
>>>
>>> rob
>>
>> Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's
>> ok it's already there. Anyway, I'm sending the updated patch.
>
> Just a reminder that this patch needs to be re-reviewed.
>
> Thanks
> Jan

I think we need to fix this as an update file rather than changing the 
default install. It would look something like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600
replace: krbPwdMaxFailure: 3: 6

I'm ok with fixing it in both places.

rob
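
Added example, not part of the original message and not FreeIPA code: a small Python model of why an old-value/new-value replace in an update file suits an upgrade of the lockout policy. It assumes the replace is applied only when the old value is still present, and it parses the approximate layout sketched in the message rather than the exact update-file grammar; parse_update, apply_replace, demo and the sample entries are constructed for illustration.

```python
# Illustrative model only. Assumption: a replace directive changes an
# attribute only if the stated old value is currently present.
UPDATE = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600
replace: krbPwdMaxFailure: 3: 6
"""

def parse_update(text):
    """Return (dn, [(attr, old, new), ...]) from the layout sketched above."""
    dn, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(":")
        if keyword == "dn":
            dn = rest.strip()
        elif keyword == "replace":
            parts = [p.strip() for p in rest.split(":")]
            if len(parts) != 3 or not all(parts):
                raise ValueError("malformed replace line: %r" % line)
            rules.append(tuple(parts))
        else:
            raise ValueError("unsupported directive: %r" % line)
    if dn is None:
        raise ValueError("update has no dn line")
    return dn, rules

def apply_replace(entry, rules):
    """Swap old -> new where old is present; return the attributes changed."""
    changed = []
    for attr, old, new in rules:
        values = entry.get(attr, [])
        if old in values:
            entry[attr] = [new if v == old else v for v in values]
            changed.append(attr)
    return changed

def demo():
    """Run the update against two constructed policy entries."""
    _, rules = parse_update(UPDATE)
    stock = {"krbPwdLockoutDuration": ["10"], "krbPwdMaxFailure": ["3"]}
    # Constructed case: an admin already raised the lockout duration.
    tuned = {"krbPwdLockoutDuration": ["1800"], "krbPwdMaxFailure": ["3"]}
    return apply_replace(stock, rules), stock, apply_replace(tuned, rules), tuned

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Under that assumption, an entry still carrying the old defaults moves to 600 seconds and 6 failures, while a lockout duration an administrator already changed is left alone.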



