[Freeipa-devel] Expired passwords cannot be changed via LDAP

Martin Kosek mkosek at redhat.com
Tue Jun 10 06:56:49 UTC 2014


On 06/09/2014 05:54 PM, Dmitri Pal wrote:
> On 06/09/2014 10:03 AM, Nathaniel McCallum wrote:
>> On Mon, 2014-06-09 at 09:01 -0400, Simo Sorce wrote:
>>>>>>> From: "Martin Kosek" <mkosek at redhat.com>
>>>>>>> Given all sorts of issues we get, I am thinking we should just revert it
>>>>>>> unless there is a quick fix available.
>>> Instead of reverting I am thinking we may want to make this optional by
>>> adding a configuration parameter that defaults to False for now. Once we can
>>> manage better the password change we can turn it on by default, in the
>>> meanwhile admins can choose by themselves the lesser evil.
>>>
>>> Thoughts?
>> I'm not a fan of introducing a new configuration parameter for a
>> temporary workaround.
>>
>> My preference is to revert it and have a small project for the next
>> release which handles all the "non-authenticated" corner cases. This
>> would include:
>> * Expired passwords
>> * Password changes
>> * Token syncing
>> * Unauthenticated RPCs (rpcserver.py rework)
>> * others?
>>
>> I think there is some value to be gained by thinking about these
>> problems as a whole and devising a set of consistent mechanisms for
>> them.
>>
>> Nathaniel
>>
> +1
> 

This is my preference as well, as written in another part of this thread.

I reverted the patch, added an appropriate description (attached) and pushed to
master.

I updated the ticket, added Nathaniel's suggestions and moved it to needs triage.

Thanks,
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Revert-Check-for-password-expiration-in-pre-bind.patch
Type: text/x-patch
Size: 3866 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140610/9cd193a2/attachment.bin>

