[Freeipa-devel] [PATCH] 586 kerberos password policy

Adam Young ayoung at redhat.com
Mon Nov 1 19:28:49 UTC 2010


On 10/29/2010 04:39 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 25 Oct 2010 18:05:46 -0400
>> Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Use kerberos password policy.
>>>
>>> This lets the KDC count password failures and can lock out accounts
>>> for a period of time. This only works for KDC >= 1.8.
>>>
>>> There currently is no way to unlock a locked account across a
>>> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
>>> is available unlock will be added.
>>>
>>> The concept of a "global" password policy has changed. When we were
>>> managing the policy using the IPA password plugin it was smart enough
>>> to search up the tree looking for a policy. The KDC is not so smart
>>> and relies on the krbpwdpolicyreference to find the policy. For this
>>> reason every user entry requires this attribute. I've created a new
>>> global_policy entry to store the default password policy. All users
>>> point at this now. The group policy works the same and can override
>>> this setting.
>>> rob
>>
>> Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
>> the wrong group name (always GLOBAL apparently).
>>
>> Everything else works fine.
>>
>> Simo.
>>
>
> Fixed. I dropped the special renaming of GLOBAL. We now show the 
> actual entry name, global_policy.
>
> rob
>
ACK and pushed to master
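
Added example (not part of the original thread and not FreeIPA code): a simplified model of the two lookups the commit message contrasts, searching up the tree versus following only krbpwdpolicyreference, plus an audit that lists user entries a reference-only lookup leaves without a policy. The directory contents, DNs and function names are constructed for illustration.

```python
# Constructed in-memory directory; every DN and value here is made up.
GLOBAL = "cn=global_policy,cn=kerberos,dc=example,dc=com"
USERS = "cn=users,dc=example,dc=com"
DIRECTORY = {
    "dc=example,dc=com": {"krbpwdmaxfailure": 6},   # policy set high in the tree
    USERS: {},
    GLOBAL: {"krbpwdmaxfailure": 6},
    "uid=alice," + USERS: {"krbpwdpolicyreference": GLOBAL},
    "uid=bob," + USERS: {},                          # no reference at all
    "uid=carol," + USERS: {"krbpwdpolicyreference": "cn=old_policy,dc=example,dc=com"},
}


def tree_walk_policy(dn):
    """Simplified model of a lookup that searches up the tree for a policy."""
    while dn:
        if "krbpwdmaxfailure" in DIRECTORY.get(dn, {}):
            return dn
        # Strip the leftmost RDN to get the parent (no escaped commas in this sample).
        dn = dn.partition(",")[2]
    return None


def reference_policy(dn):
    """Model of a lookup that only follows krbpwdpolicyreference on the entry."""
    ref = DIRECTORY.get(dn, {}).get("krbpwdpolicyreference")
    return ref if ref in DIRECTORY else None


def audit_users():
    """Report user entries for which the reference-only lookup finds no policy."""
    findings = {}
    for dn, entry in DIRECTORY.items():
        if not dn.startswith("uid="):
            continue
        ref = entry.get("krbpwdpolicyreference")
        if ref is None:
            findings[dn] = "missing"
        elif ref not in DIRECTORY:
            findings[dn] = "dangling"
    return findings


if __name__ == "__main__":
    for dn, problem in audit_users().items():
        print(f"{problem:9} {dn} (tree walk would have found {tree_walk_policy(dn)})")
```
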