[Freeipa-devel] [PATCH] 586 kerberos password policy

Rob Crittenden rcritten at redhat.com
Fri Oct 29 20:39:24 UTC 2010


Simo Sorce wrote:
> On Mon, 25 Oct 2010 18:05:46 -0400
> Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Use kerberos password policy.
>>
>> This lets the KDC count password failures and can lock out accounts
>> for a period of time. This only works for KDC >= 1.8.
>>
>> There currently is no way to unlock a locked account across a
>> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
>> is available unlock will be added.
>>
>> The concept of a "global" password policy has changed. When we were
>> managing the policy using the IPA password plugin it was smart enough
>> to search up the tree looking for a policy. The KDC is not so smart
>> and relies on the krbpwdpolicyreference to find the policy. For this
>> reason every user entry requires this attribute. I've created a new
>> global_policy entry to store the default password policy. All users
>> point at this now. The group policy works the same and can override
>> this setting.
>> rob
>
> Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
> the wrong group name (always GLOBAL apparently).
>
> Everything else works fine.
>
> Simo.
>

Fixed. I dropped the special renaming of GLOBAL. We now show the actual
entry name, global_policy.

rob
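The thread's point is that the KDC does not search up the tree but follows each user's krbPwdPolicyReference directly, so a user entry without a resolvable reference has no lockout policy the KDC can apply. The following audit script is an added illustration, not code from the patch or from FreeIPA; the entries are constructed, and the policy attribute names krbPwdMaxFailure and krbPwdLockoutDuration are assumed to match the MIT LDAP KDB schema.

```python
"""Audit constructed directory entries for KDC lockout-policy linkage.

Assumptions (not from the thread): entries are given as dn -> attributes,
policy entries carry krbPwdMaxFailure / krbPwdLockoutDuration as in the
MIT LDAP KDB schema, and user entries are marked with krbPrincipalAux.
"""

REALM = "cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test"   # constructed
USERS = "cn=users,cn=accounts,dc=example,dc=test"           # constructed
GLOBAL = f"cn=global_policy,{REALM}"                        # default policy entry
ADMINS = f"cn=admins,{REALM}"                               # group policy overriding it

# Constructed sample entries; not real directory data.
ENTRIES = {
    GLOBAL: {"objectClass": ["krbPwdPolicy"],
             "krbPwdMaxFailure": ["6"], "krbPwdLockoutDuration": ["600"]},
    ADMINS: {"objectClass": ["krbPwdPolicy"],
             "krbPwdMaxFailure": ["3"], "krbPwdLockoutDuration": ["1800"]},
    f"uid=user1,{USERS}": {"objectClass": ["krbPrincipalAux"],
                           "krbPwdPolicyReference": [GLOBAL]},
    f"uid=admin1,{USERS}": {"objectClass": ["krbPrincipalAux"],
                            "krbPwdPolicyReference": [ADMINS]},
    # Missing reference: the KDC will not walk the tree to find global_policy.
    f"uid=orphan,{USERS}": {"objectClass": ["krbPrincipalAux"]},
    # Dangling reference: points at an entry that does not exist.
    f"uid=stale,{USERS}": {"objectClass": ["krbPrincipalAux"],
                           "krbPwdPolicyReference": [f"cn=old,{REALM}"]},
}


def effective_policy(entries, user_dn):
    """Return (policy_dn, max_failure, lockout_secs) the KDC would follow
    for user_dn, or None when the reference is absent or unresolvable."""
    refs = entries.get(user_dn, {}).get("krbPwdPolicyReference", [])
    if not refs or refs[0] not in entries:
        return None
    pol = entries[refs[0]]
    if "krbPwdPolicy" not in pol.get("objectClass", []):
        return None
    return (refs[0], int(pol["krbPwdMaxFailure"][0]),
            int(pol["krbPwdLockoutDuration"][0]))


def audit(entries):
    """List (user_dn, problem) for every principal without a usable policy."""
    findings = []
    for dn, attrs in entries.items():
        if "krbPrincipalAux" not in attrs.get("objectClass", []):
            continue
        if "krbPwdPolicyReference" not in attrs:
            findings.append((dn, "no krbPwdPolicyReference"))
        elif effective_policy(entries, dn) is None:
            findings.append((dn, "krbPwdPolicyReference does not resolve"))
    return findings
```

Run against a real export, the same check would list the accounts whose lockout counting silently does not apply.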
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-586-2-pwpolicy.patch
Type: application/mbox
Size: 14903 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101029/ce40bf7b/attachment.mbox>