[Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

David Kupka dkupka at redhat.com
Fri Jul 1 07:38:04 UTC 2016


On 30/06/16 21:34, David Kupka wrote:
> On 04/05/16 17:22, Pavel Vomacka wrote:
>>
>>
>> On 05/04/2016 04:36 PM, Simo Sorce wrote:
>>> On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
>>>> On 05/02/2016 02:28 PM, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/2795
>>>> That patch looks suspiciously short given the struggles I saw in
>>>> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
>>>> :-)
>>>>
>>>> Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid
>>>> filling
>>>> "krbPasswordExpiration" attribute at all, i.e. have password *without*
>>>> expiration? Or is krbPasswordExpiration mandatory?
>>> So I looked at the MIT code, and it seems like they are coping just fine
>>> with a missing (i.e. value = 0 internally) pw_expiration attribute.
>>>
>>> So if we make our code cope with omitting any expiration if the
>>> attribute is missing then yes, we can mark no expiration with simply
>>> removing (or not setting) the krbPasswordExpiration attribute.
>>> The attribute itself is optional and can be omitted.
>>>
>>> I think this is a good idea, and is definitely better than inventing a
>>> magic value.
>>>
>>> Simo.
>>>
>> Just a note: I tested David's patch and it actually doesn't work when
>> the new password policy for ipausers group is created (priority = 0,
>> which should be the highest priority). The maxlife and minlife values
>> are empty. Even if I set the new password policy maxlife and minlife to
>> 0 the result was that the password will expire in 90 days. The patch worked
>> correctly when I changed value of maxlife and minlife to 0 in
>> 'global_policy'. Then the password expiration was set to 2038-01-01.
>>
>
> Hello!
>
> I hope I've finally found all the places in ipa-kdb and ipa-pwd-extop
> plugins to tickle in order to have passwords that don't expire. Updated
> patch attached.
>
> https://fedorahosted.org/freeipa/ticket/2795

Updated patch attached.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0100.2-Allow-unexpiring-passwords.patch
Type: text/x-patch
Size: 6676 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160701/968dbbca/attachment.bin>
