[Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).
Simo Sorce
ssorce at redhat.com
Wed May 4 14:36:00 UTC 2016
On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
> On 05/02/2016 02:28 PM, David Kupka wrote:
> > https://fedorahosted.org/freeipa/ticket/2795
>
> That patch looks suspiciously short given the struggles I saw in
> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
> :-)
>
> Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid filling
> "krbPasswordExpiration" attribute at all, i.e. have password *without*
> expiration? Or is krbPasswordExpiration mandatory?
So I looked at the MIT code, and it seem like they are coping just fine
with a missing (ie value = 0 internally) pw_expiration attribute.
So if we make our code cope with omitting any expiration if the
attribute is missing then yes, we can mark no expiration with simply
removing (or not setting) the krbPasswordExpiration attribute.
The attribute itself is optional and can be omitted.
I think this is a good idea, and is definitely better than inventing a a
magic value.
Simo.
More information about the Freeipa-devel
mailing list