[Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity).

Pavel Vomacka pvomacka at redhat.com
Wed May 4 15:22:28 UTC 2016



On 05/04/2016 04:36 PM, Simo Sorce wrote:
> On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
>> On 05/02/2016 02:28 PM, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/2795
>> That patch looks suspiciously short given the struggles I saw in
>> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
>> :-)
>>
>> Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid filling
>> "krbPasswordExpiration" attribute at all, i.e. have password *without*
>> expiration? Or is krbPasswordExpiration mandatory?
> So I looked at the MIT code, and it seems like they are coping just fine
> with a missing (i.e. value = 0 internally) pw_expiration attribute.
>
> So if we make our code cope with omitting any expiration if the
> attribute is missing then yes, we can mark no expiration with simply
> removing (or not setting) the krbPasswordExpiration attribute.
> The attribute itself is optional and can be omitted.
>
> I think this is a good idea, and is definitely better than inventing a
> magic value.
>
> Simo.
>
Just a note: I tested David's patch and it actually doesn't work when
the new password policy for the ipausers group is created (priority = 0,
which should be the highest priority). The maxlife and minlife values
are empty. Even if I set the new password policy's maxlife and minlife to
0, the result was that the password will expire in 90 days. The patch worked
correctly when I changed the value of maxlife and minlife to 0 in
'global_policy'. Then the password expiration was set to 2038-01-01.
