<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 10/29/2010 04:39 PM, Rob Crittenden wrote:
<blockquote cite="mid:4CCB30FC.2060109@redhat.com" type="cite">Simo
Sorce wrote:
<br>
<blockquote type="cite">On Mon, 25 Oct 2010 18:05:46 -0400
<br>
Rob Crittenden <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com">&lt;rcritten@redhat.com&gt;</a> wrote:
<br>
<br>
<blockquote type="cite">Use kerberos password policy.
<br>
<br>
This lets the KDC count password failures and can lock out accounts
<br>
for a period of time. This only works for KDC &gt;= 1.8.
<br>
<br>
There currently is no way to unlock a locked account across a
<br>
replica. MIT Kerberos 1.9 is adding support for doing so. Once that
<br>
is available unlock will be added.
<br>
<br>
The concept of a "global" password policy has changed. When we were
<br>
managing the policy using the IPA password plugin it was smart enough
<br>
to search up the tree looking for a policy. The KDC is not so smart
<br>
and relies on the krbpwdpolicyreference to find the policy. For this
<br>
reason every user entry requires this attribute. I've created a new
<br>
global_policy entry to store the default password policy. All users
<br>
point at this now. The group policy works the same and can override
<br>
this setting.
<br>
rob
<br>
</blockquote>
<br>
Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
<br>
the wrong group name (always GLOBAL apparently).
<br>
<br>
Everything else works fine.
<br>
<br>
Simo.
<br>
<br>
</blockquote>
<br>
Fixed. I dropped the special renaming of GLOBAL. We now show the actual
entry name, global_policy.
<br>
<br>
rob
<br>
<pre wrap="">
_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
ACK and pushed to master<br>
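Added example, not part of this thread or of the FreeIPA patch: since the quoted description says the KDC finds a policy only through krbpwdpolicyreference and that every user entry requires it, this audit flags principal entries where the attribute is absent or points at no policy entry. The dict layout, the DNs, and the names norm_dn and audit_policy_references are assumptions; the sample entries are constructed.

```python
# Added illustration; the entries below are constructed sample data.
# Assumption: the caller has already fetched entries from LDAP into a dict
# of DN to attributes, with attribute names lower-cased.
POLICY_ATTR = "krbpwdpolicyreference"

SAMPLE_ENTRIES = {
    "cn=global_policy,dc=example,dc=test": {"objectclass": ["krbpwdpolicy"]},
    "cn=admins_policy,dc=example,dc=test": {"objectclass": ["krbpwdpolicy"]},
    "uid=user1,cn=users,dc=example,dc=test": {
        "objectclass": ["krbprincipalaux"],
        POLICY_ATTR: ["cn=global_policy,dc=example,dc=test"],
    },
    "uid=user2,cn=users,dc=example,dc=test": {
        "objectclass": ["krbprincipalaux"],
        POLICY_ATTR: ["CN=admins_policy, DC=example, DC=test"],
    },
    "uid=user3,cn=users,dc=example,dc=test": {
        "objectclass": ["krbprincipalaux"],  # attribute never set
    },
    "uid=user4,cn=users,dc=example,dc=test": {
        "objectclass": ["krbprincipalaux"],
        POLICY_ATTR: ["cn=old_policy,dc=example,dc=test"],  # entry deleted
    },
}


def norm_dn(dn):
    """Simplified DN normalisation: lower-case, trim spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_policy_references(entries):
    """Classify each principal entry by the state of its policy reference."""
    by_dn = {norm_dn(dn): attrs for dn, attrs in entries.items()}
    report = {"ok": {}, "missing": [], "dangling": {}}
    for dn, attrs in sorted(by_dn.items()):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "krbprincipalaux" not in classes:
            continue  # not a Kerberos principal entry, e.g. a policy entry
        refs = attrs.get(POLICY_ATTR, [])
        if not refs:
            report["missing"].append(dn)  # nothing for the KDC to follow
            continue
        target = norm_dn(refs[0])
        target_classes = [c.lower() for c in by_dn.get(target, {}).get("objectclass", [])]
        if "krbpwdpolicy" in target_classes:
            report["ok"][dn] = target
        else:
            report["dangling"][dn] = target  # points at no policy entry
    return report
```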
</body>
</html>