<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi David,</p>
<p>I did a functional review, and everything works well, so
functional-ACK. But I did not do the code review.<br>
</p>
<div class="moz-cite-prefix">On 07/01/2016 10:26 AM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:5776291B.30301@redhat.com" type="cite">
Hi David,<br>
<br>
The patch looks good but, not being familiar with that code, my
comments may be absolutely wrong. <br>
<br>
In ipadb_get_pwd_expiration, if it is not 'self' we set
'*export=mod_time'.<br>
If for some reason 'mod_time==0', it now has a specific meaning,
'not expiring'. Does it match the comment '* not 'self', so reset
*/'?<br>
<br>
In ipadb_entry_to_mods, it deletes krbPasswordExpiration. But just
before it adds in the mods krbPasswordExpiration=0 or
krbPasswordExpiration=entry->pw_expiration<br>
Could we skip those mods if entry->pw_expiration==0 or
expire_time==0 ?<br>
<br>
In ipapwd_SetPassword, ipapwd_post_modadd, same remark as above.<br>
<br>
Something I am not sure about is the expected relation
between passwordexpirationtime and krbPasswordExpiration.<br>
<br>
thanks<br>
thierry<br>
<br>
<div class="moz-cite-prefix">On 06/30/2016 09:34 PM, David Kupka
wrote:<br>
</div>
<blockquote
cite="mid:1777358e-8acf-fd18-6714-f705a4a48de8@redhat.com"
type="cite">On 04/05/16 17:22, Pavel Vomacka wrote: <br>
<blockquote type="cite"> <br>
<br>
On 05/04/2016 04:36 PM, Simo Sorce wrote: <br>
<blockquote type="cite">On Wed, 2016-05-04 at 15:39 +0200,
Martin Kosek wrote: <br>
<blockquote type="cite">On 05/02/2016 02:28 PM, David Kupka
wrote: <br>
<blockquote type="cite"><a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/2795">https://fedorahosted.org/freeipa/ticket/2795</a>
<br>
</blockquote>
That patch looks suspiciously short given the struggles I
saw in <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html">http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html</a>
<br>
:-) <br>
<br>
Instead of setting to IPAPWD_END_OF_TIME, should we
instead avoid <br>
filling <br>
"krbPasswordExpiration" attribute at all, i.e. have
password *without* <br>
expiration? Or is krbPasswordExpiration mandatory? <br>
</blockquote>
So I looked at the MIT code, and it seems like they are
coping just fine <br>
with a missing (i.e. value = 0 internally) pw_expiration
attribute. <br>
<br>
So if we make our code cope with omitting any expiration if
the <br>
attribute is missing then yes, we can mark no expiration
with simply <br>
removing (or not setting) the krbPasswordExpiration
attribute. <br>
The attribute itself is optional and can be omitted. <br>
<br>
I think this is a good idea, and is definitely better than
inventing a <br>
magic value. <br>
<br>
Simo. <br>
<br>
</blockquote>
Just a note: I tested David's patch and it actually doesn't
work when <br>
the new password policy for the ipausers group is created
(priority = 0, <br>
which should be the highest priority). The maxlife and minlife
values <br>
are empty. Even if I set the new password policy's maxlife and
minlife to <br>
0, the result was that the password would expire in 90 days. The
patch worked <br>
correctly when I changed the values of maxlife and minlife to 0 in
<br>
'global_policy'. Then the password expiration was set to
2038-01-01. <br>
<br>
</blockquote>
<br>
Hello! <br>
<br>
I hope I've finally found all the places in ipa-kdb and
ipa-pwd-extop plugins to tickle in order to have passwords that
don't expire. Updated patch attached. <br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/2795">https://fedorahosted.org/freeipa/ticket/2795</a>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Pavel^3 Vomacka</pre>
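<p>An added example, not FreeIPA code and not written by any participant in this thread, of the convention Simo and Thierry discuss above: an internal pw_expiration of 0 means "never expires", so the optional krbPasswordExpiration attribute is omitted when the entry is written back and a missing attribute maps to 0 when it is read, instead of storing a magic IPAPWD_END_OF_TIME stamp. The names build_pw_exp_mod, load_pw_expiration, password_expired and struct pw_exp_mod are hypothetical stand-ins for the ipa-kdb routines named in the thread; the code assumes the 15-character YYYYMMDDHHMMSSZ GeneralizedTime form for the attribute value, and the timestamps in main() are constructed.</p>

```c
/*
 * Added example, not FreeIPA's own code: treating an internal password
 * expiration of 0 as "never expires" and omitting the optional
 * krbPasswordExpiration attribute instead of storing a magic end-of-time
 * value. All function and struct names are hypothetical stand-ins for the
 * ipa-kdb routines discussed in the thread.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* LDAP GeneralizedTime as assumed here: YYYYMMDDHHMMSSZ, always UTC. */
#define GENTIME_LEN 15

/* One pending modification of the entry; attr == NULL means "write nothing". */
struct pw_exp_mod {
    const char *attr;             /* "krbPasswordExpiration" or NULL */
    char value[GENTIME_LEN + 1];  /* GeneralizedTime string, "" if none */
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long days_from_civil(int y, int m, int d)
{
    long era, doe, yoe, doy;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Format a UTC time_t as GeneralizedTime; returns 0 on success. */
static int to_gentime(time_t t, char *out, size_t outlen)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL)
        return -1;
    return strftime(out, outlen, "%Y%m%d%H%M%SZ", tm) == GENTIME_LEN ? 0 : -1;
}

/* Parse GeneralizedTime to a UTC time_t; returns 0 (= no expiration) when the
 * string is missing or malformed, which is also how a KDC that tolerates a
 * missing attribute ends up treating it. */
static time_t from_gentime(const char *s)
{
    int y, mo, d, h, mi, sec;
    if (s == NULL || strlen(s) != GENTIME_LEN || s[GENTIME_LEN - 1] != 'Z')
        return 0;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
        return 0;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60)
        return 0;
    return (time_t)days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}

/* The MIT convention the thread relies on: pw_expiration == 0 never expires. */
static int password_expired(time_t pw_expiration, time_t now)
{
    if (pw_expiration == 0)
        return 0;
    return pw_expiration <= now;
}

/* Store side: with pw_expiration == 0 no attribute is written at all, so the
 * caller need not add "0" or an end-of-time stamp and delete it again later. */
static int build_pw_exp_mod(time_t pw_expiration, struct pw_exp_mod *mod)
{
    mod->attr = NULL;
    mod->value[0] = '\0';
    if (pw_expiration == 0)
        return 0;
    if (to_gentime(pw_expiration, mod->value, sizeof(mod->value)) != 0)
        return -1;
    mod->attr = "krbPasswordExpiration";
    return 0;
}

/* Load side: an absent attribute maps back to 0, i.e. no expiration. */
static time_t load_pw_expiration(const char *attr_value)
{
    return attr_value == NULL ? 0 : from_gentime(attr_value);
}

int main(void)
{
    struct pw_exp_mod mod;
    time_t now = 1467331200;  /* constructed: 2016-07-01T00:00:00Z */

    build_pw_exp_mod(now + 90L * 86400, &mod);   /* 90-day maxlife */
    printf("%s: %s\n", mod.attr, mod.value);

    build_pw_exp_mod(0, &mod);                   /* maxlife 0: never expires */
    printf("attr=%s expired=%d\n", mod.attr ? mod.attr : "(omitted)",
           password_expired(load_pw_expiration(NULL), now));
    return 0;
}
```

<p>The point of keeping both directions in one place is that the "no expiration" encoding is decided once: every writer that previously emitted krbPasswordExpiration=0 or an end-of-time value goes through build_pw_exp_mod and simply produces no mod, and every reader goes through load_pw_expiration, so a missing attribute and an internal 0 stay interchangeable.</p>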
</body>
</html>