[Freeipa-devel] [PATCH] Updated default Kerberos password policy

Rob Crittenden rcritten at redhat.com
Thu Feb 17 03:29:22 UTC 2011


Jan Zeleny wrote:
> Rob Crittenden<rcritten at redhat.com>  wrote:
>> Jan Zelený wrote:
>>> Jan Zeleny<jzeleny at redhat.com>   wrote:
>>>> Rob Crittenden<rcritten at redhat.com>   wrote:
>>>>> Jan Zelený wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/930
>>>>>>
>>>>>> I put there a value Dmitri suggested. Feel free to change it before
>>>>>> pushing if you think there should be the originally suggested 10 login
>>>>>> attempts.
>>>>>
>>>>> We want to increase krbPwdLockoutDuration too, to 600.
>>>>>
>>>>> rob
>>>>
>>>> Sorry, I didn't realize it was in seconds. I just saw 10 and figured
>>>> it's ok it's already there. Anyway, I'm sending the updated patch.
>>>
>>> Just a reminder that this patch needs to be re-reviewed.
>>>
>>> Thanks
>>> Jan
>>
>> I think we need to fix this as an update file rather than changing the
>> default install. It would look something like:
>>
>> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> replace:krbPwdLockoutDuration: 10: 600
>> replace: krbPwdMaxFailure: 3: 6
>>
>> I'm ok with fixing it in both places.
>>
>> rob
>
> Here it is, hopefully I got it right this time. I wasn't sure about the file
> number, but from guidelines in README I guess it's ok.
>
> Jan

I removed the spaces before the integers, I guess the updater was 
sending ' 600' as the update instead of '600'.

ack, pushed to master

rob
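
Added example (not part of the thread and not ipa-ldap-updater code): a minimal parser for the `replace` layout quoted above. It shows how an unstripped split carries ' 600' through as the new value, and why that string fails LDAP Integer syntax (RFC 4517). The function names are hypothetical, and treating both attributes as Integer-syntax is an assumption.

```python
import re

# RFC 4517 Integer syntax: optional '-', no leading zeros, no whitespace.
LDAP_INTEGER = re.compile(r"0|-?[1-9][0-9]*")

# Constructed sample: the directives as written in the thread,
# with a space before each integer.
SAMPLE_WITH_SPACES = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600
replace: krbPwdMaxFailure: 3: 6
"""


def parse_replace(line, strip_values):
    """Split 'replace:attr:old:new' (layout taken from the thread)."""
    parts = line.split(":", 3)
    if len(parts) != 4 or parts[0].strip() != "replace":
        raise ValueError("not a replace directive: %r" % line)
    _, attr, old, new = parts
    if strip_values:
        old, new = old.strip(), new.strip()
    return attr.strip(), old, new


def check_update(text, strip_values):
    """Return (attr, new_value, is_valid_ldap_integer) per replace line."""
    results = []
    for line in text.splitlines():
        if not line.startswith("replace"):
            continue  # skip the dn: line and anything else
        attr, _old, new = parse_replace(line, strip_values)
        valid = LDAP_INTEGER.fullmatch(new) is not None
        results.append((attr, new, valid))
    return results


if __name__ == "__main__":
    for strip in (False, True):
        print("strip_values=%s" % strip)
        for attr, new, valid in check_update(SAMPLE_WITH_SPACES, strip):
            print("  %-24s new=%r valid_integer=%s" % (attr, new, valid))
```
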



