Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.

The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.

Attachment: freeipa-586-pwpolicy.patch
Description: application/mbox

Freeipa-devel mailing list

Reply via email to