On Mon, 25 Oct 2010 18:05:46 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:

> Use Kerberos password policy.
> 
> This lets the KDC count password failures and can lock out accounts
> for a period of time. This only works for KDC >= 1.8.
> 
> There currently is no way to unlock a locked account across a
> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
> is available unlock will be added.
> 
> The concept of a "global" password policy has changed. When we were 
> managing the policy using the IPA password plugin it was smart enough
> to search up the tree looking for a policy. The KDC is not so smart
> and relies on the krbpwdpolicyreference to find the policy. For this
> reason every user entry requires this attribute. I've created a new 
> global_policy entry to store the default password policy. All users 
> point at this now. The group policy works the same and can override
> this setting.
> rob

Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
the wrong group name (always GLOBAL apparently).

Everything else works fine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
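
The patch description above says the KDC finds a user's policy only through the krbpwdpolicyreference attribute, so an entry without it is the case to look for. The following is an added example, not part of the thread or of the FreeIPA patch: it groups Kerberos principal entries in an LDIF export by the policy they reference. The DNs, the group policy name, and the function names are constructed for illustration, and base64 (`::`) values are not decoded.

```python
# Constructed sample export; every DN and value here is made up for the demo.
SAMPLE_LDIF = """\
dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPwdPolicy

dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,
 dc=example,dc=com

dn: uid=user2,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux

dn: uid=user3,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbPrincipalAux
krbPwdPolicyReference: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse plain-text LDIF into a list of {lowercased attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # skip comment lines
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def group_by_policy(entries):
    """Map each referenced policy DN (None if absent) to the principal DNs using it."""
    result = {}
    for e in entries:
        if "krbprincipalaux" not in {c.lower() for c in e.get("objectclass", [])}:
            continue                        # not a Kerberos principal entry
        ref = e.get("krbpwdpolicyreference", [None])[0]
        result.setdefault(ref, []).append(e["dn"][0])
    return result

if __name__ == "__main__":
    print(group_by_policy(parse_ldif(SAMPLE_LDIF)))
```

Entries listed under the `None` key carry no policy reference and are the ones to review.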
