On Mon, 25 Oct 2010 18:05:46 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:

> Use Kerberos password policy.
> This lets the KDC count password failures and can lock out accounts
> for a period of time. This only works for KDC >= 1.8.
> There currently is no way to unlock a locked account across a
> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
> is available unlock will be added.
> The concept of a "global" password policy has changed. When we were 
> managing the policy using the IPA password plugin it was smart enough
> to search up the tree looking for a policy. The KDC is not so smart
> and relies on the krbpwdpolicyreference to find the policy. For this
> reason every user entry requires this attribute. I've created a new 
> global_policy entry to store the default password policy. All users 
> point at this now. The group policy works the same and can override
> this setting.
> rob

Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
the wrong group name (always GLOBAL apparently).

Everything else works fine.


Simo Sorce * Red Hat, Inc * New York
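As an added illustration of the lookup Rob describes (this is not code from the patch or from FreeIPA), a small Python model in which the KDC reaches a password policy only through the krbPwdPolicyReference attribute on the principal entry, so a group policy overrides the global_policy default and an entry without the attribute gets no lockout at all. The attribute names follow the MIT krb5 LDAP schema; the DNs, limits and failure timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy entries (DNs and values invented for this example).
# krbPwdFailureCountInterval and krbPwdLockoutDuration are in seconds.
POLICIES = {
    "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com":
        {"krbMaxPwdFailure": 5, "krbPwdFailureCountInterval": 60,
         "krbPwdLockoutDuration": 600},
    "cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com":
        {"krbMaxPwdFailure": 3, "krbPwdFailureCountInterval": 60,
         "krbPwdLockoutDuration": 1800},
}

@dataclass
class Principal:
    name: str
    krbPwdPolicyReference: Optional[str]   # None models a missing attribute
    krbLoginFailedCount: int = 0
    krbLastFailedAuth: int = 0             # epoch seconds of last failure

def effective_policy(p: Principal) -> Optional[dict]:
    # The KDC follows the reference stored on the entry itself. Unlike the
    # old IPA password plugin it does not search up the tree, so a missing
    # reference means no policy (and therefore no failure counting).
    if p.krbPwdPolicyReference is None:
        return None
    return POLICIES[p.krbPwdPolicyReference]

def is_locked(p: Principal, now: int) -> bool:
    policy = effective_policy(p)
    if policy is None or p.krbLoginFailedCount < policy["krbMaxPwdFailure"]:
        return False
    return now < p.krbLastFailedAuth + policy["krbPwdLockoutDuration"]

def record_failure(p: Principal, now: int) -> bool:
    """Count one failed authentication; return True if the entry is locked."""
    policy = effective_policy(p)
    if policy is None:
        return False
    if is_locked(p, now):
        return True
    # Failures older than the counting interval are forgotten first.
    if now - p.krbLastFailedAuth > policy["krbPwdFailureCountInterval"]:
        p.krbLoginFailedCount = 0
    p.krbLoginFailedCount += 1
    p.krbLastFailedAuth = now
    return is_locked(p, now)

def record_success(p: Principal) -> None:
    p.krbLoginFailedCount = 0   # a good login clears the counter
```

The model lets you see why every user entry must carry the reference: a principal built with `krbPwdPolicyReference=None` never locks no matter how many failures are recorded.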
