On 10/29/2010 04:39 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 25 Oct 2010 18:05:46 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:

Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts
for a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a
replica. MIT Kerberos 1.9 is adding support for doing so. Once that
is available unlock will be added.

The concept of a "global" password policy has changed. When we were
managing the policy using the IPA password plugin it was smart enough
to search up the tree looking for a policy. The KDC is not so smart
and relies on the krbpwdpolicyreference to find the policy. For this
reason every user entry requires this attribute. I've created a new
global_policy entry to store the default password policy. All users
point at this now. The group policy works the same and can override
this setting.
rob

Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
the wrong group name (always GLOBAL apparently).

Everything else works fine.

Simo.


Fixed. I dropped the special renaming of GLOBAL. We now show the actual entry name, global_policy.

rob


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK and pushed to master
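An added illustration of the resolution difference the thread describes (example code written for this page, not FreeIPA's or MIT Kerberos's own): the old IPA password plugin could fall back to a default policy when a user entry carried no reference, while the KDC only follows krbpwdpolicyreference, so a user without that attribute gets no lockout policy at all. Only the krbpwdpolicyreference attribute and the global_policy entry name come from the thread; the DN layout, the krbpwdmaxfailure/krbpwdlockoutduration attribute names and the in-memory "directory" are constructed assumptions for the example.

```python
"""Model of per-user Kerberos password-policy lookup and failure lockout.

Added example, not FreeIPA or MIT Kerberos code. The directory below is a
constructed in-memory stand-in for the LDAP tree; the DN layout and the
krbpwdmaxfailure / krbpwdlockoutduration attribute names are assumptions.
"""
from dataclasses import dataclass

REALM = "cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test"   # assumed layout
GLOBAL_POLICY = "cn=global_policy," + REALM                 # default policy entry
ADMINS_POLICY = "cn=admins," + REALM                        # group policy overriding it
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=test"
CAROL = "uid=carol,cn=users,cn=accounts,dc=example,dc=test"

# Constructed directory contents.
DIRECTORY = {
    GLOBAL_POLICY: {"krbpwdmaxfailure": 5, "krbpwdlockoutduration": 600},
    ADMINS_POLICY: {"krbpwdmaxfailure": 3, "krbpwdlockoutduration": 3600},
    ALICE: {"krbpwdpolicyreference": GLOBAL_POLICY},   # points at the default
    BOB: {"krbpwdpolicyreference": ADMINS_POLICY},     # group policy overrides it
    CAROL: {},                                         # entry without the attribute
}


def kdc_policy(user_dn):
    """KDC-style lookup: follow krbpwdpolicyreference and nothing else.

    Returns None when the entry has no reference, which is the case the
    thread fixes by giving every user entry a reference to global_policy.
    """
    ref = DIRECTORY[user_dn].get("krbpwdpolicyreference")
    return DIRECTORY.get(ref) if ref else None


def plugin_policy(user_dn):
    """Old plugin-style lookup: use the reference if present, else the default."""
    return kdc_policy(user_dn) or DIRECTORY[GLOBAL_POLICY]


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0   # seconds since epoch; 0 means not locked


class LockoutTracker:
    """Counts failed authentications per principal and applies the policy."""

    def __init__(self, resolve):
        self.resolve = resolve   # kdc_policy or plugin_policy
        self.state = {}

    def is_locked(self, user_dn, now):
        st = self.state.get(user_dn)
        return st is not None and now < st.locked_until

    def record_failure(self, user_dn, now):
        """Record one failure; return True if the account is (now) locked."""
        policy = self.resolve(user_dn)
        if policy is None:
            return False   # no policy found: nothing to enforce
        st = self.state.setdefault(user_dn, LockoutState())
        if now < st.locked_until:
            return True    # already locked; the attempt is rejected
        st.failures += 1
        if st.failures >= policy["krbpwdmaxfailure"]:
            st.locked_until = now + policy["krbpwdlockoutduration"]
            st.failures = 0
            return True
        return False


def failures_until_lock(user_dn, resolve, limit=100):
    """Number of consecutive failures that locks the account, or None if never."""
    tracker = LockoutTracker(resolve)
    for n in range(1, limit + 1):
        if tracker.record_failure(user_dn, now=0.0):
            return n
    return None


if __name__ == "__main__":
    for dn in (ALICE, BOB, CAROL):
        print(dn.split(",")[0], "kdc:", failures_until_lock(dn, kdc_policy),
              "plugin:", failures_until_lock(dn, plugin_policy))
```

Under the KDC-style lookup carol is never locked out, while under the old plugin-style lookup she inherits the default; that gap is why the patch makes every user entry carry krbpwdpolicyreference to global_policy. Bob's group policy (3 failures, 3600 s) takes precedence over the default (5 failures, 600 s) simply because his entry points at a different policy object.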