Jakub Hrozek wrote:
On Fri, Feb 11, 2011 at 01:34:39PM -0500, Rob Crittenden wrote:
Add a replace verb to ipa-ldap-updater so an existing value can be
replaced, but only if the value matches the old value in the update.

This would be used for us to replace default values that the
end-user hasn't already updated. The first one of these would be for
the kerberos password policy where our default values are on the low
side. We don't want to interfere with anything already set.

The update file would look like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6

This patch would obsolete Jan's patch titled 'Updated default
Kerberos password policy'. Simo and I had discussed doing something
like this in IRC and hadn't communicated our intentions to the rest
of the team, sorry about that.

rob

Ack

pushed to master
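
The compare-then-replace behaviour described in the quoted message, as an added sketch that is not part of the thread and is not ipa-ldap-updater's own code. The function names, the in-memory `entries` dict standing in for the directory, and the EXAMPLE.COM realm and suffix are assumptions for illustration; the update lines are the ones quoted above.

```python
from string import Template

# Update file text in the format shown in the message above.
UPDATE_FILE = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6
"""

def parse_updates(text, variables):
    """Return (dn, attr, old, new) tuples from 'replace:attr: old: new' lines."""
    updates, dn = [], None
    for raw in Template(text).substitute(variables).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("replace:"):
            if dn is None:
                raise ValueError("replace line before any dn: line")
            # Simplification: the old value must not itself contain ':'.
            parts = [p.strip() for p in line[len("replace:"):].split(":", 2)]
            if len(parts) != 3 or not all(parts):
                raise ValueError("expected replace:attr: old: new in %r" % raw)
            updates.append((dn, *parts))
        else:
            raise ValueError("unsupported line in this sketch: %r" % raw)
    return updates

def apply_replace(entries, updates):
    """Swap old for new only when old is currently present; else leave as is."""
    results = []
    for dn, attr, old, new in updates:
        values = entries.get(dn, {}).get(attr, [])  # exact-match DN lookup
        if old in values:
            values[values.index(old)] = new
            results.append((attr, "replaced"))
        else:
            results.append((attr, "skipped"))  # admin-set or already updated
    return results

def demo():
    # Constructed state: lockout duration still at the old default,
    # max failures already changed by an administrator to 5.
    variables = {"REALM": "EXAMPLE.COM", "SUFFIX": "dc=example,dc=com"}
    dn = "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
    entries = {dn: {"krbPwdLockoutDuration": ["10"], "krbPwdMaxFailure": ["5"]}}
    updates = parse_updates(UPDATE_FILE, variables)
    return entries[dn], apply_replace(entries, updates), apply_replace(entries, updates)
```

The second pass in `demo()` skips both attributes, which shows that re-running the same update file is a no-op once the default has been raised.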
