On Mon, 2013-01-14 at 16:46 +0100, Tomas Babej wrote:
> Hi,
>
> Since 32-bit unix timestamps are used in Kerberos V5, setting
> maxlife in pwpolicy to values such as 9999 days would cause
> integer overflow in the krbPasswordExpiration attribute.
>
> This would result in unpredictable behaviour such as users
> not being able to log in after password expiration if password
> policy was changed (#3114) or new users not being able to log
> in at all (#3312).
>
> https://fedorahosted.org/freeipa/ticket/3312
> https://fedorahosted.org/freeipa/ticket/3114

Given that we control the KDC LDAP driver, I think we should not limit the time in LDAP but rather 'fix-it-up' for the KDC in the DAL driver.

So I would like to Nack this one, sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
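
The overflow described in the quoted patch mail and a read-side clamp of the kind the reply suggests, as an added example that is not FreeIPA code and not part of the original thread. The function names and the sample timestamp are hypothetical, and the sketch assumes the KDC-side timestamp is a signed 32-bit count of seconds and that both inputs are non-negative.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Expiry as it reads back once squeezed into 32 signed bits: the value
 * wraps modulo 2^32 (computed without relying on signed overflow). */
static int32_t expiry_truncated(int64_t last_change, int64_t maxlife_days)
{
    uint32_t low = (uint32_t)(last_change + maxlife_days * SECS_PER_DAY);
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* Read-side fix-up: the directory keeps the full value, and the consumer
 * saturates at the largest timestamp 32 signed bits can represent.
 * Assumption: last_change and maxlife_days are non-negative. */
static int32_t expiry_for_kdc(int64_t last_change, int64_t maxlife_days)
{
    /* Guard the 64-bit multiplication and addition first. */
    if (maxlife_days > (INT64_MAX - last_change) / SECS_PER_DAY)
        return INT32_MAX;
    int64_t expiry = last_change + maxlife_days * SECS_PER_DAY;
    return expiry > INT32_MAX ? INT32_MAX : (int32_t)expiry;
}

int main(void)
{
    /* Constructed sample: a password changed in January 2013. */
    const int64_t last_change = 1358178360LL;
    const int64_t days[] = { 90, 9999 };

    for (int i = 0; i < 2; i++) {
        printf("maxlife=%lld days: truncated=%d clamped=%d\n",
               (long long)days[i],
               (int)expiry_truncated(last_change, days[i]),
               (int)expiry_for_kdc(last_change, days[i]));
    }
    return 0;
}
```

With a maxlife of 9999 days the truncated value is negative, so the password reads as having expired before 1970, while the clamped value stays at the 32-bit maximum.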