Dmitri Pal wrote:
On 01/15/2013 08:48 AM, Simo Sorce wrote:
On Mon, 2013-01-14 at 16:46 +0100, Tomas Babej wrote:
Hi,

Since Kerberos V5 uses 32-bit Unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
an integer overflow in the krbPasswordExpiration attribute.

This would result in unpredictable behaviour, such as users
not being able to log in after password expiration if the password
policy was changed (#3114), or new users not being able to log
in at all (#3312).

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
Given that we control the KDC LDAP driver I think we should not limit
the time in LDAP but rather 'fix-it-up' for the KDC in the DAL driver.

Fix how? Truncate to max in the driver itself if it was entered beyond max?
Shouldn't we also prevent entering the invalid value into the attribute?


I've been mulling the same question for a while. Why would we want to let bad data get into the directory?

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
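The two options discussed in this thread (reject an over-large maxlife before it reaches LDAP, or clamp the computed expiration to the 32-bit maximum in the DAL driver) side by side, as an added example that is not FreeIPA or MIT krb5 code. It assumes the expiration is last password change plus maxlife days, and that the KDC stores it as a signed 32-bit Unix timestamp (krb5_timestamp); the function names and the constructed dates are illustrative, not the project's own.

```python
"""Check whether a pwpolicy maxlife fits the KDC's 32-bit timestamp.

Added illustration, not FreeIPA code. Assumption: expiration is
last password change + maxlife days, held by the KDC as a signed
32-bit Unix timestamp (krb5_timestamp), so anything past
2038-01-19T03:14:07Z cannot be represented.
"""
from datetime import datetime, timedelta, timezone

KRB5_TIMESTAMP_MAX = 2**31 - 1      # largest value a signed 32-bit time_t holds
SECONDS_PER_DAY = 86400


def expiration_epoch(last_change, maxlife_days):
    """Unbounded Unix time (Python int) at which the password would expire."""
    return int((last_change + timedelta(days=maxlife_days)).timestamp())


def fits_krb5_timestamp(ts):
    """True if ts can be stored in a signed 32-bit timestamp without wrapping."""
    return 0 <= ts <= KRB5_TIMESTAMP_MAX


def wrap_to_int32(ts):
    """What an unchecked store into a signed 32-bit field actually keeps:
    two's-complement wraparound, so a far-future expiration turns into a
    date decades in the past, i.e. an already-expired password."""
    return ((ts + 2**31) % 2**32) - 2**31


def max_maxlife_days(reference):
    """Largest whole number of days after `reference` that still fits."""
    return (KRB5_TIMESTAMP_MAX - int(reference.timestamp())) // SECONDS_PER_DAY


def validate_maxlife(maxlife_days, now):
    """Option 1 (reject at input): refuse a maxlife that would already
    overflow for a password changed right now. Hypothetical helper."""
    limit = max_maxlife_days(now)
    if maxlife_days > limit:
        raise ValueError(
            f"maxlife of {maxlife_days} days would overflow the 32-bit "
            f"Kerberos timestamp; at most {limit} days fit from {now:%Y-%m-%d}"
        )
    return maxlife_days


def clamp_for_kdc(ts):
    """Option 2 (fix up in the driver): hand the KDC the largest
    representable expiration instead of a wrapped value. Hypothetical helper."""
    return min(max(ts, 0), KRB5_TIMESTAMP_MAX)


if __name__ == "__main__":
    # Constructed sample: a password last changed on the day of the report.
    changed = datetime(2013, 1, 14, tzinfo=timezone.utc)
    for days in (90, 9999):
        ts = expiration_epoch(changed, days)
        print(f"maxlife={days:5d} days -> expiration {ts} "
              f"fits={fits_krb5_timestamp(ts)} "
              f"wrapped={wrap_to_int32(ts)} "
              f"clamped={clamp_for_kdc(ts)}")
    print("days that still fit from", changed.date(), "=", max_maxlife_days(changed))
```

Note that the input-side check is against a moving limit: a policy that fits today is one day closer to overflowing every day, and the expiration is recomputed at each password change, so rejecting bad values at entry does not by itself make the driver-side clamp unnecessary.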