On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
> On 05/02/2016 02:28 PM, David Kupka wrote:
> > https://fedorahosted.org/freeipa/ticket/2795
> That patch looks suspiciously short given the struggles I saw in
> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
> :-)
> Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid filling
> "krbPasswordExpiration" attribute at all, i.e. have password *without*
> expiration? Or is krbPasswordExpiration mandatory?

So I looked at the MIT code, and it seem like they are coping just fine
with a missing (ie value = 0 internally) pw_expiration attribute.

So if we make our code cope with omitting any expiration if the
attribute is missing then yes, we can mark no expiration with simply
removing (or not setting) the krbPasswordExpiration attribute.
The attribute itself is optional and can be omitted.

I think this is a good idea, and is definitely better than inventing a a
magic value.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to