On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote: > On 05/02/2016 02:28 PM, David Kupka wrote: > > https://fedorahosted.org/freeipa/ticket/2795 > > That patch looks suspiciously short given the struggles I saw in > http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html > :-) > > Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid filling > "krbPasswordExpiration" attribute at all, i.e. have password *without* > expiration? Or is krbPasswordExpiration mandatory?
So I looked at the MIT code, and it seem like they are coping just fine with a missing (ie value = 0 internally) pw_expiration attribute. So if we make our code cope with omitting any expiration if the attribute is missing then yes, we can mark no expiration with simply removing (or not setting) the krbPasswordExpiration attribute. The attribute itself is optional and can be omitted. I think this is a good idea, and is definitely better than inventing a a magic value. Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code