On Fri, 28 Jan 2011 09:20:37 -0500
James Roman <james.ro...@ssaihq.com> wrote:
> OK. Now I feel like an idiot. I swear that was the first thing I
> checked. It seems the password policy on this server was set at the
> base, instead of cn=users. We have a script that reports on expiring
> accounts in the cn=accounts branch, but not under cn=etc. I now know
> what to fix. Thanks.

First of all, I am glad this was resolved, it looked puzzling indeed.
I just want to note that we do not support using the DS password policy
in ipa as we already have the kerberos pw policy, that's why the uid=kdc
was not "protected" against it.
In v2 we perfected the pw policies check so that the kerberos policies
also cover binds done against DS directly.
I also am adding a patch so that uid=kdc is protected in case DS policy
is enabled nonetheless for whatever reason.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list