On Fri, 28 Jan 2011 09:20:37 -0500
James Roman <james.ro...@ssaihq.com> wrote:

> OK. Now I feel like an idiot. I swear that was the first thing I 
> checked. It seems the password policy on this server was set at the 
> base, instead of cn=users. We have a script that reports on expiring 
> accounts in the cn=accounts branch, but not under cn=etc. I now know 
> what to fix. Thanks.

First of all,
I am glad this was resolved, it looked puzzling indeed.

I just want to note that we do not support using the DS password policy
in IPA as we already have the Kerberos pw policy, that's why the uid=kdc
was not "protected" against it.

In v2 we perfected the pw policies check so that the Kerberos policies
also cover binds done against DS directly.

I also am adding a patch so that uid=kdc is protected in case DS policy
is enabled nonetheless for whatever reason.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list