On 01/28/2011 10:39 AM, Simo Sorce wrote:
First of all.
I am glad this was resolved, it looked puzzling indeed.
I just want to note that we do not support using the DS password policy
in ipa as we already have the kerberos pw policy, that's why the uid=kdc
was not "protected" against it.
In v2 we perfected the pw policies check so that the kerberos policies
cover also binds done against DS directly.
Just to clarify, in v2 Kerberos password policies also cover ldap binds?
I also am adding a patch so that uid=kdc is protected in case DS policy
is enabled nonetheless for whatever reason.
Freeipa-users mailing list