On Fri, 28 Jan 2011 17:39:14 -0500
James Roman <james.ro...@ssaihq.com> wrote:
> On 01/28/2011 10:39 AM, Simo Sorce wrote:
> > Rirst of all.
> > I am glad this was resolved, it looked puzzling indeed.
> > I just want to note that we do not support using the DS password
> > policy in ipa as we already have the kerberos pw policy, that's why
> > the uid=kdc was not "protected" against it.
> > In v2 we perfected the pw policies check so that the kerberos
> > policies covers also binds done against DS directly.
> Just to clarify, in v2 Kerberos password policies also cover ldap
Yes with have a bind pre/post op plugin that enforces the same
account/password policies for ldap binds too.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list