Re: [Freeipa-devel] krbpwdpolicypreference issues
On Fri, 2013-12-20 at 15:16 +0100, Petr Viktorin wrote:
> On 12/20/2013 03:07 PM, Simo Sorce wrote:
> > On Fri, 2013-12-20 at 14:59 +0100, Petr Viktorin wrote:
> >> On 12/20/2013 02:46 PM, Simo Sorce wrote:
> >>> On Fri, 2013-12-20 at 10:22 +0100, Petr Viktorin wrote:
> >>>> On 12/19/2013 10:24 PM, Simo Sorce wrote:
> >>>>> I have been looking at how we deal with krbpwdpolicypreference as we
> >>>>> found issues with AD synced users, which get no password policy :/
> >>>>>
> >>>>> I found out that we do not rely on CoS anymore for setting the attribute
> >>>>> (origin of this bug I would guess), but instead explicitly set the
> >>>>> policy on user objects.
> >>>>>
> >>>>> Why is that?
> >>>>>
> >>>>> Also I still see in bootstrap-template.ldif that we create a Password
> >>>>> Policy object in cn=accounts in theory, but I do not have this object on
> >>>>> my server, what happens to it, what removes it? Why?
> >>>>
> >>>> I don't see it in any update file. Was your server installed before this
> >>>> was added (2009-10-02)?
> >>>
> >>> Actually it is indeed possible, but then why was there no update file
> >>> with the change?
> >>
> >> Maybe Rob can tell us a reason. It was added in commit dac224c2.
> >> Most likely it's a bug, please file a ticket.
> >
> > Ok, anyway this part was not interesting, I am more interested in why we
> > explicitly add krbpwdpolicypreference to the user object and do not use
> > CoS for the default?
>
> I found some discussion at https://fedorahosted.org/freeipa/ticket/51.
> For further questions I guess you'll need to wait for Rob.

Alexander found the commit, and had a pretty explanatory message.
I opened a bug because the reason that prompted that change is actually
no more.

We'll discuss after the holidays break how to best address the whole
issue.

Thanks for digging up stuff :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] krbpwdpolicypreference issues
On 12/20/2013 03:07 PM, Simo Sorce wrote:
> On Fri, 2013-12-20 at 14:59 +0100, Petr Viktorin wrote:
>> On 12/20/2013 02:46 PM, Simo Sorce wrote:
>>> On Fri, 2013-12-20 at 10:22 +0100, Petr Viktorin wrote:
>>>> On 12/19/2013 10:24 PM, Simo Sorce wrote:
>>>>> I have been looking at how we deal with krbpwdpolicypreference as we
>>>>> found issues with AD synced users, which get no password policy :/
>>>>>
>>>>> I found out that we do not rely on CoS anymore for setting the attribute
>>>>> (origin of this bug I would guess), but instead explicitly set the
>>>>> policy on user objects.
>>>>>
>>>>> Why is that?
>>>>>
>>>>> Also I still see in bootstrap-template.ldif that we create a Password
>>>>> Policy object in cn=accounts in theory, but I do not have this object on
>>>>> my server, what happens to it, what removes it? Why?
>>>>
>>>> I don't see it in any update file. Was your server installed before this
>>>> was added (2009-10-02)?
>>>
>>> Actually it is indeed possible, but then why was there no update file
>>> with the change?
>>
>> Maybe Rob can tell us a reason. It was added in commit dac224c2.
>> Most likely it's a bug, please file a ticket.
>
> Ok, anyway this part was not interesting, I am more interested in why we
> explicitly add krbpwdpolicypreference to the user object and do not use
> CoS for the default?

I found some discussion at https://fedorahosted.org/freeipa/ticket/51.
For further questions I guess you'll need to wait for Rob.

--
Petr³

Re: [Freeipa-devel] krbpwdpolicypreference issues
On Fri, 2013-12-20 at 14:59 +0100, Petr Viktorin wrote:
> On 12/20/2013 02:46 PM, Simo Sorce wrote:
> > On Fri, 2013-12-20 at 10:22 +0100, Petr Viktorin wrote:
> >> On 12/19/2013 10:24 PM, Simo Sorce wrote:
> >>> I have been looking at how we deal with krbpwdpolicypreference as we
> >>> found issues with AD synced users, which get no password policy :/
> >>>
> >>> I found out that we do not rely on CoS anymore for setting the attribute
> >>> (origin of this bug I would guess), but instead explicitly set the
> >>> policy on user objects.
> >>>
> >>> Why is that?
> >>>
> >>> Also I still see in bootstrap-template.ldif that we create a Password
> >>> Policy object in cn=accounts in theory, but I do not have this object on
> >>> my server, what happens to it, what removes it? Why?
> >>
> >> I don't see it in any update file. Was your server installed before this
> >> was added (2009-10-02)?
> >
> > Actually it is indeed possible, but then why was there no update file
> > with the change?
>
> Maybe Rob can tell us a reason. It was added in commit dac224c2.
> Most likely it's a bug, please file a ticket.

Ok, anyway this part was not interesting, I am more interested in why we
explicitly add krbpwdpolicypreference to the user object and do not use
CoS for the default?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] krbpwdpolicypreference issues
On 12/20/2013 02:46 PM, Simo Sorce wrote:
> On Fri, 2013-12-20 at 10:22 +0100, Petr Viktorin wrote:
>> On 12/19/2013 10:24 PM, Simo Sorce wrote:
>>> I have been looking at how we deal with krbpwdpolicypreference as we
>>> found issues with AD synced users, which get no password policy :/
>>>
>>> I found out that we do not rely on CoS anymore for setting the attribute
>>> (origin of this bug I would guess), but instead explicitly set the
>>> policy on user objects.
>>>
>>> Why is that?
>>>
>>> Also I still see in bootstrap-template.ldif that we create a Password
>>> Policy object in cn=accounts in theory, but I do not have this object on
>>> my server, what happens to it, what removes it? Why?
>>
>> I don't see it in any update file. Was your server installed before this
>> was added (2009-10-02)?
>
> Actually it is indeed possible, but then why was there no update file
> with the change?

Maybe Rob can tell us a reason. It was added in commit dac224c2.
Most likely it's a bug, please file a ticket.

--
Petr³

Re: [Freeipa-devel] krbpwdpolicypreference issues
On Fri, 2013-12-20 at 10:22 +0100, Petr Viktorin wrote:
> On 12/19/2013 10:24 PM, Simo Sorce wrote:
> > I have been looking at how we deal with krbpwdpolicypreference as we
> > found issues with AD synced users, which get no password policy :/
> >
> > I found out that we do not rely on CoS anymore for setting the attribute
> > (origin of this bug I would guess), but instead explicitly set the
> > policy on user objects.
> >
> > Why is that?
> >
> > Also I still see in bootstrap-template.ldif that we create a Password
> > Policy object in cn=accounts in theory, but I do not have this object on
> > my server, what happens to it, what removes it? Why?
>
> I don't see it in any update file. Was your server installed before this
> was added (2009-10-02)?

Actually it is indeed possible, but then why was there no update file
with the change?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] krbpwdpolicypreference issues
On 12/19/2013 10:24 PM, Simo Sorce wrote:
> I have been looking at how we deal with krbpwdpolicypreference as we
> found issues with AD synced users, which get no password policy :/
>
> I found out that we do not rely on CoS anymore for setting the attribute
> (origin of this bug I would guess), but instead explicitly set the
> policy on user objects.
>
> Why is that?
>
> Also I still see in bootstrap-template.ldif that we create a Password
> Policy object in cn=accounts in theory, but I do not have this object on
> my server, what happens to it, what removes it? Why?

I don't see it in any update file. Was your server installed before this
was added (2009-10-02)?

--
Petr³