On Tue, Feb 17, 2015 at 10:56:43PM +0100, Pavel Reichl wrote:
> Hello,
>
> please see attached patches resolving
> https://fedorahosted.org/sssd/ticket/2167
>
> The 1st patch contains some minor refactoring useful for the 2nd patch.
>
> How to test:
> On OpenLDAP the following attributes should be set:
> * shadowMax - how many days after shadowLastChange the password will expire
> * shadowWarning - how many days before the password expires the warning should be
> displayed.
>
> The sssd.conf domain section should contain something similar to:
>
> access_provider = ldap
> ldap_access_order = expire, expire_policy
> ldap_account_expire_policy = shadow
> ldap_pwd_policy = shadow
>
> Thanks!
Hi Pavel,

I've tested the patch with FreeIPA and ldap_pwd_policy = mit_kerberos and it is working as expected. Nevertheless I have a few comments.

First, I would recommend renaming the option: 'expire_policy' is ambiguous because it is not clear which expiration is meant, account or password. Since it is tightly related to ldap_pwd_policy I would prefer 'pwd_policy' or 'pwd_expire_policy' ('ldap_pwd_policy' might not be a good choice because then we would have an option name and an option value with the same name, which might be confusing).

My main comment is about moving the check of whether it is configured. Although I see the point of doing the check only once, I think it should be done in the auth and access provider. Since it is run from the cache there shouldn't be any great delay for the user. This will make your patch easier and the check is still done for applications only calling pam_authenticate.

In the man page you should explicitly mention that ldap_pwd_policy must be set to make the new option work, because the default for ldap_pwd_policy is 'none'.

bye,
Sumit
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
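Added example, not part of the thread and not SSSD's own (C) implementation: a small Python script that does the two things the exchange above talks about. It checks the sssd.conf precondition Sumit raises (ldap_access_order naming the new value while ldap_pwd_policy is still at its default 'none'), using the option value 'expire_policy' exactly as Pavel's test instructions spell it, and it evaluates the shadowLastChange/shadowMax/shadowWarning attributes from Pavel's OpenLDAP setup the way shadow(5) defines them (days since 1970-01-01; shadowLastChange of 0 means "change at next login"; 99999 or a negative shadowMax treated as "never" is an assumption of this script). The configuration text and the LDAP entries are constructed for the example.

```python
"""Added example (not SSSD code): sssd.conf precondition check plus a
shadow(5)-style password-expiry evaluation over constructed input."""
import configparser
from datetime import date

EPOCH = date(1970, 1, 1)
SHADOW_NEVER = 99999   # assumption: 99999 or a negative shadowMax means "never expires"
SAMPLE_TODAY = date(2015, 2, 17)   # fixed "today" so results are reproducible


def days_since_epoch(day):
    """shadowLastChange is stored as days since 1970-01-01."""
    return (day - EPOCH).days


def check_sssd_conf(text):
    """Return a list of misconfigurations found in [domain/...] sections.

    Single rule, taken from the review: an ldap_access_order that lists
    'expire_policy' (the value used in the patch under review) does nothing
    unless ldap_pwd_policy is set to something other than its default 'none'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        order = [tok.strip() for tok in
                 cp.get(section, "ldap_access_order", fallback="").split(",")]
        policy = cp.get(section, "ldap_pwd_policy", fallback="none").strip()
        if "expire_policy" in order and policy == "none":
            problems.append(f"[{section}] ldap_access_order contains "
                            f"expire_policy but ldap_pwd_policy is 'none' (the default)")
    return problems


def shadow_status(entry, today):
    """Classify an LDAP entry's shadow attributes as of `today` (a date).

    `entry` maps attribute name -> string value, as an LDAP client hands it
    over.  Returns (state, days_left) with state one of:
      'no_policy' - no shadowLastChange, nothing to enforce
      'expired'   - past shadowLastChange + shadowMax, or shadowLastChange
                    is 0 (shadow(5): must change password at next login)
      'warn'      - within shadowWarning days of expiry
      'ok'        - nothing to do
    """
    if "shadowLastChange" not in entry:
        return ("no_policy", None)
    last_change = int(entry["shadowLastChange"])
    if last_change == 0:
        return ("expired", 0)
    max_days = int(entry.get("shadowMax", SHADOW_NEVER))
    if max_days < 0 or max_days >= SHADOW_NEVER:
        return ("ok", None)
    days_left = last_change + max_days - days_since_epoch(today)
    if days_left < 0:
        return ("expired", days_left)
    warn_days = int(entry.get("shadowWarning", 0))
    if warn_days > 0 and days_left <= warn_days:
        return ("warn", days_left)
    return ("ok", days_left)


# Constructed sample input: the domain section from Pavel's mail, once with
# ldap_pwd_policy left unset (so it defaults to 'none') and once set as his
# test instructions say.
CONF_MISSING_POLICY = """
[domain/example]
access_provider = ldap
ldap_access_order = expire, expire_policy
ldap_account_expire_policy = shadow
"""

CONF_OK = CONF_MISSING_POLICY + "ldap_pwd_policy = shadow\n"

if __name__ == "__main__":
    for problem in check_sssd_conf(CONF_MISSING_POLICY):
        print("problem:", problem)
    print("fixed config problems:", check_sssd_conf(CONF_OK))
    base = days_since_epoch(SAMPLE_TODAY)
    # Constructed entry: password changed 80 days ago, valid 90 days, warn 14 days ahead.
    user = {"shadowLastChange": str(base - 80), "shadowMax": "90", "shadowWarning": "14"}
    print("user:", shadow_status(user, SAMPLE_TODAY))
```

The config check is the part Sumit asks to keep cheap and to run in the auth and access provider; here it is a pure function over the parsed file so it can be called as often as needed. The shadow evaluation intentionally returns the signed number of days so a caller can both decide access and format the warning Pavel's shadowWarning setting is meant to produce.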