Set default LDAP password grace period to -1

This retains the existing behavior, in which LDAP binds with an
expired password are still allowed.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rob Crittenden
2022-06-01 11:17:41 -04:00
committed by Florence Blanc-Renaud
parent d2b296454c
commit 9b0fbdc37b
3 changed files with 10 additions and 5 deletions


@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
option: Int('krbpwdminlength?', cli_name='minlength')
option: Int('passwordgracelimit?', cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
@@ -4108,7 +4108,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Int('sizelimit?', autofill=False)
@@ -4137,7 +4137,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr')


@@ -39,6 +39,7 @@ changetype: add
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
objectClass: ipaPwdPolicy
krbMinPwdLife: 3600
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
@@ -47,4 +48,4 @@ krbMaxPwdLife: 7776000
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
passwordGraceLimit: -1
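Review bot: The `passwordGraceLimit: -1` line in the second hunk ships a default global policy under which an expired password keeps working for LDAP binds with no limit, and nothing in the template says so. A comment above it would make that choice visible to anyone auditing the installed policy, for example `# -1 = expiration not enforced on LDAP bind (previous behaviour); set 0 or higher to enforce`. Because the entry is created with `changetype: add`, this template presumably affects new installations only. Whether already-deployed global policies receive the `ipaPwdPolicy` object class and this attribute is not visible in this commit and is worth confirming.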


@@ -62,6 +62,10 @@ policy.
Group password policies are automatically removed when the groups they
are associated with are removed.
Grace period defines the number of LDAP logins allowed after expiration.
-1 means do not enforce expiration to match previous behavior. 0 allows
no additional logins after expiration.
EXAMPLES:
Modify the global policy:
@@ -403,7 +407,7 @@ class pwpolicy(LDAPObject):
doc=_('Number of LDAP authentications allowed after expiration'),
minvalue=-1,
maxvalue=Int.MAX_UINT32,
default=0,
default=-1,
),
)
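Review bot: The `doc=` string in the second hunk still reads only 'Number of LDAP authentications allowed after expiration', so the `gracelimit` option help does not tell an administrator that the new default of -1 turns expiration enforcement off. Only the module help text added in the first hunk explains what -1 and 0 mean. I would carry that into the option itself, e.g. `doc=_('Number of LDAP authentications allowed after expiration (-1 = not enforced, 0 = none)'),`. The parameter definition starts above the hunk, so its name and label are not visible here.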