doc: Update LDAP grace period design with default values

New group password policies will get -1 (unlimited) on creation by default. Existing group password policies will remain untouched and those created prior will be treated as no BIND allowed. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-03 04:01:27 -06:00 · 2022-08-18 08:21:58 -04:00 · 2022-08-18 08:21:58 -04:00 · b6587d3361
commit b6587d3361
parent 77803587d6
1 changed files with 16 additions and 1 deletions
--- a/doc/designs/ldap_grace_period.md
+++ b/doc/designs/ldap_grace_period.md
@ -51,7 +51,22 @@ The basic flow is:

 On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.

-The default value on install/upgrade will be -1 to retail existing behavior.
+Range values for passwordgracelimit are:
+
+-1 : password grace checking is disabled
+ 0 : no grace BIND are allowed at all post-expiration
+ 1..MAXINT: the number of BIND allowed post-expiration
+
+The default value for the global policy on install/upgrade will be -1 to
+retain existing behavior.
+
+New group password policies will default to -1 to retain previous
+behavior.
+
+Existing group policies with no grace limit set are updated to use
+the default unlimited value, -1. This is done because lack of value in
+LDAP is treated as 0 so any existing group policies would not allow
+post-expiration BIND so this will avoid confusion.

 The per-user attempts will not be replicated.