pwpolicy: do not run klist on import

On pwpolicy module import, "klist -V" is run to determine if the installed krb5 version supports account lockout (>= 1.8). Remove the check, as we require a krb5 version which does support account lockout (1.12). https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-08-24 13:32:29 +02:00
parent 9477e39b4b
commit cc5ad6b3f9
2 changed files with 22 additions and 38 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -86,7 +86,6 @@ BuildRequires:  python-lesscpy
 #
 # Build dependencies for makeapi/makeaci
 #
-BuildRequires:  krb5-workstation
 BuildRequires:  python-ldap
 BuildRequires:  python-nss
 BuildRequires:  python-netaddr
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -31,9 +31,7 @@ from .baseldap import (
 from ipalib import _
 from ipalib.plugable import Registry
 from ipalib.request import context
-from ipapython.ipautil import run
 from ipapython.dn import DN
-from distutils import version

 import six

@@ -282,40 +280,6 @@ class pwpolicy(LDAPObject):
        },
    }

-    MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
-    has_lockout = False
-    lockout_params = ()
-
-    result = run(['klist', '-V'], raiseonerr=False, capture_output=True)
-    if result.returncode == 0:
-        verstr = result.output.split()[-1]
-        ver = version.LooseVersion(verstr)
-        min = version.LooseVersion(MIN_KRB5KDC_WITH_LOCKOUT)
-        if ver >= min:
-                has_lockout = True
-
-    if has_lockout:
-        lockout_params = (
-            Int('krbpwdmaxfailure?',
-                cli_name='maxfail',
-                label=_('Max failures'),
-                doc=_('Consecutive failures before lockout'),
-                minvalue=0,
-            ),
-            Int('krbpwdfailurecountinterval?',
-                cli_name='failinterval',
-                label=_('Failure reset interval'),
-                doc=_('Period after which failure count will be reset (seconds)'),
-                minvalue=0,
-            ),
-            Int('krbpwdlockoutduration?',
-                cli_name='lockouttime',
-                label=_('Lockout duration'),
-                doc=_('Period for which lockout is enforced (seconds)'),
-                minvalue=0,
-            ),
-        )
-
    label = _('Password Policies')
    label_singular = _('Password Policy')

@@ -365,7 +329,28 @@ class pwpolicy(LDAPObject):
            minvalue=0,
            flags=('virtual_attribute',),
        ),
-    ) + lockout_params
+        Int(
+            'krbpwdmaxfailure?',
+            cli_name='maxfail',
+            label=_('Max failures'),
+            doc=_('Consecutive failures before lockout'),
+            minvalue=0,
+        ),
+        Int(
+            'krbpwdfailurecountinterval?',
+            cli_name='failinterval',
+            label=_('Failure reset interval'),
+            doc=_('Period after which failure count will be reset (seconds)'),
+            minvalue=0,
+        ),
+        Int(
+            'krbpwdlockoutduration?',
+            cli_name='lockouttime',
+            label=_('Lockout duration'),
+            doc=_('Period for which lockout is enforced (seconds)'),
+            minvalue=0,
+        ),
+    )

    def get_dn(self, *keys, **options):
        if keys[-1] is not None: