Set default LDAP password grace period to -1

This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2022-06-01 11:17:41 -04:00
parent 08ab274744
commit deb0c76556
3 changed files with 10 additions and 5 deletions

@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
option: Int('krbpwdminlength?', cli_name='minlength')
option: Int('passwordgracelimit?', cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
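Review bot: Nothing in this commit tests the new default on the add command's gracelimit option, and the summary lists only 3 changed files, none of them shown as a test. With default=-1, a policy created without --gracelimit will not enforce expiration on LDAP binds, so please add a test that creates a policy without gracelimit and asserts passwordgracelimit comes back as -1, to catch a later accidental change of this security-relevant default.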
@ -4108,7 +4108,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Int('sizelimit?', autofill=False)
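Review bot: The gracelimit option in this hunk sits among search options (pkey_only, sizelimit) and carries default=-1 with autofill=False. Please confirm that the default is never applied as a search filter when the option is omitted, otherwise a find would silently return only policies whose grace limit is -1. If the default is purely descriptive here, consider whether a search option should carry one at all.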
@ -4137,7 +4137,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr')
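Review bot: On this gracelimit line (the one alongside rights and setattr), default=-1 is paired with autofill=False. Please confirm that a modify call which omits gracelimit leaves an administrator-set value in place rather than writing -1 back. A regression there would quietly turn expiration enforcement off for a policy that had it on, so a test that sets gracelimit to 0, modifies an unrelated attribute and re-reads the value would be worth adding.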

@ -39,6 +39,7 @@ changetype: add
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
objectClass: ipaPwdPolicy
krbMinPwdLife: 3600
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
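Review bot: The objectClass: ipaPwdPolicy line belongs to an entry created with changetype: add, so it only takes effect where the entry is created fresh. Nothing visible in this commit covers an existing global policy entry that lacks the object class. Please point to the update that adds ipaPwdPolicy (and the attribute) on upgrade, or state in the commit message that existing entries are handled elsewhere.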
@ -47,4 +48,4 @@ krbMaxPwdLife: 7776000
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
passwordGraceLimit: -1

@ -62,6 +62,10 @@ policy.
Group password policies are automatically removed when the groups they
are associated with are removed.
Grace period defines the number of LDAP logins allowed after expiration.
-1 means do not enforce expiration to match previous behavior. 0 allows
no additional logins after expiration.
EXAMPLES:
Modify the global policy:
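Review bot: The added sentence "-1 means do not enforce expiration to match previous behavior." reads ambiguously and does not say that -1 is now the default. Suggest something like "-1 (the default) disables enforcement, so expired passwords can still bind over LDAP, as in previous releases", and tell administrators who want expiration enforced that they must set the grace limit to 0 or higher explicitly. The new paragraph also runs straight into EXAMPLES: and needs a blank line before it.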
@ -403,7 +407,7 @@ class pwpolicy(LDAPObject):
doc=_('Number of LDAP authentications allowed after expiration'),
minvalue=-1,
maxvalue=Int.MAX_UINT32,
default=0,
default=-1,
),
)
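Review bot: With default=-1 and minvalue=-1, the value -1 is a sentinel sitting next to a range that runs up to Int.MAX_UINT32, yet the doc string still reads only 'Number of LDAP authentications allowed after expiration'. Please mention in the doc string that -1 disables enforcement, since this text is what users see in the option help and the default now means expired passwords keep working for LDAP binds.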