freeipa/daemons/ipa-slapi-plugins
Rob Crittenden f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is supported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
common Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
ipa-cldap ipa_cldap: fix memory leak 2022-02-11 13:31:34 +02:00
ipa-dns slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-enrollment slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-extdom-extop extdom: use getorigby{user|group}name if available 2022-03-16 11:08:39 +02:00
ipa-graceperiod Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
ipa-lockout slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-modrdn slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-counter slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-lasttoken User must not be able to delete his last active otp token 2018-02-15 14:10:48 +01:00
ipa-pwd-extop Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
ipa-range-check slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-sidgen ipa-sidgen: make internal fetch_attr helper really internal 2018-12-14 14:04:02 +01:00
ipa-uuid 389-ds-base crashed as part of ipa-server-install in ipa-uuid 2017-11-08 08:06:35 +01:00
ipa-version ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
ipa-winsync Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
libotp Fix compiler warnings in libotp 2020-09-26 10:43:42 +03:00
topology Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
Makefile.am Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00