mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Password changes performed by cn=Directory Manager are excluded from password policy checks according to [1]. This is correctly handled by ipa-pwd-extop in case of a normal Kerberos principal in IPA. However, non-Kerberos accounts were not excluded from the check.

As a result, password updates for PKI CA admin account in o=ipaca were failing if a password policy does not allow a password reuse. We are re-setting the password for PKI CA admin in ipa-replica-prepare in case the original directory manager's password was updated since creation of `cacert.p12`.

Do password policy check for non-Kerberos accounts only if it was set by a regular user or admin. Changes performed by a cn=Directory Manager and passsync managers should be excluded from the policy check.

Fixes: https://pagure.io/freeipa/issue/7181

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

- dnssec
- ipa-kdb
- ipa-otpd
- ipa-sam
- ipa-slapi-plugins
- ipa-version.h.in
- Makefile.am