freeipa/ipaserver/install
Rob Crittenden f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is supported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
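The bind decision the commit message describes, as an added model written for this page (not the 389-ds plugin's own code): the objectclass filter, the negative-limit escape, the per-user counter compared against the policy limit, the remaining count reported only when the ppolicy control accompanies the bind, and the counter reset on password change. Only passwordGraceLimit and passwordGraceUserTime come from the commit; the expiry attribute name, the "missing limit means disabled" default and the entry layout are assumptions.

```python
# Added illustration of the grace-bind rules described in the commit message.
# It is a model of the behaviour, not the 389-ds plugin's code; attribute names
# other than passwordGraceLimit and passwordGraceUserTime are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Only entries with one of these object classes are subject to grace limiting.
GRACE_CLASSES = {"posixaccount", "simplesecurityobject"}


@dataclass
class BindResult:
    allowed: bool
    remaining: Optional[int]  # reported only when the bind carried the ppolicy control
    reason: str


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def password_expired(entry: dict, now: datetime) -> bool:
    # Assumed: expiry is stored as a datetime under krbPasswordExpiration.
    exp = entry.get("krbPasswordExpiration")
    return exp is not None and now >= exp


def evaluate_bind(entry: dict, policy: dict, now: datetime,
                  ppolicy_control: bool = False) -> BindResult:
    """Apply the grace rules to one bind, updating the per-user counter in place."""
    if not password_expired(entry, now):
        return BindResult(True, None, "password not expired")
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if not classes & GRACE_CLASSES:
        return BindResult(True, None, "entry is outside grace limiting")
    limit = int(policy.get("passwordGraceLimit", -1))  # assumed default: disabled
    if limit < 0:
        return BindResult(True, None, "grace limiting disabled (limit < 0)")
    used = int(entry.get("passwordGraceUserTime", 0))
    if used >= limit:
        return BindResult(False, 0 if ppolicy_control else None,
                          "grace binds exhausted; administrator must reset the password")
    entry["passwordGraceUserTime"] = used + 1
    return BindResult(True, limit - used - 1 if ppolicy_control else None,
                      "grace bind accepted")


def reset_password(entry: dict, new_expiration: datetime) -> None:
    """A password reset sets the new expiry and clears the grace counter."""
    entry["krbPasswordExpiration"] = new_expiration
    entry["passwordGraceUserTime"] = 0
```

With passwordGraceLimit set to 2, an expired posixAccount gets exactly two more binds (remaining 1, then 0) and the third is refused until reset_password() zeroes the counter.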
plugins ipatests: extend AES keyset to SHA2-based ones 2022-03-08 12:54:47 +01:00
server Installer: add --subid option to select the sssd profile with-subid 2022-05-25 08:11:39 +03:00
__init__.py Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06 15:42:33 +02:00
adtrust.py adtrust install: define constants for rid bases 2021-11-02 10:11:28 +01:00
adtrustinstance.py SMB: switch IPA domain controller role 2021-11-10 15:00:27 -05:00
bindinstance.py LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
ca.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
cainstance.py pylint: Drop never used __remove_lightweight_ca_key_retrieval_custodia 2022-03-11 13:37:08 -05:00
certs.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
conncheck.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
custodiainstance.py pylint: Fix unused-private-member 2022-03-11 13:37:08 -05:00
dns.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
dnskeysyncinstance.py dnskeysyncinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
dogtag.py Verify pki ini override early 2019-04-10 13:43:23 +02:00
dogtaginstance.py pylint: Fix consider-using-dict-items 2022-03-11 13:37:08 -05:00
dsinstance.py Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
httpinstance.py Enable the ccache sweep timer during installation 2022-02-09 10:41:56 -05:00
installutils.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_acme_manage.py ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints 2020-11-17 18:48:24 +02:00
ipa_backup.py BIND: Setup logging 2021-05-25 10:45:49 +03:00
ipa_cacert_manage.py ipa-cacert-manage: add prune option 2021-02-12 14:08:11 -05:00
ipa_cert_fix.py ipa-cert-fix man page: add note about certmonger renewal 2021-06-10 20:59:27 +02:00
ipa_crlgen_manage.py CRL generation master: new utility to enable|disable 2019-03-14 09:39:55 +01:00
ipa_kra_install.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa_ldap_updater.py Remove -s option from ipa-ldap-updater usage 2021-05-20 14:45:27 -04:00
ipa_otptoken_import.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_pkinit_manage.py Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server 2021-06-17 17:28:48 -04:00
ipa_replica_install.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_restore.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_server_certinstall.py Require an ipa-ca SAN on 3rd party certs if ACME is enabled 2020-11-02 14:01:05 -05:00
ipa_server_install.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa_server_upgrade.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipa_subids.py pylint: Fix arguments-renamed 2022-03-11 13:37:08 -05:00
ipa_trust_enable_agent.py ipa-adtrust-install: run remote configuration for new agents 2020-03-05 14:40:58 +01:00
ipa_winsync_migrate.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipactl.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
kra.py ipa-kra-install: exit if ca_host is overriden 2021-07-27 13:27:36 +02:00
krainstance.py ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency 2021-07-13 16:52:57 +02:00
krbinstance.py Kerberos instance: default to AES256-SHA2 for master key encryption 2022-03-16 11:14:35 +02:00
ldapupdate.py pylint: Fix unused-variable 2022-03-11 13:37:08 -05:00
odsexporterinstance.py odsexporterinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
opendnssecinstance.py opendnssecinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
otpdinstance.py Enable pylint missing-final-newline check 2015-12-23 07:59:22 +01:00
replication.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
schemaupdate.py Unify access to FQDN 2020-10-26 17:11:19 +11:00
service.py LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
sysupgrade.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
upgradeinstance.py Use get_replication_plugin_name in LDAP updater 2021-06-21 10:58:02 +02:00