freeipa/ipatests
Rob Crittenden f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is supported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
azure js tests: use latest grunt 2022-05-05 15:04:28 +03:00
man Simplify ipa-run-tests script 2019-07-16 13:23:21 +03:00
prci_definitions ipatests: update definitions for custom COPR nightlies 2022-05-25 22:38:11 +02:00
pytest_ipa ipatests: Add integration tests for External IdP support 2022-05-23 08:38:40 +03:00
test_cmdline Make the schema cache TTL user-configurable 2021-11-03 10:59:10 +01:00
test_custodia pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
test_install Unify access to FQDN 2020-10-26 17:11:19 +11:00
test_integration Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
test_ipaclient Remove support for csrgen 2021-01-21 13:51:45 +01:00
test_ipalib pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
test_ipaplatform ipatests/test_ipaplatform: Skip test_ipa_version on Debian 2021-11-25 21:02:56 -05:00
test_ipapython pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
test_ipaserver pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
test_ipatests_plugins ipatests: Don't turn Pytest IPA deprecation warnings into errors 2020-07-29 15:10:00 -04:00
test_webui external-idp: add XMLRPC tests for External IdP objects and idp indicator 2022-05-10 15:52:41 +03:00
test_xmlrpc Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
__init__.py Make an ipa-tests package 2013-06-17 19:22:50 +02:00
conftest.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
create_external_ca.py Test external CA with DNS name constraints 2019-08-06 12:39:46 +02:00
data.py Fix more bytes/unicode issues 2015-10-22 18:34:46 +02:00
i18n.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa-run-tests ipatests: Specify shell implementation 2020-04-21 13:24:50 +02:00
ipa-test-config Rename pytest_plugins to ipatests.pytest_ipa 2018-08-02 17:07:43 +02:00
ipa-test-task ipatests: Fetch sudo rules without time offset 2021-06-03 09:21:45 +03:00
Makefile.am Build: fix distribution of static files for web UI 2016-11-09 13:08:32 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add Custodia tests 2021-06-16 10:28:17 -04:00
test_util.py pylint: Skip unused-private-member for property case 2022-03-11 13:37:08 -05:00
util.py pylint: Drop no longer used __home 2022-03-11 13:37:08 -05:00