freeipa/daemons/ipa-slapi-plugins/Makefile.am
Rob Crittenden f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00

29 lines
387 B
Makefile

NULL =
SUBDIRS = \
libotp \
ipa-cldap \
ipa-dns \
ipa-enrollment \
ipa-graceperiod \
ipa-lockout \
ipa-modrdn \
ipa-otp-counter \
ipa-otp-lasttoken \
ipa-pwd-extop \
ipa-extdom-extop \
ipa-uuid \
ipa-version \
ipa-winsync \
ipa-sidgen \
ipa-range-check \
topology \
$(NULL)
noinst_HEADERS = \
common/util.h
EXTRA_DIST = \
README \
$(NULL)