diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-10-25 17:58:37 -0400 |
|---|---|---|
| committer | Adam Young <ayoung@redhat.com> | 2010-11-01 14:15:42 -0400 |
| commit | 813dfe501348a671eeb3655cc7406c8e37a3860c (patch) | |
| tree | 419a3d28ec0112aa00217c8e866152aa3f6391e3 /install/share/Makefile.am | |
| parent | aff2816d2021a5c15dfb93bfb78263f41992582a (diff) | |
| download | freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.gz freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.xz freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.zip | |
Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
Diffstat (limited to 'install/share/Makefile.am')
| -rw-r--r-- | install/share/Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index e5fd64d19..06f81cb64 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -15,6 +15,7 @@ app_DATA = \ default-aci.ldif \ default-hbac.ldif \ default-keytypes.ldif \ + default-pwpolicy.ldif \ delegation.ldif \ dns.ldif \ kerberos.ldif \ |