From 813dfe501348a671eeb3655cc7406c8e37a3860c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 25 Oct 2010 17:58:37 -0400 Subject: Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
---
 tests/test_xmlrpc/test_group_plugin.py | 4 ++--
 tests/test_xmlrpc/test_user_plugin.py | 11 ++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)
 (limited to 'tests')
diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py
index 10d3f674..3ec17b30 100644
--- a/tests/test_xmlrpc/test_group_plugin.py
+++ b/tests/test_xmlrpc/test_group_plugin.py
@@ -335,8 +335,8 @@ class test_group(Declarative):
 'gidnumber': [fuzzy_digits],
 'cn': [u'admins'],
 'description': [u'Account administrators group'],
- 'memberof_rolegroup': [u'replicaadmin'],
- 'memberof_taskgroup': [u'managereplica', u'deletereplica'],
+ 'memberof_rolegroup': [u'hostadmin', u'replicaadmin'],
+ 'memberof_taskgroup': [u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'],
 },
 {
 'dn': u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn,
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 8c2bae49..a1346f58 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -150,7 +150,8 @@ class test_user(Declarative):
 'uidnumber': [fuzzy_digits],
 'gidnumber': [fuzzy_digits],
 'ipauniqueid': [fuzzy_uuid],
- 'mepmanagedentry': [u'cn=%s,cn=groups,cn=accounts,%s' % (user1, api.env.basedn)]
+ 'mepmanagedentry': [u'cn=%s,cn=groups,cn=accounts,%s' % (user1, api.env.basedn)],
+ 'krbpwdpolicyreference': [u'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)],
 },
 ],
 summary=u'1 user matched',
@@ -197,8 +198,8 @@ class test_user(Declarative):
 sn=[u'Administrator'],
 uid=[u'admin'],
 memberof_group=[u'admins'],
- memberof_rolegroup=[u'replicaadmin'],
- memberof_taskgroup=[u'managereplica', u'deletereplica'],
+ memberof_rolegroup=[u'hostadmin', u'replicaadmin'],
+ memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'],
 ),
 dict(
 dn=u'uid=tuser1,cn=users,cn=accounts,' + api.env.basedn,
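Review bot: The seven-element `memberof_taskgroup` list and the `[u'hostadmin', u'replicaadmin']` rolegroup list are spelled out verbatim here and again in both `admin` expectations of test_user_plugin.py (the @@ -197 and @@ -231 hunks), so the next host taskgroup addition has to be made in three places and a partial edit would leave the expectations disagreeing with each other. A module-level constant per file, e.g. `admin_taskgroups = [u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica']`, referenced from each expectation would keep them in lockstep. These host-management memberships are also not mentioned by the commit message, which is about Kerberos password policy, so a sentence there (or a comment beside the constant) saying which server-side change they track would help the next reader; from the hunk alone it reads as a catch-up with an unrelated change. The enclosing `test_group` Declarative class starts and ends outside the hunk.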
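Review bot: The new `krbpwdpolicyreference` expectation in the @@ -150 hunk is the only place in this diff that checks a user entry actually carries the policy reference, and it is the tuser1 find result; the `admin` entries expected in the @@ -197 and @@ -231 hunks list no `krbpwdpolicyreference`, which agrees with the commit message's "every user entry requires this attribute" only if those finds run without `all=True`, and that cannot be seen from the hunks. Since the message says the KDC relies on this attribute to locate the policy, a user whose entry lacks it silently gets no failure counting or lockout, so it is worth asserting the same value wherever the add or show result for a new user is checked, e.g. `'krbpwdpolicyreference': [u'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)],`, and for the admin entry when it is fetched with all attributes. Building that DN once at module level, e.g. `global_policy_dn = u'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)`, would make a future change of the policy container a one-line edit. The enclosing `test_user` class starts and ends outside the hunk.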
@@ -231,8 +232,8 @@ class test_user(Declarative):
 sn=[u'Administrator'],
 uid=[u'admin'],
 memberof_group=[u'admins'],
- memberof_rolegroup=[u'replicaadmin'],
- memberof_taskgroup=[u'managereplica', u'deletereplica'],
+ memberof_rolegroup=[u'hostadmin', u'replicaadmin'],
+ memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'],
 ),
 ],
 summary=u'1 user matched',
-- 
cgit