diff options
author | Simo Sorce <simo@redhat.com> | 2015-11-24 15:39:08 -0500 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-03-08 18:48:40 +0100 |
commit | 3e45c9be0aefb03751665a951f426ac59c50a551 (patch) | |
tree | ff888d8ab2f80c65b0cb2325c3ba4d5118440609 /ipalib | |
parent | de63e16922c4f9926752016a2105bee4b974ba32 (diff) | |
download | freeipa-3e45c9be0aefb03751665a951f426ac59c50a551.tar.gz freeipa-3e45c9be0aefb03751665a951f426ac59c50a551.tar.xz freeipa-3e45c9be0aefb03751665a951f426ac59c50a551.zip |
Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/config.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 4c8c2dd44..848b41e7b 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -205,7 +205,8 @@ class config(LDAPObject): label=_('Password plugin features'), doc=_('Extra hashes to generate in password plug-in'), values=(u'AllowNThash', - u'KDC:Disable Last Success', u'KDC:Disable Lockout'), + u'KDC:Disable Last Success', u'KDC:Disable Lockout', + u'KDC:Disable Default Preauth for SPNs'), csv=True, ), Str('ipaselinuxusermaporder', |