diff options
author | Jan Zeleny <jzeleny@redhat.com> | 2012-05-01 03:36:37 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-04 13:36:42 -0400 |
commit | bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch) | |
tree | ba1da22bd4f400edf1ba50563c80ab290e0987bb /src/util/sss_krb5.h | |
parent | 9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff) | |
download | sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.gz sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.xz sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.zip |
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
Diffstat (limited to 'src/util/sss_krb5.h')
-rw-r--r-- | src/util/sss_krb5.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h index 50c4b696f..6ad80806c 100644 --- a/src/util/sss_krb5.h +++ b/src/util/sss_krb5.h @@ -34,6 +34,11 @@ #include "util/util.h" +/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the + * fact that using the expiration time of a Kerberos password with LDAP + * authentication is presumably a rare case a separate config option is not + * necessary. */ +#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60) #define KEYTAB_CLEAN_NAME keytab_name ? keytab_name : "default" const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context, |