author | Jan Cholasta <jcholast@redhat.com> | 2016-08-24 13:32:29 +0200 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2016-10-24 14:11:08 +0200 |
commit | cc5ad6b3f951a6cb8298181690248d680c39922b (patch) | |
tree | e1f24393a85d4da726172e1f248c4a7b27d887f2 /ipaserver/plugins/pwpolicy.py | |
parent | 9477e39b4b267922dbdd86a65869f773d980df8e (diff) | |
pwpolicy: do not run klist on import
On pwpolicy module import, "klist -V" is run to determine if the installed
krb5 version supports account lockout (>= 1.8).
Remove the check, as we require a krb5 version which does support account
lockout (1.12).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins/pwpolicy.py')
-rw-r--r-- | ipaserver/plugins/pwpolicy.py | 59 |
1 files changed, 22 insertions, 37 deletions
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index e5e68fb58..d0e6b19be 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -31,9 +31,7 @@ from .baseldap import (
 from ipalib import _
 from ipalib.plugable import Registry
 from ipalib.request import context
-from ipapython.ipautil import run
 from ipapython.dn import DN
-from distutils import version
 
 import six
 
@@ -282,40 +280,6 @@ class pwpolicy(LDAPObject):
 },
 }
 
- MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
- has_lockout = False
- lockout_params = ()
-
- result = run(['klist', '-V'], raiseonerr=False, capture_output=True)
- if result.returncode == 0:
- verstr = result.output.split()[-1]
- ver = version.LooseVersion(verstr)
- min = version.LooseVersion(MIN_KRB5KDC_WITH_LOCKOUT)
- if ver >= min:
- has_lockout = True
-
- if has_lockout:
- lockout_params = (
- Int('krbpwdmaxfailure?',
- cli_name='maxfail',
- label=_('Max failures'),
- doc=_('Consecutive failures before lockout'),
- minvalue=0,
- ),
- Int('krbpwdfailurecountinterval?',
- cli_name='failinterval',
- label=_('Failure reset interval'),
- doc=_('Period after which failure count will be reset (seconds)'),
- minvalue=0,
- ),
- Int('krbpwdlockoutduration?',
- cli_name='lockouttime',
- label=_('Lockout duration'),
- doc=_('Period for which lockout is enforced (seconds)'),
- minvalue=0,
- ),
- )
-
 label = _('Password Policies')
 label_singular = _('Password Policy')
 
@@ -365,7 +329,28 @@ class pwpolicy(LDAPObject):
 minvalue=0,
 flags=('virtual_attribute',),
 ),
- ) + lockout_params
+ Int(
+ 'krbpwdmaxfailure?',
+ cli_name='maxfail',
+ label=_('Max failures'),
+ doc=_('Consecutive failures before lockout'),
+ minvalue=0,
+ ),
+ Int(
+ 'krbpwdfailurecountinterval?',
+ cli_name='failinterval',
+ label=_('Failure reset interval'),
+ doc=_('Period after which failure count will be reset (seconds)'),
+ minvalue=0,
+ ),
+ Int(
+ 'krbpwdlockoutduration?',
+ cli_name='lockouttime',
+ label=_('Lockout duration'),
+ doc=_('Period for which lockout is enforced (seconds)'),
+ minvalue=0,
+ ),
+ )
 
 def get_dn(self, *keys, **options):
 if keys[-1] is not None:
|
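Review bot: The three lockout parameters added to `takes_params` all allow `minvalue=0`, but none of the `doc` strings says what 0 means, and for a lockout policy that is the security-relevant value. In MIT Kerberos policy semantics a max-failure count of 0 normally disables lockout, and a lockout duration of 0 keeps the account locked until an administrator unlocks it. Please confirm the IPA KDC backend behaves the same and say so in the help text, e.g. `doc=_('Consecutive failures before lockout (0 disables lockout)')` and `doc=_('Period for which lockout is enforced (seconds, 0 = until unlocked by an administrator)')`. These options are now always exposed instead of depending on the detected krb5 version, so this help text is what every administrator sees. The `takes_params` tuple begins above this hunk, so only its tail is visible here.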