authorJan Cholasta <jcholast@redhat.com>2016-08-24 13:32:29 +0200
committerDavid Kupka <dkupka@redhat.com>2016-10-24 14:11:08 +0200
commitcc5ad6b3f951a6cb8298181690248d680c39922b (patch)
treee1f24393a85d4da726172e1f248c4a7b27d887f2 /ipaserver/plugins/pwpolicy.py
parent9477e39b4b267922dbdd86a65869f773d980df8e (diff)
pwpolicy: do not run klist on import
On pwpolicy module import, "klist -V" is run to determine if the installed krb5 version supports account lockout (>= 1.8). Remove the check, as we require a krb5 version which does support account lockout (1.12). https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins/pwpolicy.py')
-rw-r--r--ipaserver/plugins/pwpolicy.py59
1 files changed, 22 insertions, 37 deletions
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index e5e68fb58..d0e6b19be 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -31,9 +31,7 @@ from .baseldap import (
from ipalib import _
from ipalib.plugable import Registry
from ipalib.request import context
-from ipapython.ipautil import run
from ipapython.dn import DN
-from distutils import version
import six
@@ -282,40 +280,6 @@ class pwpolicy(LDAPObject):
},
}
- MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
- has_lockout = False
- lockout_params = ()
-
- result = run(['klist', '-V'], raiseonerr=False, capture_output=True)
- if result.returncode == 0:
- verstr = result.output.split()[-1]
- ver = version.LooseVersion(verstr)
- min = version.LooseVersion(MIN_KRB5KDC_WITH_LOCKOUT)
- if ver >= min:
- has_lockout = True
-
- if has_lockout:
- lockout_params = (
- Int('krbpwdmaxfailure?',
- cli_name='maxfail',
- label=_('Max failures'),
- doc=_('Consecutive failures before lockout'),
- minvalue=0,
- ),
- Int('krbpwdfailurecountinterval?',
- cli_name='failinterval',
- label=_('Failure reset interval'),
- doc=_('Period after which failure count will be reset (seconds)'),
- minvalue=0,
- ),
- Int('krbpwdlockoutduration?',
- cli_name='lockouttime',
- label=_('Lockout duration'),
- doc=_('Period for which lockout is enforced (seconds)'),
- minvalue=0,
- ),
- )
-
label = _('Password Policies')
label_singular = _('Password Policy')
@@ -365,7 +329,28 @@ class pwpolicy(LDAPObject):
minvalue=0,
flags=('virtual_attribute',),
),
- ) + lockout_params
+ Int(
+ 'krbpwdmaxfailure?',
+ cli_name='maxfail',
+ label=_('Max failures'),
+ doc=_('Consecutive failures before lockout'),
+ minvalue=0,
+ ),
+ Int(
+ 'krbpwdfailurecountinterval?',
+ cli_name='failinterval',
+ label=_('Failure reset interval'),
+ doc=_('Period after which failure count will be reset (seconds)'),
+ minvalue=0,
+ ),
+ Int(
+ 'krbpwdlockoutduration?',
+ cli_name='lockouttime',
+ label=_('Lockout duration'),
+ doc=_('Period for which lockout is enforced (seconds)'),
+ minvalue=0,
+ ),
+ )
def get_dn(self, *keys, **options):
if keys[-1] is not None:
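Review bot: The three lockout parameters now always present in `takes_params` accept 0 (`minvalue=0`), but their `doc` strings do not say what 0 means, and for these settings it is not the obvious reading. In MIT krb5's policy semantics a max-failure value of 0 disables lockout, a failure-count interval of 0 means the count is never reset, and a lockout duration of 0 keeps the account locked until an administrator unlocks it; whether the IPA KDC backend follows the same rules should be confirmed. If it does, I would extend the help text, e.g. `doc=_('Consecutive failures before lockout (0 disables lockout)')` and `doc=_('Period for which lockout is enforced (seconds, 0 = until unlocked by an administrator)')`. The tuple these entries are appended to starts outside the hunk.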