#4085 krbpwdpolicyreference not applied to synced users
Closed: Fixed. Opened 10 years ago by simo.

Users being synced via winsync have no password policy applied, as they lack the krbpwdpolicyreference attribute.
We changed the behavior of IPA to explicitly add the attribute to users we create with this commit: 813dfe5
However, the behavior described there doesn't really apply anymore, as we do fully control how the DAL finds the password policy, so we could revert the behavior to walk up the tree in the DAL and restore the previous method. This would fix synced-in users without any change to winsync or any other component.

Also, we could completely avoid CoS by letting the DAL search for the password policy, by turning password policy objects into groups and making users direct members of these groups.


I discussed the matter with Rob after we analyzed the code.

I think the simple fix here is to hard code the default global_policy dn as a fallback in ipapwd_getPolicy() and remove from that function the code that walks the tree as we stopped storing policies in parent suffixes.

The ipakdb KDC driver already does this (hardcodes fallback and does not walk tree).

At the same time we can also remove the framework code that explicitly adds krbpwdpolicyreference, as it will not be needed since the password plugin already uses the default as a fallback. This will make IPA users and synced users the same in this respect, so no surprises arise in the future.

master:
088fbad Stop adding a default password policy reference
d0ed25c Harmonize policy discovery to kdb driver

ipa-3-3:
50a6430 Stop adding a default password policy reference
cd3715a Harmonize policy discovery to kdb driver

I found a regression caused by this ticket - ipa-lockout plugin does not fall back to the global policy.

There was a regression in ipa-lockout which did not start on clean IPA installation.

master: b351b21
ipa-3-3: 4307035
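To make the two lookup strategies discussed in this ticket concrete (the old ipapwd_getPolicy() tree walk versus the kdb driver's hard-coded global_policy fallback, and the lockout regression that came from a plugin not sharing that fallback), here is an added example. It is not FreeIPA code and does not talk to 389-ds; the directory is a constructed in-memory dict using FreeIPA-style DNs, the tree-walk model is a simplification of the old behavior, and the entry contents (policy attributes, the winsync-created user without krbPwdPolicyReference) are assumptions for illustration.

```python
"""Password-policy discovery model for IPA-style user entries (added example).

Compares the legacy lookup (honour krbPwdPolicyReference, else walk the
ancestors looking for a krbPwdPolicy object) with the harmonized lookup
(honour krbPwdPolicyReference, else fall back to the global_policy DN),
and shows a lockout check built on the harmonized lookup so that a
synced user without the attribute still gets the global limits.
"""
from typing import Dict, List, Optional

# Constructed sample directory: DN -> attributes (attribute names lowercased).
# Layout mimics FreeIPA but nothing here comes from a real server.
BASE_DN = "dc=example,dc=com"
KRB_CONTAINER = f"cn=EXAMPLE.COM,cn=kerberos,{BASE_DN}"
GLOBAL_POLICY_DN = f"cn=global_policy,{KRB_CONTAINER}"
ADMINS_POLICY_DN = f"cn=admins,{KRB_CONTAINER}"
ALICE_DN = f"uid=alice,cn=users,cn=accounts,{BASE_DN}"   # created by the IPA framework
BOB_DN = f"uid=bob,cn=users,cn=accounts,{BASE_DN}"       # created by winsync (assumed)

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    GLOBAL_POLICY_DN: {
        "objectclass": ["krbPwdPolicy", "ipaPwdPolicy"],
        "krbpwdmaxfailure": ["6"],
    },
    ADMINS_POLICY_DN: {
        "objectclass": ["krbPwdPolicy", "ipaPwdPolicy"],
        "krbpwdmaxfailure": ["3"],
    },
    ALICE_DN: {
        "objectclass": ["person", "krbPrincipalAux"],
        "krbpwdpolicyreference": [ADMINS_POLICY_DN],
    },
    BOB_DN: {
        # No krbPwdPolicyReference: this is the winsync case from the ticket.
        "objectclass": ["person", "krbPrincipalAux"],
    },
}


def parent_dn(dn: str) -> Optional[str]:
    """Return the parent DN, or None at the top of the tree.

    Assumes no escaped commas inside RDN values (true for the sample data).
    """
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None


def _explicit_reference(user_dn: str) -> Optional[str]:
    """krbPwdPolicyReference value if the entry carries one."""
    refs = DIRECTORY.get(user_dn, {}).get("krbpwdpolicyreference")
    return refs[0] if refs else None


def get_policy_legacy(user_dn: str) -> Optional[str]:
    """Simplified model of the pre-fix lookup: reference, else walk ancestors.

    Returns None when no ancestor is a policy object, which is exactly the
    situation the ticket describes once policies stopped living in parent
    suffixes: the synced user ends up with no policy at all.
    """
    ref = _explicit_reference(user_dn)
    if ref:
        return ref
    dn = parent_dn(user_dn)
    while dn is not None:
        entry = DIRECTORY.get(dn)
        if entry is not None and "krbPwdPolicy" in entry.get("objectclass", []):
            return dn
        dn = parent_dn(dn)
    return None


def get_policy_harmonized(user_dn: str) -> str:
    """Post-fix lookup as the kdb driver does it: reference, else global_policy."""
    return _explicit_reference(user_dn) or GLOBAL_POLICY_DN


def max_failures(user_dn: str) -> int:
    """krbPwdMaxFailure of the policy that applies to user_dn (harmonized lookup)."""
    policy = DIRECTORY[get_policy_harmonized(user_dn)]
    return int(policy["krbpwdmaxfailure"][0])


def is_locked_out(user_dn: str, failed_attempts: int) -> bool:
    """Lockout decision that falls back to global_policy instead of skipping
    users without a reference (the regression noted in the ticket)."""
    return failed_attempts >= max_failures(user_dn)


if __name__ == "__main__":
    for dn in (ALICE_DN, BOB_DN):
        print(dn)
        print("  legacy     :", get_policy_legacy(dn))
        print("  harmonized :", get_policy_harmonized(dn))
        print("  locked @6  :", is_locked_out(dn, 6))
```

Running the module prints that alice resolves to the admins policy under both strategies, while bob resolves to nothing under the legacy walk and to global_policy under the harmonized lookup, so only the harmonized path enforces a failure limit for him.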

Metadata Update from @simo (7 years ago):
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)
