See the description of the feature here: http://k5wiki.kerberos.org/wiki/Projects/Lockout
- Make sure the schema is loaded
- The status can be viewed & modified (cleared) via CLI
- The status can be viewed & modified (cleared) via UI
The ticket can be split into several if deemed necessary.
From what I can tell locked_time/pwdAccountLockedTime/krbPwdPrincipalLockedTime has not been implemented yet. I can find no mention of these in the krb5 1.8.2 source.
Somewhat blocked for now by https://bugzilla.redhat.com/show_bug.cgi?id=627022
Basically it completely ignores the password expiration time so it will always use krbLastPwdChange + krbMaxPwdLife (if krbMaxPwdLife is set in the policy) to determine if the password is expired. This means that an admin resetting a password won't require a password reset if max life is set to any sort of reasonable value.
The KDC only looks at policy in cn=$REALM,cn=kerberos,$SUFFIX so we're going to need to create a cn for global policy under this and move the current global policy from cn=accounts,$SUFFIX here. This will require some pwpolicy plugin changes.
I also need to always set krbPwdPolicyReference for all users and modify the CoS entry for group password policy to override krbPwdPolicyReference.
Nalin fixed the bug and things seem to be working as expected.
The only things left to do are:
We are going to have a namespace collision because we already have an account lock/unlock feature.
Is there any way to combine the two? How are they different?
The current lockout completely locks an account out until it is unlocked (if ever)
The Kerberos lockout policy locks an account out for a period of time after a number of login failures within a time frame (all 3 values are configurable).
So if someone says "my account is locked out" it could mean either of these and the unlock procedure is different for both.
I wonder if we want to call the current lockout "account activation". That is what we call it under the hood. An account is either active or inactive. It would be a very minor change to rename the CLI functions to reflect this.
Then there is the problem of showing KRB lockout status. If status is only maintained per server then it is going to be quite the chore to figure out which server(s) they are locked out on.
MIT is going to add this to 1.9.
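As an added example (not from the ticket or from FreeIPA's own code), the following Python separates the two meanings of "locked out" discussed above, applies the krbLastPwdChange + krbMaxPwdLife expiry rule from the earlier comment, and aggregates lockout status across replicas since the failure counters are kept per server. Attribute names are assumptions modelled on the MIT krb5 LDAP schema and FreeIPA's nsAccountLock flag; every sample value is constructed.

```python
from datetime import datetime, timedelta, timezone

# Attribute names are assumptions modelled on the MIT krb5 LDAP schema
# (krbPwdMaxFailure, krbPwdLockoutDuration, krbLoginFailedCount, krbLastFailedAuth,
# krbMaxPwdLife, krbLastPwdChange) and FreeIPA's nsAccountLock; values are constructed.

def gtime(value):
    """Parse LDAP GeneralizedTime (e.g. 20101001120000Z) as a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def kerberos_locked(entry, policy, now):
    """Kerberos lockout: after krbPwdMaxFailure failures the principal is locked
    for krbPwdLockoutDuration seconds (0 = until an admin clears the counters)."""
    max_fail = int(policy.get("krbPwdMaxFailure", 0))  # 0 disables lockout
    failures = int(entry.get("krbLoginFailedCount", 0))
    last_fail = entry.get("krbLastFailedAuth")
    if max_fail == 0 or failures < max_fail or last_fail is None:
        return False
    duration = timedelta(seconds=int(policy.get("krbPwdLockoutDuration", 0)))
    return duration == timedelta(0) or now - gtime(last_fail) < duration

def password_expired(entry, policy, now):
    """Expiry as the thread says the KDC computes it: krbLastPwdChange +
    krbMaxPwdLife, ignoring any explicit expiration time (0/unset = never)."""
    max_life = int(policy.get("krbMaxPwdLife", 0))
    if max_life == 0 or "krbLastPwdChange" not in entry:
        return False
    return gtime(entry["krbLastPwdChange"]) + timedelta(seconds=max_life) <= now

def account_status(replicas, policy, now):
    """Distinguish an inactive (deactivated) account from a Kerberos lockout.
    replicas maps server name -> that server's copy of the entry, because the
    failure counters are per server; every server reporting a lockout is named."""
    entry = next(iter(replicas.values()))
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        return {"state": "inactive"}  # cleared only by reactivating the account
    locked_on = sorted(s for s, e in replicas.items() if kerberos_locked(e, policy, now))
    if locked_on:
        return {"state": "kerberos-locked", "servers": locked_on}
    if password_expired(entry, policy, now):
        return {"state": "password-expired"}
    return {"state": "active"}

# Constructed sample data: 3-strike policy, 10-minute lockout, 90-day max password life.
NOW = gtime("20101001120000Z")
POLICY = {"krbPwdMaxFailure": "3", "krbPwdLockoutDuration": "600", "krbMaxPwdLife": "7776000"}
OK = {"krbLastPwdChange": "20100901120000Z"}
LOCKED = dict(OK, krbLoginFailedCount="3", krbLastFailedAuth="20101001115500Z")
```

Calling `account_status({"ipa1": OK, "ipa2": LOCKED}, POLICY, NOW)` reports a Kerberos lockout on ipa2 only, which is the per-server ambiguity the comment above describes.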
first cut freeipa-586-pwpolicy.patch
master: 813dfe5
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2010/10