#5418 Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
Closed: Fixed None Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1276351

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
IPA update file /usr/share/ipa/updates/50-lockout-policy.update updates the value
of attribute krbPwdMaxFailure from 3 to 6 when IPA is upgraded.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0

How reproducible:
Always, when IPA server is upgraded.


Steps to Reproduce:
1. Set value of krbPwdMaxFailure attribute to '3'
2. Upgrade IPA server
3. Check value of krbPwdMaxFailure, it should show '6'

Actual results:
Value of krbPwdMaxFailure is changed from 3 to 6

Expected results:
Value of krbPwdMaxFailure should NOT be changed to '6'; it should be the value which
was set before upgrade.

Additional info:
From test IPA server:
---
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64

# rpm -ql ipa-server | grep policy
/usr/share/ipa/updates/50-lockout-policy.update

# cat /usr/share/ipa/updates/50-lockout-policy.update
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration:10::600
replace: krbPwdMaxFailure:3::6  <------------------------------
---

Note: defaults for global_policy were changed and this update file was added in IPA 2.0 RC2: #930, which means that all existing RHEL 6/7 IPA installations run this update or were installed with changed defaults. If krbPwdMaxFailure is 3 then it is a deliberate change.

Therefore removal of this update file should be fine.
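
Added example, not part of the ticket or of FreeIPA's code: a small Python simulation of the two replace directives quoted above, showing why a krbPwdMaxFailure that an administrator deliberately set to 3 is overwritten on upgrade while other values are left alone. The parsing rules and the match-on-old-value behaviour are assumptions inferred from what the ticket reports; parse_replaces and simulate are hypothetical helper names and the sample entry is constructed.

```python
# Update file content as quoted in the ticket.
UPDATE_TEXT = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration:10::600
replace: krbPwdMaxFailure:3::6
"""


def parse_replaces(text):
    """Return (dn, [(attr, old, new), ...]) for the 'replace' directives."""
    dn, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(":")
        keyword = keyword.strip().lower()
        if keyword == "dn":
            dn = rest.strip()
        elif keyword == "replace":
            attr, _, values = rest.partition(":")
            old, sep, new = values.partition("::")
            if not sep:
                raise ValueError(f"malformed replace directive: {line!r}")
            rules.append((attr.strip(), old.strip(), new.strip()))
    return dn, rules


def simulate(entry, rules):
    """Apply the rules to a copy of entry; return (new_entry, changes)."""
    result, changes = dict(entry), []
    for attr, old, new in rules:
        # Assumption: a value is swapped only when it currently equals `old`,
        # so an admin-set 3 cannot be told apart from the pre-2.0 default 3.
        if result.get(attr) == old:
            result[attr] = new
            changes.append((attr, old, new))
    return result, changes


if __name__ == "__main__":
    # Constructed entry: admin chose 3 failures and a 900 second lockout.
    before = {"krbPwdMaxFailure": "3", "krbPwdLockoutDuration": "900"}
    dn, rules = parse_replaces(UPDATE_TEXT)
    after, changes = simulate(before, rules)
    print(dn)
    for attr, old, new in changes:
        print(f"{attr}: {old} -> {new} (admin-set value overwritten)")
```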

master:

  • 7ef827e Remove 50-lockout-policy.update file

Metadata Update from @pvoborni:
- Issue assigned to rga
- Issue set to the milestone: FreeIPA 4.3

7 years ago
