From deb0c765561bc5dbc42c509005e4aab57d0b4a0b Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jun 06 2022 15:24:21 +0000
Subject: Set default LDAP password grace period to -1

This will retain existing behavior where LDAP passwords are allowed to bind past expiration.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden
Reviewed-By: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/API.txt b/API.txt
index be3479d..c8e1daf 100644
--- a/API.txt
+++ b/API.txt
@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
 option: Int('krbpwdmaxfailure?', cli_name='maxfail')
 option: Int('krbpwdmindiffchars?', cli_name='minclasses')
 option: Int('krbpwdminlength?', cli_name='minlength')
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=0)
+option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Str('version?')
@@ -4108,7 +4108,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
 option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
 option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
 option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
-option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
+option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Int('sizelimit?', autofill=False)
@@ -4137,7 +4137,7 @@ option: Int('krbpwdlockoutduration?', autofill=False, cli_name='lockouttime')
 option: Int('krbpwdmaxfailure?', autofill=False, cli_name='maxfail')
 option: Int('krbpwdmindiffchars?', autofill=False, cli_name='minclasses')
 option: Int('krbpwdminlength?', autofill=False, cli_name='minlength')
-option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=0)
+option: Int('passwordgracelimit?', autofill=False, cli_name='gracelimit', default=-1)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr')
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 51e5cf9..3a5c30e 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -39,6 +39,7 @@ changetype: add
 objectClass: top
 objectClass: nsContainer
 objectClass: krbPwdPolicy
+objectClass: ipaPwdPolicy
 krbMinPwdLife: 3600
 krbPwdMinDiffChars: 0
 krbPwdMinLength: 8
@@ -47,4 +48,4 @@ krbMaxPwdLife: 7776000
 krbPwdMaxFailure: 6
 krbPwdFailureCountInterval: 60
 krbPwdLockoutDuration: 600
-
+passwordGraceLimit: -1
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index b044659..3893dc0 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -62,6 +62,10 @@ policy.
 Group password policies are automatically removed when the groups they
 are associated with are removed.
 
+Grace period defines the number of LDAP logins allowed after expiration.
+-1 means do not enforce expiration to match previous behavior. 0 allows
+no additional logins after expiration.
+
 EXAMPLES:
 
 Modify the global policy:
@@ -403,7 +407,7 @@ class pwpolicy(LDAPObject):
 doc=_('Number of LDAP authentications allowed after expiration'),
 minvalue=-1,
 maxvalue=Int.MAX_UINT32,
-default=0,
+default=-1,
 ),
 )
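Review bot: The new `passwordGraceLimit: -1` and `objectClass: ipaPwdPolicy` in kerberos.ldif only reach the global policy entry on a fresh install; a global policy entry created by an earlier version will have neither the objectclass nor the attribute after an upgrade. Whether such an entry then behaves as -1 depends on how the enforcing side treats an absent passwordGraceLimit, which is not visible in this diff; if absence is read as 0, upgraded deployments would start rejecting expired LDAP binds, the opposite of what the commit message intends. An update step that adds the objectclass and `passwordGraceLimit: -1` to an existing global policy entry lacking them, or a confirmation that absence already means -1, would close that gap. This applies to both kerberos.ldif hunks.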
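Review bot: The added paragraph calls the setting a "Grace period" and explains -1 as matching "previous behavior", while the option is `gracelimit`, the value is a count of logins rather than a duration, and user-facing text should state the default instead of referring to history. Suggested wording: `Grace limit defines the number of LDAP logins allowed after a password has expired. -1 (the default) disables expiration enforcement for LDAP logins; 0 allows no logins after expiration.` The later hunk at line 403 of this file has the same omission: the parameter's `doc=_('Number of LDAP authentications allowed after expiration')` does not mention the -1 sentinel that is now the default, so `doc=_('Number of LDAP authentications allowed after expiration (-1 disables enforcement)')` would make the CLI help self-explanatory. The module docstring and the `class pwpolicy` parameter list both begin outside their hunks.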