#862 set default DS password expiration time for core accounts
Closed: Fixed None Opened 13 years ago by simo.

DS can be configured to perform its own policy checks on ldap binds.
If someone does that then DS will proceed to set a default expiration time on any account that authenticates with an ldap bind (like uid=kdc) that doesn't already have an expiration time set.

Although ipa uses its own password policy plugin, and does not activate DS password policy, we should 'defend' some core accounts in case the admins go around and try DS policies, so that core services are not disrupted.

Add passwordExpirationTime to the uid=kdc account so that the kdc doesn't stop inexplicably working just because someone messed with DS policies.


Also set nsIdleTimeout = 0 on uid=kdc as the DS Administration Guide recommends for service accounts.

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)

7 years ago
