DS be configured to perform its own policy checks on ldap binds. If someone does that then DS will provide to set a default expiration time on any account that authenticates with an ldap bind (like uid=kdc) that doesn't already have an expiration time set.
Although ipa uses its own password policy plugin, and does not activate DS password policy, we should 'defend' some core accounts in case the admins go around and try DS policies, so that core services are not disrupted.
Add passwordExpirationTime to the uid=kdc account so that the kdc doesn't stop inexplicably working just because someone messed with DS policies.
Also set nsIdleTimeout = 0 on uid=kdc as the DS Administration Guide recommends for service accounts.
Fixed in: 86209d5
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)