URL: https://github.com/freeipa/freeipa/pull/4417
Author: rcritten
Title: #4417: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body: """ Password changes performed by cn=Directory Manager are excluded from password policy checks according to [1]. This is correctly handled by ipa-pwd-extop in case of a normal Kerberos principal in IPA. However, non-Kerberos accounts were not excluded from the check.
As a result, password updates for PKI CA admin account in o=ipaca were failing if a password policy does not allow a password reuse. We are re-setting the password for PKI CA admin in ipa-replica-prepare in case the original directory manager's password was updated since creation of cacert.p12.
Do password policy check for non-Kerberos accounts only if it was set by a regular user or admin. Changes performed by a cn=Directory Manager and passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
Replaces https://github.com/freeipa/freeipa/pull/2106 """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4417/head:pr4417
git checkout pr4417
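
The rule described in the PR body for non-Kerberos accounts, as an added C model that is not code from ipa-pwd-extop or from this PR. All type and function names are hypothetical, the policy is reduced to a password-history check, and the passwords are constructed plaintext strings.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; none of these names come from ipa-pwd-extop. */
enum actor { ACTOR_USER, ACTOR_ADMIN, ACTOR_DIRECTORY_MANAGER, ACTOR_PASSSYNC_MANAGER };

#define HISTORY_MAX 8
struct account {
    const char *history[HISTORY_MAX]; /* plaintext only to keep the model short */
    int used;
};

/* Policy stand-in: reject a password that is already in the history. */
static bool policy_allows(const struct account *a, const char *pw) {
    for (int i = 0; i < a->used; i++)
        if (strcmp(a->history[i], pw) == 0)
            return false;
    return true;
}

static bool store(struct account *a, const char *pw) {
    if (a->used < HISTORY_MAX)
        a->history[a->used++] = pw;
    return true;
}

/* Before the fix: a non-Kerberos entry was policy-checked for every actor. */
bool set_password_before(struct account *a, enum actor who, const char *pw) {
    (void)who;
    return policy_allows(a, pw) && store(a, pw);
}

/* After the fix: only regular users and admins are policy-checked. */
bool set_password_after(struct account *a, enum actor who, const char *pw) {
    bool checked = (who == ACTOR_USER || who == ACTOR_ADMIN);
    if (checked && !policy_allows(a, pw))
        return false;
    return store(a, pw);
}

int main(void) {
    struct account ca_admin = { { "constructed-dm-secret" }, 1 };
    const char *same = "constructed-dm-secret"; /* re-set to the same value */
    printf("before, DM:  %d\n", set_password_before(&ca_admin, ACTOR_DIRECTORY_MANAGER, same));
    printf("after, DM:   %d\n", set_password_after(&ca_admin, ACTOR_DIRECTORY_MANAGER, same));
    printf("after, user: %d\n", set_password_after(&ca_admin, ACTOR_USER, same));
    return 0;
}
```

The first call models the failing PKI CA admin re-set from the PR body; the second shows the same re-set passing once Directory Manager is exempt, while a regular user is still held to the history rule.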