On (25/03/15 14:00), Jakub Hrozek wrote:
On Wed, Mar 25, 2015 at 01:51:05PM +0100, Lukas Slebodnik wrote:
> On (25/03/15 12:01), Pavel Reichl wrote:
> >Hello please see attached patch.
> >
> >The need for this patch was discussed in thread: SDAP: Lock out ssh keys when
> >account naturally expires
> >This patch implements point number 3.
> >
> >>>I would prefer if we didn't add a new option as well, but since we
> >>>released
> >>>a version that only supported the lockout and not any other semantics,
> >>>I don't think we can get away with just changing the functionality.
A
> >>>minor version can break functionality. But a major version can
> >>>
> >>>So I propose the following:
> >>>1) Add a new value for ldap_access_order called "ppolicy" that
would
> >>>evaluate the pwdAccountLockedTime fully, including the new
> >>>functionality in this patchset
> >>>2) In 1.12, deprecate the "lockout" option and log a warning
that it
> >>>will be removed in future relase and users should migrate to
"ppolicy"
> >>>option
> The feature was introduced in sssd-1.12.1 and deprecated in sssd-1.12.5
> That's really fast progres. The deprecating the features
> after half a year.
>
> Could someone exaplain me why do we need to do such ritual dances?
Because, at least I didn't realize we were going to include another
feature that's essentially a superset of this one.
As part of review I proposed
to include new feature into existing one.
It was not accepted. And now it's fine becuase it was proposed by QE.
LS