8:45 a.m.
URL: https://github.com/SSSD/sssd/pull/5928
Author: elkoniu
Title: #5928: IPA: Add password expire warning
Action: opened
PR body:
"""
When LDAP is used as an access provider it can be configured
to show user password expiration warning.
This commit enables similar behaviour for IPA access provider.
Resolves: https://github.com/SSSD/sssd/issues/5080
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5928/head:pr5928
git checkout pr5928
5:17 a.m.
New subject: [sssd PR#5928][+Waiting for review] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
Label: +Waiting for review
5:17 a.m.
New subject: [sssd PR#5928][+Bugzilla] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
Label: +Bugzilla
5:22 a.m.
New subject: [sssd PR#5928][comment] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
alexey-tikhonov commented:
"""
Hi @elkoniu,
does this also resolve #3635 or is this PR IPA specific while that ticket is more
general?
"""
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-997836077
3:37 a.m.
New subject: [sssd PR#5928][comment] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
elkoniu commented:
"""
Hi @elkoniu,
does this also resolve #3635 or is this PR IPA specific while that ticket is more
general?
Hi @alexey-tikhonov , I will try to check this and post note here.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009764036
3:38 a.m.
New subject: [sssd PR#5928][comment] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
elkoniu commented:
"""
@sumit-bose if there is a chance you can take a look at the code of this PR and tell me if
approach with hard coded options is OK in this case?
"""
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009764935
3:41 a.m.
New subject: [sssd PR#5928][-Waiting for review] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
Label: -Waiting for review
3:41 a.m.
New subject: [sssd PR#5928][+Changes requested] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
Label: +Changes requested
4:53 a.m.
New subject: [sssd PR#5928][comment] IPA: Add password expire warning
URL: https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
sumit-bose commented:
"""
@sumit-bose if there is a chance you can take a look at the code of
this PR and tell me if approach with hard coded options is OK in this case?
Hi,
using a hardcoded default is ok, but you only have to add
`LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless it would be good if the IPA provider can
check `ldap_access_order` as well because I would expect that sooner or later someone will
ask to not only warn but reject the user which would be
`LDAP_ACCESS_EXPIRE_POLICY_DENY`.
Related to Alexey's question about #3635, currently the fix would be limited to IPA
users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we currently do not
read or evaluate the `msDS-UserPasswordExpiryTimeComputed` attribute. So this attribute
should be added to the list of user attributes and a new e.g. `ldap_pwd_policy = ad`
should be added to evaluate it. For IPA an `ldap_pwd_policy = ipa` might be needed as well
since we might have to check IPA and AD users.
bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750
836
days inactive
861
days old
sssd-devel@lists.fedorahosted.org
8 comments
4 participants
participants (4)
-
alexey-tikhonov -
elkoniu
-
sumit-bose
-
thalman