On Fri, 28 Jan 2011 09:20:37 -0500 James Roman <james.ro...@ssaihq.com> wrote:
> OK. Now I feel like an idiot. I swear that was the first thing I
> checked. It seems the password policy on this server was set at the
> base, instead of cn=users. We have a script that reports on expiring
> accounts in the cn=accounts branch, but not under cn=etc. I now know
> what to fix. Thanks.

First of all, I am glad this was resolved; it looked puzzling indeed.

I just want to note that we do not support using the DS password policy in ipa, as we already have the kerberos pw policy; that's why uid=kdc was not "protected" against it.

In v2 we perfected the pw policy checks so that the kerberos policies also cover binds done against DS directly.

I am also adding a patch so that uid=kdc is protected in case the DS policy is enabled nonetheless for whatever reason.

Simo.

--
Simo Sorce * Red Hat, Inc * New York