Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zeleny wrote: Rob Crittenden wrote: Jan Zelený wrote: Jan Zeleny wrote: Rob Crittenden wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Just a reminder that this patch needs to be re-reviewed. Thanks Jan I think we need to fix this as an update file rather than changing the default install. It would look something like: dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX replace:krbPwdLockoutDuration: 10: 600 replace: krbPwdMaxFailure: 3: 6 I'm ok with fixing it in both places. rob Here it is, hopefully I got it right this time. I wasn't sure about the file number, but from guidelines in README I guess it's ok. Jan I removed the spaces before the integers, I guess the updater was sending ' 600' as the update instead of '600'. ack, pushed to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Rob Crittenden wrote: > Jan Zelený wrote: > > Jan Zeleny wrote: > >> Rob Crittenden wrote: > >>> Jan Zelený wrote: > https://fedorahosted.org/freeipa/ticket/930 > > I put there a value Dmitri suggested. Feel free to change it before > pushing if you think there should be the originally suggested 10 login > attempts. > >>> > >>> We want to increase krbPwdLockoutDuration too, to 600. > >>> > >>> rob > >> > >> Sorry, I didn't realize it was in seconds. I just saw 10 and figured > >> it's ok it's already there. Anyway, I'm sending the updated patch. > > > > Just a reminder that this patch needs to be re-reviewed. > > > > Thanks > > Jan > > I think we need to fix this as an update file rather than changing the > default install. It would look something like: > > dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX > replace:krbPwdLockoutDuration: 10: 600 > replace: krbPwdMaxFailure: 3: 6 > > I'm ok with fixing it in both places. > > rob Here it is, hopefully I got it right this time. I wasn't sure about the file number, but from guidelines in README I guess it's ok. Jan From ed3cf75981adad2c21fc87185bb90933283a1273 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |4 ++-- install/updates/50-lockout-policy.update |4 install/updates/Makefile.am |1 + 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 install/updates/50-lockout-policy.update diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..1bb4a096efbdeba26b48d2e3a2935228da10bf23 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 -krbPwdLockoutDuration: 10 +krbPwdLockoutDuration: 600 diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update new file mode 100644 index ..12fe7a6f931cde0e9e47441d0620d1b8f15ee588 --- /dev/null +++ b/install/updates/50-lockout-policy.update @@ -0,0 +1,4 @@ +dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX +replace:krbPwdLockoutDuration: 10: 600 +replace: krbPwdMaxFailure: 3: 6 + diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index b474cd1c58881030112d8f52d08a4ff5f7b6595a..26318e17ef55d500137e691462e43a529325 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -10,6 +10,7 @@ app_DATA =\ 20-replication.update \ 20-winsync_index.update \ 40-delegation.update \ + 50-lockout-policy.update \ $(NULL) EXTRA_DIST =\ -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zelený wrote: Jan Zeleny wrote: Rob Crittenden wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Just a reminder that this patch needs to be re-reviewed. Thanks Jan I think we need to fix this as an update file rather than changing the default install. It would look something like: dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX replace:krbPwdLockoutDuration: 10: 600 replace: krbPwdMaxFailure: 3: 6 I'm ok with fixing it in both places. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zeleny wrote: > Rob Crittenden wrote: > > Jan Zelený wrote: > > > https://fedorahosted.org/freeipa/ticket/930 > > > > > > I put there a value Dmitri suggested. Feel free to change it before > > > pushing if you think there should be the originally suggested 10 login > > > attempts. > > > > We want to increase krbPwdLockoutDuration too, to 600. > > > > rob > > Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's > ok it's already there. Anyway, I'm sending the updated patch. Just a reminder that this patch needs to be re-reviewed. Thanks Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Rob Crittenden wrote: > Jan Zelený wrote: > > https://fedorahosted.org/freeipa/ticket/930 > > > > I put there a value Dmitri suggested. Feel free to change it before > > pushing if you think there should be the originally suggested 10 login > > attempts. > > We want to increase krbPwdLockoutDuration too, to 600. > > rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Jan From 9bfb44ca273268b782c7d52aafb05b32bbcabe54 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..1bb4a096efbdeba26b48d2e3a2935228da10bf23 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 -krbPwdLockoutDuration: 10 +krbPwdLockoutDuration: 600 -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Updated default Kerberos password policy
https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From bc08a4bc646ca7947fad4b91762af98f19cc259f Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..8c4f8199c0a770b84b4133da5a0d71be2ffebe55 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 krbPwdLockoutDuration: 10 -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel