On (25/03/15 14:00), Jakub Hrozek wrote: >On Wed, Mar 25, 2015 at 01:51:05PM +0100, Lukas Slebodnik wrote: >> On (25/03/15 12:01), Pavel Reichl wrote: >> >Hello please see attached patch. >> > >> >The need for this patch was discussed in thread: SDAP: Lock out ssh keys >> >when >> >account naturally expires >> >This patch implements point number 3. >> > >> >>>I would prefer if we didn't add a new option as well, but since we >> >>>released >> >>>a version that only supported the lockout and not any other semantics, >> >>>I don't think we can get away with just changing the functionality. A >> >>>minor version can break functionality. But a major version can >> >>> >> >>>So I propose the following: >> >>>1) Add a new value for ldap_access_order called "ppolicy" that would >> >>>evaluate the pwdAccountLockedTime fully, including the new >> >>>functionality in this patchset >> >>>2) In 1.12, deprecate the "lockout" option and log a warning that it >> >>>will be removed in future relase and users should migrate to "ppolicy" >> >>>option >> The feature was introduced in sssd-1.12.1 and deprecated in sssd-1.12.5 >> That's really fast progres. The deprecating the features >> after half a year. >> >> Could someone exaplain me why do we need to do such ritual dances? > >Because, at least I didn't realize we were going to include another >feature that's essentially a superset of this one. As part of review I proposed to include new feature into existing one. It was not accepted. And now it's fine becuase it was proposed by QE.
LS _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel