On (26/03/15 09:26), Pavel Reichl wrote:
>
>
>On 03/25/2015 09:53 PM, Lukas Slebodnik wrote:
>>On (25/03/15 14:35), Pavel Reichl wrote:
>>>
>>>On 03/25/2015 02:21 PM, Lukas Slebodnik wrote:
>>>>On (25/03/15 14:05), Pavel Reichl wrote:
>>>>>On 03/25/2015 01:51 PM, Lukas Slebodnik wrote:
>>>>>>On (25/03/15 12:01), Pavel Reichl wrote:
>>>>>>>Hello, please see the attached patch.
>>>>>>>
>>>>>>>The need for this patch was discussed in thread: SDAP: Lock out ssh keys when
>>>>>>>account naturally expires
>>>>>>>This patch implements point number 3.
>>>>>>>
>>>>>>>>>I would prefer if we didn't add a new option as well, but since we released
>>>>>>>>>a version that only supported the lockout and not any other semantics,
>>>>>>>>>I don't think we can get away with just changing the functionality. A
>>>>>>>>>minor version can break functionality. But a major version can
>>>>>>>>>
>>>>>>>>>So I propose the following:
>>>>>>>>>1) Add a new value for ldap_access_order called "ppolicy" that would
>>>>>>>>>evaluate the pwdAccountLockedTime fully, including the new
>>>>>>>>>functionality in this patchset
>>>>>>>>>2) In 1.12, deprecate the "lockout" option and log a warning that it
>>>>>>>>>will be removed in future release and users should migrate to "ppolicy"
>>>>>>>>>option
>>>>>>The feature was introduced in sssd-1.12.1 and deprecated in sssd-1.12.5
>>>>>>That's really fast progress. Deprecating the features
>>>>>>after half a year.
>>>>>>
>>>>>>Could someone explain to me why we need to do such ritual dances?
>>>>>>
>>>>>>LS
>>>>>First there was user who wanted lockout functionality that is being dropped
>>>>>now. https://fedorahosted.org/sssd/ticket/2364
>>>>>
>>>>>Then a few months later there came another user with
>>>>>https://fedorahosted.org/sssd/ticket/2534 who wished to do something similar
>>>>>but different.
>>>>>
>>I checked bugzilla tickets and the same user requested both features.
>But we can't be sure there are other users using it, can we? IMO we can't
>break their configuration at least not in minor release.
You wrote in previous mail:
"""
First there was user who wanted lockout functionality that is being dropped
now. https://fedorahosted.org/sssd/ticket/2364

Then a few months later there came another user with
https://fedorahosted.org/sssd/ticket/2534 who wished to do something similar
but different.

We think that use case addressed in 1st ticket can be handled by
functionality introduced for 2nd ticket.
"""

So if use case addressed in the 1st ticket can be handled by functionality
introduced for 2nd ticket then we can simply drop the 1st functionality
and make an alias from "lockout" to "ppolicy".

This is a very elegant solution which does not break old configurations.

LS