On Tue, 2016-05-31 at 17:48 -0700, Noriko Hosoi wrote:
> https://fedorahosted.org/389/ticket/48833
>
> There are 2 proposals. I'd like to have your thoughts which one would
> be preferable.
>
> https://fedorahosted.org/389/attachment/ticket/48833/0001-Ticket-48833-389-showing-inconsistent-values-for-sha.2.patch
> git patch file (master) -- second proposal -- this patch allows the
> password policy values and shadow account values in sync.
> If we choose this option, DS Console Password Policy panel needs to be
> modified to support the larger value than INT_MAX.
>
> https://fedorahosted.org/389/attachment/ticket/48833/0001-Ticket-48833-389-showing-inconsistent-values-for-sha.patch
> git patch file (master) -- first proposal -- shadow account values won't
> be touched if they already exist in an entry.
> Restrictions:
> 1. If objectclass: shadowaccount is set and there is no shadow account
> values in an entry, the shadowmax, min, and warning are filled by
> calculating them from the password policy values. The maximum value of
> calculated shadowMax is 24855 (== 2^31-1 / (24 * 60 * 60)).
> 2. Even if the values of the password policy are updated, shadow account
> values are not effected.
I'm for option 1. I believe our shadow and password policy should be in sync. This prevents admins making mistakes, and allows
clients to gain functionality.
There is no reasonable benefit IMO to having shadow and ldap policy out of sync.
It also means that a seamless upgrade occurs, where existing sites, with existing (bad) shadow data, well begin to get the
benefit of a now *working* shadow value.
Thanks,
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment