From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 18 Aug 2022 08:21:58 -0400 Subject: [PATCH] doc: Update LDAP grace period design with default values New group password policies will get -1 (unlimited) on creation by default. Existing group password policies will remain untouched and those created prior will be treated as no BIND allowed. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- doc/designs/ldap_grace_period.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644 --- a/doc/designs/ldap_grace_period.md +++ b/doc/designs/ldap_grace_period.md @@ -51,7 +51,22 @@ The basic flow is: On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0. -The default value on install/upgrade will be -1 to retail existing behavior. +Range values for passwordgracelimit are: + +-1 : password grace checking is disabled + 0 : no grace BIND are allowed at all post-expiration + 1..MAXINT: the number of BIND allowed post-expiration + +The default value for the global policy on install/upgrade will be -1 to +retain existing behavior. + +New group password policies will default to -1 to retain previous +behavior. + +Existing group policies with no grace limit set are updated to use +the default unlimited value, -1. This is done because lack of value in +LDAP is treated as 0 so any existing group policies would not allow +post-expiration BIND so this will avoid confusion. The per-user attempts will not be replicated. -- 2.37.2
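Review bot: the last added paragraph ("Existing group policies with no grace limit set are updated to use the default unlimited value, -1") contradicts the commit message, which says existing group password policies will remain untouched and those created prior will be treated as no BIND allowed; the two should agree, because the outcomes differ in a security-relevant way (an untouched policy with no value denies every post-expiration BIND, an upgraded one permits unlimited post-expiration BINDs), so either the doc text or the commit message needs to change to match what the upgrade code actually does. Two smaller points in the same hunk: the range list is three plain indented lines ("-1 : password grace checking is disabled" / " 0 : no grace BIND are allowed at all post-expiration" / " 1..MAXINT: the number of BIND allowed post-expiration"), which Markdown will collapse into a single paragraph, so it should go in a fenced block or a table; and -1 is called "disabled" in that list but "unlimited" in the final paragraph, so one term should be used consistently. Minor wording: "no grace BIND are allowed" should read "no grace BINDs are allowed".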