From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Thu, 18 Aug 2022 08:21:58 -0400

Subject: [PATCH] doc: Update LDAP grace period design with default values

New group password policies will get -1 (unlimited) on creation

by default.

Existing group password policies will remain untouched and

those created prior will be treated as no BIND allowed.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

 doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-

 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md

index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644

--- a/doc/designs/ldap_grace_period.md

+++ b/doc/designs/ldap_grace_period.md

@@ -51,7 +51,22 @@ The basic flow is:

 On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.

-The default value on install/upgrade will be -1 to retail existing behavior.

+Range values for passwordgracelimit are:

+

+-1 : password grace checking is disabled

+ 0 : no grace BIND are allowed at all post-expiration

+ 1..MAXINT: the number of BIND allowed post-expiration

+

+The default value for the global policy on install/upgrade will be -1 to

+retain existing behavior.

+

+New group password policies will default to -1 to retain previous

+behavior.

+

+Existing group policies with no grace limit set are updated to use

+the default unlimited value, -1. This is done because lack of value in

+LDAP is treated as 0 so any existing group policies would not allow

+post-expiration BIND so this will avoid confusion.

 The per-user attempts will not be replicated.

-- 

2.37.2