freeipa/install/updates/20-default_password_policy.update

178 lines
6.5 KiB
Plaintext
Raw Normal View History

# Default password policies for hosts, services, system accounts, and
# Kerberos services
# Setting all attributes to zero effectively disables any password policy.
# We can do this because hosts and services uses keytabs instead of
# passwords. System accounts with krbPrincipalAux objectClass also use
# keytabs.
# hosts
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Host Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# services
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# kerberos policy container
# this is necessary to avoid mixing the Kerberos sevice password policy
# with group-membership based user password policies
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: Kerberos Service Password Policy
# kerberos services
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Kerberos Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# system accounts
# Contrary to the other policies this policy has a minimum password length.
dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default System Accounts Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 8
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# default password policies for hosts, services, system accounts, and
# kerberos services
# cosPriority is set intentionally to higher number than FreeIPA API allows
# to set to ensure that these password policies have always lower priority
# than any defined by user.
# hosts
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
default:description: Default Password Policy for Hosts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# services
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
default:description: Default Password Policy for Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# kerberos services
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:description: Default Password Policy for Kerberos Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# system accounts
dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:description: Default Password Policy for System Accounts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default