# Default password policies for hosts, services, system accounts, and
# Kerberos services
# Setting all attributes to zero effectively disables any password policy.
# We can do this because hosts and services use keytabs instead of
# passwords. System accounts with krbPrincipalAux objectClass also use
# keytabs.
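# hosts
# Every line uses the updater's "default:" form, so a value is written only
# when the entry is first created; an existing entry keeps what it holds.
# All krbPwdPolicy limits are 0: no minimum lifetime, character-class,
# length or history requirement, no expiry, and no failure counting or
# lockout for principals covered by this policy.
# NOTE(review): this is acceptable only while host principals authenticate
# with keytabs; confirm that no host is left with a password-derived
# credential, because nothing here would constrain it.
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Host Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0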
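# services
# Same shape as the host policy: every krbPwdPolicy limit is 0, so no
# length, history, expiry or lockout rule applies to principals under
# cn=services. This relies on services authenticating with keytabs.
# "default:" values are applied only when the entry is created; later
# updater runs leave an existing entry's values as they are.
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0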
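# kerberos policy container
# This is necessary to avoid mixing the Kerberos service password policy
# with group-membership based user password policies.
# The entry is a plain nsContainer: it carries no krbPwdPolicy attributes
# itself and only gives the policy entry below a separate parent.
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: Kerberos Service Password Policy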
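# kerberos services
# Policy for principals stored under cn=$REALM,cn=kerberos. It lives inside
# the "Kerberos Service Password Policy" container rather than next to the
# user policies. All limits are 0, so no length, history, expiry or lockout
# rule is enforced.
# NOTE(review): with krbPwdMaxFailure set to 0 no failed-authentication
# lockout applies to these principals; make sure they only hold random
# keys and not passwords chosen by a person.
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Kerberos Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0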
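# system accounts
# Contrary to the other policies this policy has a minimum password length.
# krbPwdMinLength: 8 is the only control set here. History, expiry,
# failure counting and lockout all stay at 0, i.e. disabled.
# NOTE(review): accounts under cn=sysaccounts that bind with a password
# are therefore protected by length alone. Give them long random secrets,
# and watch for repeated failed binds elsewhere, since this policy will
# never lock such an account.
dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default System Accounts Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 8
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0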
# Default password policies for hosts, services, system accounts, and
# Kerberos services
# cosPriority is intentionally set to a higher number than the FreeIPA API
# allows, to ensure that these password policies always have lower priority
# than any defined by a user.
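# hosts
# Three entries attach the default host policy to entries under
# cn=computers through Class of Service (CoS).

# 1. Container that holds the CoS template.
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

# 2. Template: supplies krbPwdPolicyReference pointing at the all-zero host
#    policy. The very large cosPriority keeps this template behind any
#    policy an administrator defines.
dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX

# 3. Pointer definition: links the subtree to the template above. The
#    "default" qualifier means a krbPwdPolicyReference stored on an entry
#    itself takes precedence over the CoS-supplied value.
dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
default:description: Default Password Policy for Hosts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default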
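# services
# CoS wiring that applies the default service policy to entries under
# cn=services: a template container, the template, and a pointer definition.

# Container for the CoS template.
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

# Template referencing the all-zero service policy. cosPriority is set far
# above what an administrator can assign, so administrator-defined
# policies always win.
dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX

# Pointer definition. "krbPwdPolicyReference default" supplies the
# attribute only where the entry does not already carry its own value.
dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
default:description: Default Password Policy for Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default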
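# kerberos services
# CoS wiring for entries under cn=$REALM,cn=kerberos. The template points
# at the policy kept inside the "Kerberos Service Password Policy"
# container, not at a user policy.

# Container for the CoS template.
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

# Template referencing the all-zero Kerberos service policy. The large
# cosPriority keeps it behind any administrator-defined policy.
dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX

# Pointer definition. The "default" qualifier lets a value set directly on
# an entry take precedence over this template.
dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:description: Default Password Policy for Kerberos Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default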
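# system accounts
# CoS wiring for entries under cn=sysaccounts,cn=etc. The referenced
# policy is the only default in this file with a non-zero limit
# (krbPwdMinLength: 8).

# Container for the CoS template.
dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

# Template referencing the system accounts policy. The large cosPriority
# keeps it behind any administrator-defined policy.
dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX

# Pointer definition. The "default" qualifier lets a
# krbPwdPolicyReference stored on the account itself take precedence.
# NOTE(review): a per-account reference can therefore point a system
# account at a different policy; audit such references when reviewing
# which policy a given account is actually under.
dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:description: Default Password Policy for System Accounts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default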