Define default password policy for sysaccounts

cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP. Fixes: https://pagure.io/freeipa/issue/8276 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-04-17 11:15:56 +02:00
parent bb24641e8f
commit ca6d6781c7
1 changed files with 48 additions and 4 deletions
--- a/install/updates/20-default_password_policy.update
+++ b/install/updates/20-default_password_policy.update
@@ -1,6 +1,9 @@
-# Default password policies for hosts, services and Kerberos services
-# Setting all attributes to zero effectively disables any password policy
-# We can do this because hosts and services uses keytabs instead of passwords
+# Default password policies for hosts, services, system accounts, and
+# Kerberos services
+# Setting all attributes to zero effectively disables any password policy.
+# We can do this because hosts and services uses keytabs instead of
+# passwords. System accounts with krbPrincipalAux objectClass also use
+# keytabs.

 # hosts
 dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
@@ -55,7 +58,24 @@ default:krbPwdMaxFailure: 0
 default:krbPwdFailureCountInterval: 0
 default:krbPwdLockoutDuration: 0

-# default password policies for hosts, services and kerberos services
+# system accounts
+# Contrary to the other policies this policy has a minimum password length.
+dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default System Accounts Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 8
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services, system accounts, and
+# kerberos services
 # cosPriority is set intentionally to higher number than FreeIPA API allows
 # to set to ensure that these password policies have always lower priority
 # than any defined by user.
@@ -131,3 +151,27 @@ default:objectClass: cosSuperDefinition
 default:objectClass: cosPointerDefinition
 default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
 default:cosAttribute: krbPwdPolicyReference default
+
+# system accounts
+dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+
+dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+default:description: Default Password Policy for System Accounts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default