Commit Graph

2 Commits

Author SHA1 Message Date
Christian Heimes
ca6d6781c7 Define default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.

The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.

Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 11:28:29 +02:00
David Kupka
6f1d927467 password policy: Add explicit default password policy for hosts and services
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 17:46:12 +01:00