# Default password policies for hosts, services, system accounts, and # Kerberos services # Setting all attributes to zero effectively disables any password policy. # We can do this because hosts and services uses keytabs instead of # passwords. System accounts with krbPrincipalAux objectClass also use # keytabs. # hosts dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX default:objectClass: krbPwdPolicy default:objectClass: nsContainer default:objectClass: top default:cn: Default Host Password Policy default:krbMinPwdLife: 0 default:krbPwdMinDiffChars: 0 default:krbPwdMinLength: 0 default:krbPwdHistoryLength: 0 default:krbMaxPwdLife: 0 default:krbPwdMaxFailure: 0 default:krbPwdFailureCountInterval: 0 default:krbPwdLockoutDuration: 0 # services dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX default:objectClass: krbPwdPolicy default:objectClass: nsContainer default:objectClass: top default:cn: Default Service Password Policy default:krbMinPwdLife: 0 default:krbPwdMinDiffChars: 0 default:krbPwdMinLength: 0 default:krbPwdHistoryLength: 0 default:krbMaxPwdLife: 0 default:krbPwdMaxFailure: 0 default:krbPwdFailureCountInterval: 0 default:krbPwdLockoutDuration: 0 # kerberos policy container # this is necessary to avoid mixing the Kerberos sevice password policy # with group-membership based user password policies dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX default:objectClass: nsContainer default:objectClass: top default:cn: Kerberos Service Password Policy # kerberos services dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX default:objectClass: krbPwdPolicy default:objectClass: nsContainer default:objectClass: top default:cn: Default Kerberos Service Password Policy default:krbMinPwdLife: 0 default:krbPwdMinDiffChars: 0 default:krbPwdMinLength: 0 default:krbPwdHistoryLength: 0 default:krbMaxPwdLife: 0 default:krbPwdMaxFailure: 0 default:krbPwdFailureCountInterval: 0 default:krbPwdLockoutDuration: 0 # system accounts # Contrary to the other policies this policy has a minimum password length. dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX default:objectClass: krbPwdPolicy default:objectClass: nsContainer default:objectClass: top default:cn: Default System Accounts Password Policy default:krbMinPwdLife: 0 default:krbPwdMinDiffChars: 0 default:krbPwdMinLength: 8 default:krbPwdHistoryLength: 0 default:krbMaxPwdLife: 0 default:krbPwdMaxFailure: 0 default:krbPwdFailureCountInterval: 0 default:krbPwdLockoutDuration: 0 # default password policies for hosts, services, system accounts, and # kerberos services # cosPriority is set intentionally to higher number than FreeIPA API allows # to set to ensure that these password policies have always lower priority # than any defined by user. # hosts dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX default:objectclass: top default:objectclass: nsContainer default:cn: cosTemplates dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX default:objectclass: top default:objectclass: cosTemplate default:objectclass: extensibleObject default:objectclass: krbContainer default:cn: Default Password Policy default:cosPriority: 10000000000 default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX default:description: Default Password Policy for Hosts default:objectClass: top default:objectClass: ldapsubentry default:objectClass: cosSuperDefinition default:objectClass: cosPointerDefinition default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX default:cosAttribute: krbPwdPolicyReference default # services dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX default:objectclass: top default:objectclass: nsContainer default:cn: cosTemplates dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX default:objectclass: top default:objectclass: cosTemplate default:objectclass: extensibleObject default:objectclass: krbContainer default:cn: Default Password Policy default:cosPriority: 10000000000 default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX default:description: Default Password Policy for Services default:objectClass: top default:objectClass: ldapsubentry default:objectClass: cosSuperDefinition default:objectClass: cosPointerDefinition default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX default:cosAttribute: krbPwdPolicyReference default # kerberos services dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX default:objectclass: top default:objectclass: nsContainer default:cn: cosTemplates dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX default:objectclass: top default:objectclass: cosTemplate default:objectclass: extensibleObject default:objectclass: krbContainer default:cn: Default Password Policy default:cosPriority: 10000000000 default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX default:description: Default Password Policy for Kerberos Services default:objectClass: top default:objectClass: ldapsubentry default:objectClass: cosSuperDefinition default:objectClass: cosPointerDefinition default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX default:cosAttribute: krbPwdPolicyReference default # system accounts dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX default:objectclass: top default:objectclass: nsContainer default:cn: cosTemplates dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX default:objectclass: top default:objectclass: cosTemplate default:objectclass: extensibleObject default:objectclass: krbContainer default:cn: Default Password Policy default:cosPriority: 10000000000 default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX default:description: Default Password Policy for System Accounts default:objectClass: top default:objectClass: ldapsubentry default:objectClass: cosSuperDefinition default:objectClass: cosPointerDefinition default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX default:cosAttribute: krbPwdPolicyReference default