mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
08e7af9f0f
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added. The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs passwords enforcements doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS. https://fedorahosted.org/freeipa/ticket/6561 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.