IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
a21214cb9e
freeipa/install/updates/20-default_password_policy.update
Christian Heimes ca6d6781c7 Define default password policy for sysaccounts 
cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.

The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.

Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 11:28:29 +02:00

178 lines
6.5 KiB
Plaintext
Raw Blame History

# Default password policies for hosts, services, system accounts, and
# Kerberos services
# Setting all attributes to zero effectively disables any password policy.
# We can do this because hosts and services uses keytabs instead of
# passwords. System accounts with krbPrincipalAux objectClass also use
# keytabs.
# hosts
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Host Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# services
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# kerberos policy container
# this is necessary to avoid mixing the Kerberos sevice password policy
# with group-membership based user password policies
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: Kerberos Service Password Policy
# kerberos services
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Kerberos Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# system accounts
# Contrary to the other policies this policy has a minimum password length.
dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default System Accounts Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 8
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# default password policies for hosts, services, system accounts, and
# kerberos services
# cosPriority is set intentionally to higher number than FreeIPA API allows
# to set to ensure that these password policies have always lower priority
# than any defined by user.
# hosts
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
default:description: Default Password Policy for Hosts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# services
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
default:description: Default Password Policy for Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# kerberos services
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:description: Default Password Policy for Kerberos Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# system accounts
dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
default:description: Default Password Policy for System Accounts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
Reference in New Issue View Git Blame Copy Permalink