mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
d38dd2680f
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use. Due to bootstrapping process, force explicitly supported encryption types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only in FIPS mode at bootstrap time which then fails to initialize kadmin principals requiring use of AES256-SHA2 and AES128-SHA2. Camellia ciphers must be filtered out in FIPS mode, we do that already in the kerberos.ldif. At this point we are not changing the master key encryption type to AES256-SHA2 because upgrading existing deployments is complicated and at the time when a replica configuration is deployed, we don't know what is the encryption type of the master key of the original server as well. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Julien Rische <jrische@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
51 lines
1.5 KiB
Plaintext
51 lines
1.5 KiB
Plaintext
#kerberos base object
|
|
dn: cn=kerberos,$SUFFIX
|
|
changetype: add
|
|
objectClass: krbContainer
|
|
objectClass: top
|
|
cn: kerberos
|
|
|
|
#Realm base object
|
|
dn: cn=$REALM,cn=kerberos,$SUFFIX
|
|
changetype: add
|
|
cn: $REALM
|
|
objectClass: top
|
|
objectClass: krbrealmcontainer
|
|
objectClass: krbticketpolicyaux
|
|
krbSubTrees: $SUFFIX
|
|
krbSearchScope: 2
|
|
krbSupportedEncSaltTypes: aes256-cts:normal
|
|
krbSupportedEncSaltTypes: aes256-cts:special
|
|
krbSupportedEncSaltTypes: aes128-cts:normal
|
|
krbSupportedEncSaltTypes: aes128-cts:special
|
|
krbSupportedEncSaltTypes: aes128-sha2:normal
|
|
krbSupportedEncSaltTypes: aes128-sha2:special
|
|
krbSupportedEncSaltTypes: aes256-sha2:normal
|
|
krbSupportedEncSaltTypes: aes256-sha2:special
|
|
${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
|
|
${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
|
|
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
|
|
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
|
|
krbMaxTicketLife: 86400
|
|
krbMaxRenewableAge: 604800
|
|
krbDefaultEncSaltTypes: aes256-sha2:special
|
|
krbDefaultEncSaltTypes: aes128-sha2:special
|
|
krbDefaultEncSaltTypes: aes256-cts:special
|
|
krbDefaultEncSaltTypes: aes128-cts:special
|
|
|
|
# Default password Policy
|
|
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
objectClass: krbPwdPolicy
|
|
krbMinPwdLife: 3600
|
|
krbPwdMinDiffChars: 0
|
|
krbPwdMinLength: 8
|
|
krbPwdHistoryLength: 0
|
|
krbMaxPwdLife: 7776000
|
|
krbPwdMaxFailure: 6
|
|
krbPwdFailureCountInterval: 60
|
|
krbPwdLockoutDuration: 600
|
|
|