Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51

1 files changed, 1 insertions, 7 deletions

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 5e8df7771..a9b8b3d93 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -2,13 +2,7 @@ dn: cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: nsContainer
-objectClass: krbPwdPolicy
 cn: accounts
-krbMinPwdLife: 3600
-krbPwdMinDiffChars: 0
-krbPwdMinLength: 8
-krbPwdHistoryLength: 0
-krbMaxPwdLife: 7776000
 
 dn: cn=users,cn=accounts,$SUFFIX
 changetype: add
@@ -271,5 +265,5 @@ objectClass: ldapsubentry
 objectClass: cosSuperDefinition
 objectClass: cosClassicDefinition
 cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
-cosAttribute: krbPwdPolicyReference
+cosAttribute: krbPwdPolicyReference override
 cosSpecifier: memberOf