diff options
author | Rob Crittenden <rcritten@redhat.com> | 2007-11-16 12:59:32 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2007-11-16 12:59:32 -0500 |
commit | 1967aafa3985fa87e02ae372164abe2524d9bd65 (patch) | |
tree | bfe6d2a5e39d60f5d3b7138bba281dbc770ee5ba /ipa-server/ipa-install | |
parent | 0a3ed697465db8179a15f3b64160d8d545710698 (diff) | |
download | freeipa-1967aafa3985fa87e02ae372164abe2524d9bd65.tar.gz freeipa-1967aafa3985fa87e02ae372164abe2524d9bd65.tar.xz freeipa-1967aafa3985fa87e02ae372164abe2524d9bd65.zip |
Implement the password policy UI and finish IPA policy UI
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaCustomFields:
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
This could use some optimization.
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 21 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 11 |
2 files changed, 32 insertions, 0 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 8eb42b332..30f6fe8a0 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -9,6 +9,11 @@ changetype: add objectClass: top objectClass: nsContainer cn: accounts +krbMinPwdLife: 3600 +krbPwdMinDiffChars: 0 +krbPwdMinLength: 8 +krbPwdHistoryLength: 0 +krbMaxPwdLife: 864000 dn: cn=users,cn=accounts,$SUFFIX changetype: add @@ -95,3 +100,19 @@ objectClass: posixGroup gidNumber: 1003 description: Limited admins who can edit other users cn: editors + +dn: cn=ipaConfig,cn=etc,dc=greyoak,dc=com +changetype: add +objectClass: nsContainer +objectClass: top +objectClass: ipaGuiConfig +ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title +ipaGroupSearchFields: cn,description +ipaSearchTimeLimit: 2 +ipaSearchRecordsLimit: 0 +ipaCustomFields: +ipaHomesRootDir: /home +ipaDefaultLoginShell: /bin/sh +ipaDefaultPrimaryGroup: ipausers +ipaMaxUsernameLength: 8 +ipaPwdExpAdvNotify: 4 diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 3eee2ae3e..6e68b0e24 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -9,3 +9,14 @@ aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCo aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";) + +dn: cn=ipaConfig,cn=etc,dc=greyoak,dc=com +changetype: modify +add: aci +aci: (targetattr = "ipaUserSearchFields || ipaGroupSearchFields || ipaSearchTimeLimit || ipaSearchRecordsLimit || ipaCustomFields || ipaHomesRootDir || ipaDefaultLoginShell || ipaDefaultPrimaryGroup || ipaMaxUsernameLength || ipaPwdExpAdvNotify")(version 3.0;acl "Admins can write IPA policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +replace: aci + +dn: cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) |