diff options
-rw-r--r-- | install/share/60kerberos.ldif | 8 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/bootstrap-template.ldif | 8 | ||||
-rw-r--r-- | install/share/default-pwpolicy.ldif | 14 | ||||
-rw-r--r-- | ipalib/plugins/pwpolicy.py | 49 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 1 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 4 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_group_plugin.py | 4 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_user_plugin.py | 11 |
9 files changed, 70 insertions, 30 deletions
diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif index edfdb5702..f08329c48 100644 --- a/install/share/60kerberos.ldif +++ b/install/share/60kerberos.ldif @@ -120,6 +120,12 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUAL attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) ##### Number of previous versions of passwords that are stored attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) +##### Number of consecutive pre-authentication failures before lockout +attributetypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) +##### Period after which bad preauthentication count will be reset +attributetypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) +##### Period in which lockout is enforced +attributetypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) ##### FDN pointing to a Kerberos Password Policy object attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE) ##### The time at which the principal's password expires @@ -289,7 +295,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbSe ##### can be applied to principals when they are created. ##### These policy attributes will be in effect, when the Kerberos ##### passwords are different from users' passwords (UP). -objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) +objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) ) ##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. ##### This class can be attached to a principal object or realm object. objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index e5fd64d19..06f81cb64 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -15,6 +15,7 @@ app_DATA = \ default-aci.ldif \ default-hbac.ldif \ default-keytypes.ldif \ + default-pwpolicy.ldif \ delegation.ldif \ dns.ldif \ kerberos.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 5e8df7771..a9b8b3d93 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -2,13 +2,7 @@ dn: cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -objectClass: krbPwdPolicy cn: accounts -krbMinPwdLife: 3600 -krbPwdMinDiffChars: 0 -krbPwdMinLength: 8 -krbPwdHistoryLength: 0 -krbMaxPwdLife: 7776000 dn: cn=users,cn=accounts,$SUFFIX changetype: add @@ -271,5 +265,5 @@ objectClass: ldapsubentry objectClass: cosSuperDefinition objectClass: cosClassicDefinition cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX -cosAttribute: krbPwdPolicyReference +cosAttribute: krbPwdPolicyReference override cosSpecifier: memberOf diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif new file mode 100644 index 000000000..9d3d8a755 --- /dev/null +++ b/install/share/default-pwpolicy.ldif @@ -0,0 +1,14 @@ +dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +objectClass: krbPwdPolicy +krbMinPwdLife: 3600 +krbPwdMinDiffChars: 0 +krbPwdMinLength: 8 +krbPwdHistoryLength: 0 +krbMaxPwdLife: 7776000 +krbPwdMaxFailure: 3 +krbPwdFailureCountInterval: 60 +krbPwdLockoutDuration: 10 + diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index 893473611..53989def3 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -63,6 +63,7 @@ from ipalib import api from ipalib import Int, Str from ipalib.plugins.baseldap import * from ipalib import _ +from ipapython.ipautil import run class cosentry(LDAPObject): """ @@ -154,8 +155,7 @@ class cosentry_find(LDAPSearch): api.register(cosentry_find) -GLOBAL_POLICY_NAME = u'GLOBAL' - +global_policy_dn = 'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn) class pwpolicy(LDAPObject): """ @@ -168,7 +168,37 @@ class pwpolicy(LDAPObject): default_attributes = [ 'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife', 'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength', + 'krbpwdmaxfailure', 'krbpwdfailurecountinterval', + 'krbpwdlockoutduration', ] + has_lockout = False + lockout_params = () + (stdout, stderr, rc) = run(['klist', '-V'], raiseonerr=False) + if rc == 0: + if stdout.find('version 1.8') > -1: + has_lockout = True + + if has_lockout: + lockout_params = ( + Int('krbpwdmaxfailure?', + cli_name='maxfail', + label=_('Max failures'), + doc=_('Consecutive failures before lockout'), + minvalue=0, + ), + Int('krbpwdfailurecountinterval?', + cli_name='failinterval', + label=_('Failure reset interval'), + doc=_('Period after which failure count will be reset (seconds)'), + minvalue=0, + ), + Int('krbpwdlockoutduration?', + cli_name='lockouttime', + label=_('Lockout duration'), + doc=_('Period for which lockout is enforced (seconds)'), + minvalue=0, + ), + ) label = _('Password Policy') @@ -216,14 +246,14 @@ class pwpolicy(LDAPObject): doc=_('Priority of the policy (higher number means lower priority'), minvalue=0, ), - ) + ) + lockout_params def get_dn(self, *keys, **options): if keys[-1] is not None: return self.backend.make_dn_from_attr( self.primary_key.name, keys[-1], self.container_dn ) - return self.api.env.container_accounts + return global_policy_dn def convert_time_for_output(self, entry_attrs, **options): # Convert seconds to hours and days for displaying to user @@ -348,8 +378,6 @@ class pwpolicy_mod(LDAPUpdate): if not options.get('raw', False): if options.get('cospriority') is not None: entry_attrs['cospriority'] = [unicode(options['cospriority'])] - if keys[-1] is None: - entry_attrs['cn'] = GLOBAL_POLICY_NAME self.obj.convert_time_for_output(entry_attrs, **options) return dn @@ -394,8 +422,6 @@ class pwpolicy_show(LDAPRetrieve): entry_attrs['cospriority'] = cos_entry['cospriority'] except errors.NotFound: pass - else: - entry_attrs['cn'] = GLOBAL_POLICY_NAME self.obj.convert_time_for_output(entry_attrs, **options) return dn @@ -418,13 +444,6 @@ class pwpolicy_find(LDAPSearch): except errors.NotFound: pass self.obj.convert_time_for_output(e[1], **options) - if not args[-1]: - global_entry = self.api.Command.pwpolicy_show( - all=options.get('all', False), raw=options.get('raw', False) - )['result'] - dn = global_entry['dn'] - del global_entry['dn'] - entries.insert(0, (dn, global_entry)) api.register(pwpolicy_find) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 6bfb7b6fb..086dc3933 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -177,6 +177,7 @@ class user_add(LDAPCreate): home_dir = '%s/%s' % (homes_root, keys[-1]) home_dir = home_dir.replace('//', '/').rstrip('/') entry_attrs['homedirectory'] = home_dir + entry_attrs.setdefault('krbpwdpolicyreference', 'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)) if ldap.has_upg(): # User Private Groups - uidNumber == gidNumber diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index e78155dc4..d8a5eff24 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -169,6 +169,7 @@ class KrbInstance(service.Service): self.step("adding default ACIs", self.__add_default_acis) self.step("configuring KDC", self.__create_instance) self.step("adding default keytypes", self.__add_default_keytypes) + self.step("adding default password policy", self.__add_default_pwpolicy) self.step("creating a keytab for the directory", self.__create_ds_keytab) self.step("creating a keytab for the machine", self.__create_host_keytab) self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab) @@ -303,6 +304,9 @@ class KrbInstance(service.Service): def __add_default_keytypes(self): self._ldap_mod("default-keytypes.ldif", self.sub_dict) + def __add_default_pwpolicy(self): + self._ldap_mod("default-pwpolicy.ldif", self.sub_dict) + def __create_replica_instance(self): self.__create_instance(replica=True) diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 10d3f6748..3ec17b30e 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -335,8 +335,8 @@ class test_group(Declarative): 'gidnumber': [fuzzy_digits], 'cn': [u'admins'], 'description': [u'Account administrators group'], - 'memberof_rolegroup': [u'replicaadmin'], - 'memberof_taskgroup': [u'managereplica', u'deletereplica'], + 'memberof_rolegroup': [u'hostadmin', u'replicaadmin'], + 'memberof_taskgroup': [u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], }, { 'dn': u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn, diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 8c2bae499..a1346f58b 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -150,7 +150,8 @@ class test_user(Declarative): 'uidnumber': [fuzzy_digits], 'gidnumber': [fuzzy_digits], 'ipauniqueid': [fuzzy_uuid], - 'mepmanagedentry': [u'cn=%s,cn=groups,cn=accounts,%s' % (user1, api.env.basedn)] + 'mepmanagedentry': [u'cn=%s,cn=groups,cn=accounts,%s' % (user1, api.env.basedn)], + 'krbpwdpolicyreference': [u'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)], }, ], summary=u'1 user matched', @@ -197,8 +198,8 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], memberof_group=[u'admins'], - memberof_rolegroup=[u'replicaadmin'], - memberof_taskgroup=[u'managereplica', u'deletereplica'], + memberof_rolegroup=[u'hostadmin', u'replicaadmin'], + memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], ), dict( dn=u'uid=tuser1,cn=users,cn=accounts,' + api.env.basedn, @@ -231,8 +232,8 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], memberof_group=[u'admins'], - memberof_rolegroup=[u'replicaadmin'], - memberof_taskgroup=[u'managereplica', u'deletereplica'], + memberof_rolegroup=[u'hostadmin', u'replicaadmin'], + memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], ), ], summary=u'1 user matched', |