Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/share/Makefile.am | 1 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 5 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-keytypes.ldif | 20 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/kdc.conf.template | 2 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/kerberos.ldif | 1 |
5 files changed, 25 insertions, 4 deletions
diff --git a/ipa-server/ipa-install/share/Makefile.am b/ipa-server/ipa-install/share/Makefile.am
index 5d117dec5..4908d35a9 100644
--- a/ipa-server/ipa-install/share/Makefile.am
+++ b/ipa-server/ipa-install/share/Makefile.am
@@ -8,6 +8,7 @@ app_DATA = \
 60ipaconfig.ldif \
 bootstrap-template.ldif \
 default-aci.ldif \
+ default-keytypes.ldif \
 kerberos.ldif \
 indeces.ldif \
 bind.named.conf.template \
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 5715259a1..1f1409e13 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -3,8 +3,9 @@ dn: $SUFFIX
 changetype: modify
 replace: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
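Review bot: The two rewritten allow ACIs drop `krbMkey` from their `targetattr !=` exclusion lists, so anonymous and admin access to the master key is now prevented only by the new deny rule winning over them; if that deny ACI is ever lost (for instance by a later `replace: aci` that does not carry it) the master key becomes readable by any bind. Keeping the attribute excluded costs nothing and gives defence in depth: `aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)` and the same `|| krbMKey` on the "Admin can manage any entry" rule. A comment above the deny rule should also say that it grants nothing by itself — the kdc account's right to krbMKey comes from the `targetattr="*"` allow in kerberos.ldif — and that every other bind, including admin, is locked out, so master key maintenance has to be done as that account or as the directory manager (which, as far as I recall, is not subject to ACIs).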
diff --git a/ipa-server/ipa-install/share/default-keytypes.ldif b/ipa-server/ipa-install/share/default-keytypes.ldif
new file mode 100644
index 000000000..9cafacd35
--- /dev/null
+++ b/ipa-server/ipa-install/share/default-keytypes.ldif
@@ -0,0 +1,20 @@
+#kerberos keytypes
+dn: cn=$REALM,cn=kerberos,$SUFFIX
+changetype: modify
+add: krbSupportedEncSaltTypes
+krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: des-hmac-sha1:normal
+krbSupportedEncSaltTypes: des-cbc-md5:normal
+krbSupportedEncSaltTypes: des-cbc-crc:normal
+krbSupportedEncSaltTypes: des-cbc-crc:v4
+krbSupportedEncSaltTypes: des-cbc-crc:afs3
+krbDefaultEncSaltTypes: aes256-cts:normal
+krbDefaultEncSaltTypes: aes128-cts:normal
+krbDefaultEncSaltTypes: des3-hmac-sha1:normal
+krbDefaultEncSaltTypes: arcfour-hmac:normal
+krbDefaultEncSaltTypes: des-hmac-sha1:normal
+krbDefaultEncSaltTypes: des-cbc-md5:normal
+
diff --git a/ipa-server/ipa-install/share/kdc.conf.template b/ipa-server/ipa-install/share/kdc.conf.template
index 69e769e34..0ac4d4670 100644
--- a/ipa-server/ipa-install/share/kdc.conf.template
+++ b/ipa-server/ipa-install/share/kdc.conf.template
@@ -4,7 +4,7 @@
 [realms]
 $REALM = {
 master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 max_life = 7d
 max_renewable_life = 14d
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index 75057aa3a..f1b651d5a 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
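Review bot: The six `krbDefaultEncSaltTypes:` values sit inside the single `add: krbSupportedEncSaltTypes` mod spec with no separator, so this modify record mixes two attribute types in one operation, which LDIF change syntax does not allow and which ldapmodify would be expected to reject with an attribute-type mismatch rather than apply. Put a mod-spec separator and a second spec in front of the first default line: `-` followed by `add: krbDefaultEncSaltTypes`. Separately, the default list still asks for des3-hmac-sha1, arcfour-hmac, des-hmac-sha1 and des-cbc-md5 keys on every new principal next to the AES ones, so each principal keeps a 56-bit single-DES key derived from the same password, and a client that requests only DES enctypes can be answered under that key as long as the KDC honours the request; if AES is the goal, consider limiting krbDefaultEncSaltTypes to the AES types and leaving the legacy types in krbSupportedEncSaltTypes only for compatibility with existing keys, with a comment in the file saying why each list differs.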
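Review bot: `master_key_type = des3-hmac-sha1` on the context line directly above the changed one is left as is, so the key that wraps every principal key in the KDC database stays weaker than the new aes256-cts keys it protects; if the realm is being moved to AES, `master_key_type = aes256-cts` belongs in the same change, with the caveat that the master key type is chosen when the database is created, so this only affects new installs. The new list also still carries `des-cbc-crc:v4` and `des-cbc-crc:afs3`, which exist for Kerberos 4 and AFS compatibility and are worth dropping unless that interoperability is a stated requirement. The same enctype list now lives both here and in krbSupportedEncSaltTypes in default-keytypes.ldif; a comment above this line such as `# keep in sync with share/default-keytypes.ldif` would make the duplication visible to the next person editing either copy.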
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -14,4 +14,3 @@ objectClass: top
 cn: kerberos
 aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-