From 813dfe501348a671eeb3655cc7406c8e37a3860c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 25 Oct 2010 17:58:37 -0400
Subject: Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
---
 install/share/60kerberos.ldif | 8 +++++++-
 install/share/Makefile.am | 1 +
 install/share/bootstrap-template.ldif | 8 +-------
 install/share/default-pwpolicy.ldif | 14 ++++++++++++++
 4 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 install/share/default-pwpolicy.ldif
(limited to 'install/share')
diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif
index edfdb5702..f08329c48 100644
--- a/install/share/60kerberos.ldif
+++ b/install/share/60kerberos.ldif
@@ -120,6 +120,12 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUAL
 attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
 ##### Number of previous versions of passwords that are stored
 attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Number of consecutive pre-authentication failures before lockout
+attributetypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Period after which bad preauthentication count will be reset
+attributetypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Period in which lockout is enforced
+attributetypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
 ##### FDN pointing to a Kerberos Password Policy object
 attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
 ##### The time at which the principal's password expires
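Review bot: The descriptions of the two period attributes added here, krbPwdFailureCountInterval and krbPwdLockoutDuration, say "Period" without naming a unit, so someone setting them from this schema cannot tell seconds from minutes. As far as I recall MIT's kdb_ldap backend stores both as seconds (krb5_deltat), so I would make the comments say so: `##### Period (seconds) after which bad preauthentication count will be reset` and `##### Period (seconds) in which lockout is enforced`. The krbPwdPolicy objectClass change in the next hunk of this file is consistent with these three attributes and needs nothing further.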
@@ -289,7 +295,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbSe
 ##### can be applied to principals when they are created.
 ##### These policy attributes will be in effect, when the Kerberos
 ##### passwords are different from users' passwords (UP).
-objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
+objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
 ##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
 ##### This class can be attached to a principal object or realm object.
 objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e5fd64d19..06f81cb64 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -15,6 +15,7 @@ app_DATA = \
 default-aci.ldif \
 default-hbac.ldif \
 default-keytypes.ldif \
+ default-pwpolicy.ldif \
 delegation.ldif \
 dns.ldif \
 kerberos.ldif \
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 5e8df7771..a9b8b3d93 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -2,13 +2,7 @@ dn: cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: nsContainer
-objectClass: krbPwdPolicy
 cn: accounts
-krbMinPwdLife: 3600
-krbPwdMinDiffChars: 0
-krbPwdMinLength: 8
-krbPwdHistoryLength: 0
-krbMaxPwdLife: 7776000
 
 dn: cn=users,cn=accounts,$SUFFIX
 changetype: add
@@ -271,5 +265,5 @@ objectClass: ldapsubentry
 objectClass: cosSuperDefinition
 objectClass: cosClassicDefinition
 cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
-cosAttribute: krbPwdPolicyReference
+cosAttribute: krbPwdPolicyReference override
 cosSpecifier: memberOf
diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif
new file mode 100644
index 000000000..9d3d8a755
--- /dev/null
+++ b/install/share/default-pwpolicy.ldif
@@ -0,0 +1,14 @@
+dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: krbPwdPolicy
+krbMinPwdLife: 3600
+krbPwdMinDiffChars: 0
+krbPwdMinLength: 8
+krbPwdHistoryLength: 0
+krbMaxPwdLife: 7776000
+krbPwdMaxFailure: 3
+krbPwdFailureCountInterval: 60
+krbPwdLockoutDuration: 10
+
-- cgit
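Review bot: The `override` qualifier added to the cosAttribute line deserves a comment, because it changes which value wins when a user entry already carries a real krbPwdPolicyReference: without the qualifier the entry's own value takes precedence over the CoS-generated one, and since the commit message says every user entry now stores a reference to global_policy, the group policy from cn=cosTemplates would otherwise never apply. It also appears to mean that setting krbPwdPolicyReference directly on a user cannot pin that user to a policy while a group template applies, which is worth stating so nobody relies on it. I would add above the changed line: `# override: the group template's policy must win over the per-user krbPwdPolicyReference, which now always points at global_policy`. The CoS definition entry this line belongs to starts before the hunk.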
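Review bot: The three lockout values in the new global_policy entry (krbPwdMaxFailure: 3, krbPwdFailureCountInterval: 60, krbPwdLockoutDuration: 10) carry no unit and no rationale, and nothing in this file says what they mean. If the KDC reads the interval and duration as seconds, as I believe MIT's kdb_ldap backend does, then three bad pre-authentication attempts within a minute lock the principal for ten seconds; a short duration like that bounds the impact of someone repeatedly triggering lockouts against a known principal, which matters while, per the commit message, there is no replica-wide unlock. A `#` comment block above the dn line stating the units and that trade-off would keep later tuning of these defaults honest; the values themselves can stay.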