From 195a65d5c2b2f2a318225a94e734ec41cdc34b1d Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 8 Jun 2011 17:21:23 -0400
Subject: ipa-kdb: Change install to use the new ipa-kdb kdc backend

Use ipakdb instead of kldap and change install procedures accordingly

Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
---
 install/share/Makefile.am | 2 --
 install/share/default-keytypes.ldif | 33 -------------------------------
 install/share/default-pwpolicy.ldif | 14 -------------
 install/share/kdc.conf.template | 1 -
 install/share/kerberos.ldif | 39 ++++++++++++++++++++++++++++++++++++++
 install/share/krb5.conf.template | 7 +------
 6 files changed, 40 insertions(+), 56 deletions(-)
 delete mode 100644 install/share/default-keytypes.ldif
 delete mode 100644 install/share/default-pwpolicy.ldif
(limited to 'install')

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c6361099b..1ff2a4ea3 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,8 +13,6 @@ app_DATA = \
  caJarSigningCert.cfg.template \
  default-aci.ldif \
  default-hbac.ldif \
- default-keytypes.ldif \
- default-pwpolicy.ldif \
  delegation.ldif \
  replica-acis.ldif \
  ds-nfiles.ldif \
diff --git a/install/share/default-keytypes.ldif b/install/share/default-keytypes.ldif
deleted file mode 100644
index 8093b6989..000000000
--- a/install/share/default-keytypes.ldif
+++ /dev/null
@@ -1,33 +0,0 @@
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbSupportedEncSaltTypes
-krbSupportedEncSaltTypes: aes256-cts:normal
-krbSupportedEncSaltTypes: aes256-cts:special
-krbSupportedEncSaltTypes: aes128-cts:normal
-krbSupportedEncSaltTypes: aes128-cts:special
-krbSupportedEncSaltTypes: des3-hmac-sha1:normal
-krbSupportedEncSaltTypes: des3-hmac-sha1:special
-krbSupportedEncSaltTypes: arcfour-hmac:normal
-krbSupportedEncSaltTypes: arcfour-hmac:special
-krbSupportedEncSaltTypes: des-hmac-sha1:normal
-krbSupportedEncSaltTypes: des-cbc-md5:normal
-krbSupportedEncSaltTypes: des-cbc-crc:normal
-krbSupportedEncSaltTypes: des-cbc-crc:v4
-krbSupportedEncSaltTypes: des-cbc-crc:afs3
--
-add: krbMaxTicketLife
-krbMaxTicketLife: 86400
--
-add: krbMaxRenewableAge
-krbMaxRenewableAge: 604800
-
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:special
-krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
-
diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif
deleted file mode 100644
index 1bb4a096e..000000000
--- a/install/share/default-pwpolicy.ldif
+++ /dev/null
@@ -1,14 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-objectClass: krbPwdPolicy
-krbMinPwdLife: 3600
-krbPwdMinDiffChars: 0
-krbPwdMinLength: 8
-krbPwdHistoryLength: 0
-krbMaxPwdLife: 7776000
-krbPwdMaxFailure: 6
-krbPwdFailureCountInterval: 60
-krbPwdLockoutDuration: 600
-
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 02f1dc111..0a51162da 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,6 @@
 [realms]
 $REALM = {
 master_key_type = aes256-cts
- supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 max_life = 7d
 max_renewable_life = 14d
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index a4c603d8b..a40b63aa0 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -16,3 +16,42 @@ objectClass: top
 cn: kerberos
 aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn=
  "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+#Realm base object
+dn: cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+cn: $REALM
+objectClass: top
+objectClass: krbrealmcontainer
+objectClass: krbticketpolicyaux
+krbSubTrees: $SUFFIX
+krbSearchScope: 2
+krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
+krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
+krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
+krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
+krbMaxTicketLife: 86400
+krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special
+
+# Default password Policy
+dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: krbPwdPolicy
+krbMinPwdLife: 3600
+krbPwdMinDiffChars: 0
+krbPwdMinLength: 8
+krbPwdHistoryLength: 0
+krbMaxPwdLife: 7776000
+krbPwdMaxFailure: 6
+krbPwdFailureCountInterval: 60
+krbPwdLockoutDuration: 600
+
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 46e26a4ba..d5e5af595 100644
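Review bot: The realm object added in the kerberos.ldif hunk lists only AES, des3-hmac-sha1 and arcfour-hmac in krbSupportedEncSaltTypes, so the five single-DES entries (des-hmac-sha1:normal, des-cbc-md5:normal, des-cbc-crc:normal, des-cbc-crc:v4, des-cbc-crc:afs3) that both the deleted default-keytypes.ldif and the supported_enctypes line removed in the kdc.conf.template hunk carried are gone for new installs. Dropping single DES is a sound hardening, but it is a behaviour change for realms installed from this template that the commit message does not mention; state it there or mark it in the LDIF with `# single-DES enctypes intentionally not listed; realm supports AES, des3-hmac-sha1 and arcfour-hmac only`. The deleted files applied the enctype and ticket-policy attributes to an existing cn=$REALM entry with `changetype: modify`, whereas the new template creates that entry with `changetype: add`, so if installer code outside this diff still creates cn=$REALM,cn=kerberos,$SUFFIX the add will fail as a duplicate — worth confirming. The password policy block is moved verbatim, so its values are pre-existing defaults rather than part of this change.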
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -31,11 +31,6 @@
 [dbmodules]
 $REALM = {
- db_library = kldap
- ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
- ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
- ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
- ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
- ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
+ db_library = ipadb.so
 }
-- cgit
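Review bot: The new `[dbmodules]` stanza is reduced to `db_library = ipadb.so`, and nothing in the template now says where the driver obtains the LDAP server, realm container or bind identity that the removed kldap lines spelled out; a comment above it such as `# connection and bind settings for ipadb are not configured here (see ipa-kdb)` would tell an operator reading the generated krb5.conf that the omission is intentional. The commit message says the master key is read from LDAP instead of a keytab, so the removed `ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd` presumably has no replacement; the installer code that wrote that file is outside this diff and should stop creating it, otherwise an unused credential file is left behind on the KDC host. I cannot tell from this hunk how ipadb authenticates to the directory; confirm that the `uid=kdc` bind identity dropped here is replaced by an equivalent credential source rather than an anonymous or unauthenticated connection.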