Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
author: Rob Crittenden <rcritten@redhat.com> 2010-10-25 17:58:37 -0400
committer: Adam Young <ayoung@redhat.com> 2010-11-01 14:15:42 -0400
commit: 813dfe501348a671eeb3655cc7406c8e37a3860c (patch)
tree: 419a3d28ec0112aa00217c8e866152aa3f6391e3 /ipalib/plugins/pwpolicy.py
parent: aff2816d2021a5c15dfb93bfb78263f41992582a (diff)
download: freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.gz
freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.xz
freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.zip
1 files changed, 34 insertions, 15 deletions
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 89347361..53989def 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -63,6 +63,7 @@ from ipalib import api
 from ipalib import Int, Str
 from ipalib.plugins.baseldap import *
 from ipalib import _
+from ipapython.ipautil import run
 
 class cosentry(LDAPObject):
     """
@@ -154,8 +155,7 @@ class cosentry_find(LDAPSearch):
 api.register(cosentry_find)
 
 
-GLOBAL_POLICY_NAME = u'GLOBAL'
-
+global_policy_dn = 'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)
 
 class pwpolicy(LDAPObject):
     """
@@ -168,7 +168,37 @@ class pwpolicy(LDAPObject):
     default_attributes = [
         'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
         'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
+        'krbpwdmaxfailure', 'krbpwdfailurecountinterval',
+        'krbpwdlockoutduration',
     ]
+    has_lockout = False
+    lockout_params = ()
+    (stdout, stderr, rc) = run(['klist', '-V'], raiseonerr=False)
+    if rc == 0:
+        if stdout.find('version 1.8') > -1:
+            has_lockout = True
+
+    if has_lockout:
+        lockout_params = (
+            Int('krbpwdmaxfailure?',
+                cli_name='maxfail',
+                label=_('Max failures'),
+                doc=_('Consecutive failures before lockout'),
+                minvalue=0,
+            ),
+            Int('krbpwdfailurecountinterval?',
+                cli_name='failinterval',
+                label=_('Failure reset interval'),
+                doc=_('Period after which failure count will be reset (seconds)'),
+                minvalue=0,
+            ),
+            Int('krbpwdlockoutduration?',
+                cli_name='lockouttime',
+                label=_('Lockout duration'),
+                doc=_('Period for which lockout is enforced (seconds)'),
+                minvalue=0,
+            ),
+        )
 
     label = _('Password Policy')
 
@@ -216,14 +246,14 @@ class pwpolicy(LDAPObject):
             doc=_('Priority of the policy (higher number means lower priority'),
             minvalue=0,
         ),
-    )
+    ) + lockout_params
 
     def get_dn(self, *keys, **options):
         if keys[-1] is not None:
             return self.backend.make_dn_from_attr(
                 self.primary_key.name, keys[-1], self.container_dn
             )
-        return self.api.env.container_accounts
+        return global_policy_dn
 
     def convert_time_for_output(self, entry_attrs, **options):
         # Convert seconds to hours and days for displaying to user
@@ -348,8 +378,6 @@ class pwpolicy_mod(LDAPUpdate):
         if not options.get('raw', False):
             if options.get('cospriority') is not None:
                 entry_attrs['cospriority'] = [unicode(options['cospriority'])]
-            if keys[-1] is None:
-                entry_attrs['cn'] = GLOBAL_POLICY_NAME
         self.obj.convert_time_for_output(entry_attrs, **options)
         return dn
 
@@ -394,8 +422,6 @@ class pwpolicy_show(LDAPRetrieve):
                         entry_attrs['cospriority'] = cos_entry['cospriority']
                 except errors.NotFound:
                     pass
-            else:
-                entry_attrs['cn'] = GLOBAL_POLICY_NAME
         self.obj.convert_time_for_output(entry_attrs, **options)
         return dn
 
@@ -418,13 +444,6 @@ class pwpolicy_find(LDAPSearch):
                 except errors.NotFound:
                     pass
                 self.obj.convert_time_for_output(e[1], **options)
-        if not args[-1]:
-            global_entry = self.api.Command.pwpolicy_show(
-                all=options.get('all', False), raw=options.get('raw', False)
-            )['result']
-            dn = global_entry['dn']
-            del global_entry['dn']
-            entries.insert(0, (dn, global_entry))
 
 api.register(pwpolicy_find)
author	Rob Crittenden <rcritten@redhat.com>	2010-10-25 17:58:37 -0400
committer	Adam Young <ayoung@redhat.com>	2010-11-01 14:15:42 -0400
commit	813dfe501348a671eeb3655cc7406c8e37a3860c (patch)
tree	419a3d28ec0112aa00217c8e866152aa3f6391e3 /ipalib/plugins/pwpolicy.py
parent	aff2816d2021a5c15dfb93bfb78263f41992582a (diff)
download	freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.gz freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.tar.xz freeipa-813dfe501348a671eeb3655cc7406c8e37a3860c.zip