From 813dfe501348a671eeb3655cc7406c8e37a3860c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 25 Oct 2010 17:58:37 -0400 Subject: Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51 --- install/share/default-pwpolicy.ldif | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 install/share/default-pwpolicy.ldif (limited to 'install/share/default-pwpolicy.ldif') diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif new file mode 100644 index 00000000..9d3d8a75 --- /dev/null +++ b/install/share/default-pwpolicy.ldif @@ -0,0 +1,14 @@ +dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +objectClass: krbPwdPolicy +krbMinPwdLife: 3600 +krbPwdMinDiffChars: 0 +krbPwdMinLength: 8 +krbPwdHistoryLength: 0 +krbMaxPwdLife: 7776000 +krbPwdMaxFailure: 3 +krbPwdFailureCountInterval: 60 +krbPwdLockoutDuration: 10 + -- cgit
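Review bot: the lockout values in this new file are easy to misread because the LDIF carries no unit comments and the commit message only says "a period of time": in the MIT kdb LDAP schema krbMinPwdLife, krbMaxPwdLife, krbPwdFailureCountInterval and krbPwdLockoutDuration are all seconds, so `krbMinPwdLife: 3600` is one hour, `krbMaxPwdLife: 7776000` is 90 days, and `krbPwdMaxFailure: 3` with `krbPwdFailureCountInterval: 60` and `krbPwdLockoutDuration: 10` locks an account for only ten seconds after three failures within a minute. Ten seconds slows an online guessing attempt very little; please confirm that value is intended rather than a minutes-or-hours figure written in the wrong unit, and add a comment line per attribute stating the unit so later edits to this default do not repeat the mistake. Two further points on the same hunk: `krbPwdMinDiffChars: 0` and `krbPwdHistoryLength: 0` disable character-class and password-reuse checks in the global policy, which the commit message does not mention and which deserves an explicit note since every user now inherits this entry via krbpwdpolicyreference; and the file ends with a bare `+` line, a trailing blank line that is harmless to ldapmodify but can be dropped.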