From dac224c25a2ff8a1400d0a746f600f81cfad6901 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 2 Oct 2009 09:30:16 -0400
Subject: Add support for per-group kerberos password policy. Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups but with cospriority we can still make sense of things. The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN.
---
 install/share/bootstrap-template.ldif | 13 +++++++++++++
 1 file changed, 13 insertions(+) (limited to 'install')
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index e98c73b0..4c6e5575 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -204,3 +204,16 @@ dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+
+# templates for this cos definition are managed by the pwpolicy plugin
+dn: cn=Password Policy,cn=accounts,$SUFFIX
+changetype: add
+description: Password Policy based on group membership
+objectClass: top
+objectClass: ldapsubentry
+objectClass: cosSuperDefinition
+objectClass: cosClassicDefinition
+cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
+cosAttribute: krbPwdPolicyReference
+cosSpecifier: memberOf
+
-- cgit
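Review bot: The added `cosAttribute: krbPwdPolicyReference` line carries no qualifier, so the CoS-generated value acts only as a default and a real `krbPwdPolicyReference` stored on a user entry takes precedence over the group-derived policy. If group membership is meant to be authoritative, `cosAttribute: krbPwdPolicyReference override` would enforce that. Otherwise the ACIs on user entries, which this hunk does not show, need to keep that attribute unwritable by the users themselves so that nobody can point their own entry at a weaker policy. The template container `cn=cosTemplates,cn=accounts,$SUFFIX` is also not created in this hunk; presumably the pwpolicy plugin or another LDIF adds it, and a comment next to `cosTemplateDn` saying where would help.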