From 813dfe501348a671eeb3655cc7406c8e37a3860c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 25 Oct 2010 17:58:37 -0400
Subject: Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
---
 ipaserver/install/krbinstance.py | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'ipaserver/install/krbinstance.py')
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index e78155dc..d8a5eff2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -169,6 +169,7 @@ class KrbInstance(service.Service):
 self.step("adding default ACIs", self.__add_default_acis)
 self.step("configuring KDC", self.__create_instance)
 self.step("adding default keytypes", self.__add_default_keytypes)
+ self.step("adding default password policy", self.__add_default_pwpolicy)
 self.step("creating a keytab for the directory", self.__create_ds_keytab)
 self.step("creating a keytab for the machine", self.__create_host_keytab)
 self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
@@ -303,6 +304,9 @@ class KrbInstance(service.Service):
 def __add_default_keytypes(self):
 self._ldap_mod("default-keytypes.ldif", self.sub_dict)
+ def __add_default_pwpolicy(self):
+ self._ldap_mod("default-pwpolicy.ldif", self.sub_dict)
+
 def __create_replica_instance(self):
 self.__create_instance(replica=True)
-- 
cgit
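Review bot: `__add_default_pwpolicy` has no docstring, and nothing in the code records that the entry it loads is the one every user's krbpwdpolicyreference must resolve to; suggest adding `"""Load default-pwpolicy.ldif, which creates the global_policy entry the KDC resolves through krbpwdpolicyreference."""` directly under the new `def`. Since the description says every user entry now requires that attribute, a server on which this step never runs — an upgrade of an existing install, or a replica if its own step list (outside both hunks) does not include the step added in the first hunk — would leave the KDC with references it cannot resolve; that is worth a comment on the step in the first hunk, or a check in whatever upgrade path exists, neither of which this diff touches. The LDIF file itself is not part of the diff, so what it creates is taken from the description rather than the code. KrbInstance continues outside both hunks.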