author | Simo Sorce <ssorce@redhat.com> | 2011-06-08 17:21:23 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-08-26 08:24:50 -0400 |
commit | 195a65d5c2b2f2a318225a94e734ec41cdc34b1d (patch) | |
tree | d7caf2d0167f99c63cdd74063c1ff0f5f92700da /install/share/kerberos.ldif | |
parent | 35e15f6c91be21715d33ae0f06b5629f63289e8f (diff) | |
ipa-kdb: Change install to use the new ipa-kdb kdc backend
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
Diffstat (limited to 'install/share/kerberos.ldif')
-rw-r--r-- | install/share/kerberos.ldif | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index a4c603d8b..a40b63aa0 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -16,3 +16,42 @@ objectClass: top cn: kerberos aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+#Realm base object
+dn: cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+cn: $REALM
+objectClass: top
+objectClass: krbrealmcontainer
+objectClass: krbticketpolicyaux
+krbSubTrees: $SUFFIX
+krbSearchScope: 2
+krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
+krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
+krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
+krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
+krbMaxTicketLife: 86400
+krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special
+
+# Default password Policy
+dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: krbPwdPolicy
+krbMinPwdLife: 3600
+krbPwdMinDiffChars: 0
+krbPwdMinLength: 8
+krbPwdHistoryLength: 0
+krbMaxPwdLife: 7776000
+krbPwdMaxFailure: 6
+krbPwdFailureCountInterval: 60
+krbPwdLockoutDuration: 600
+ |
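Review bot: The `krbDefaultEncSaltTypes` values on the new realm entry include `des3-hmac-sha1:special` and `arcfour-hmac:special`, so newly created principals presumably get 3DES and RC4 keys stored next to their AES keys by default. If the legacy types are only needed for interoperability with older clients (an assumption, the commit message does not say), they can stay in `krbSupportedEncSaltTypes` while the defaults are limited to `krbDefaultEncSaltTypes: aes256-cts:special` and `krbDefaultEncSaltTypes: aes128-cts:special`. The `global_policy` entry also ships with `krbPwdHistoryLength: 0` and `krbPwdMinDiffChars: 0`, which leaves password history and character-class checks off. A comment above that entry saying these are deliberate install-time defaults, and that the lifetime and lockout values are in seconds, would help whoever tunes the policy later.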