-rw-r--r-- | install/updates/20-default_password_policy.update | 133 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/service.py | 1 |
3 files changed, 135 insertions, 0 deletions
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000000000..b1f9754a9
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a80256f02..e8a55e173 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -24,6 +24,7 @@ app_DATA = \
 	20-winsync_index.update \
 	20-idoverride_index.update \
 	20-uuid.update \
+	20-default_password_policy.update \
 	21-replicas_container.update \
 	21-ca_renewal_container.update \
 	21-certstore_container.update \
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4cc7012f6..6451f92f0 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
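Review bot: The header comment says zeroing every attribute "disables any password policy" but does not call out that `krbPwdMaxFailure: 0` and `krbPwdLockoutDuration: 0` also switch off failed-authentication lockout for host, service and Kerberos service principals, which is the one part of the policy that is not about password quality; the justification given (these principals use keytabs, not passwords) should be stated next to those attributes so a later reader does not "fix" them, e.g. `# krbPwdMaxFailure/krbPwdLockoutDuration 0: no lockout; acceptable only because these principals authenticate with keytabs`. The comment before the Kerberos policy container has a typo, `sevice` → `service`. Attribute names alternate between `objectClass` and `objectclass` across entries; LDAP matches them case-insensitively, but one spelling would make the file easier to grep and diff. It is worth confirming that the directory server orders `cosPriority: 10000000000` as intended, since the comment relies on it always losing to any user-defined priority.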
@@ -245,6 +245,7 @@ class Service(object):
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         api.Backend.ldap2.delete_entry(entry)
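Review bot: The comment on the added `entry.pop('krbpwdpolicyreference', None)` says only "virtual attr" and should say why dropping it matters: the new update file publishes this attribute through CoS with the `default` qualifier, under which a real attribute on the entry takes precedence, so copying the value into the relocated entry would pin the service to the policy it happened to resolve at the old location instead of the CoS-derived one. Suggested comment: `# krbPwdPolicyReference is CoS-provided (20-default_password_policy.update); a real copy would override the CoS default`. The pop uses an all-lowercase key, which presumably relies on the entry object matching attribute names case-insensitively — verify, since a value returned under the camel-cased name would otherwise survive and be copied. The enclosing method starts and ends outside this hunk.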