Diffstat (limited to 'install/updates/20-default_password_policy.update')
-rw-r--r--install/updates/20-default_password_policy.update133
1 files changed, 133 insertions, 0 deletions
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000000000..b1f9754a9
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
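Review bot: The header comment at the top of the hunk explains that zeroing every attribute disables the policy, but it does not spell out that `krbPwdMaxFailure: 0` together with `krbPwdLockoutDuration: 0` also switches off failed-authentication lockout for host, service and Kerberos-service principals, so the safety of these three policies rests entirely on those principals authenticating with random keytab keys rather than anything a person chose. I would extend the comment to state that explicitly, e.g. `# Lockout is disabled too (krbPwdMaxFailure/krbPwdLockoutDuration = 0): these policies must only ever be referenced by principals whose keys are randomly generated keytabs, never by accounts with a human-chosen password.` The same rationale could be repeated, in one line, above the kerberos-services block so a reader landing there sees it. Two small wording fixes in the same hunk: `sevice` in the kerberos policy container comment should read `service`, and `hosts and services uses keytabs` should read `hosts and services use keytabs`. Finally, the cosTemplate entries write `objectclass` while every krbPwdPolicy and cosSuperDefinition entry writes `objectClass`; the directory treats attribute names case-insensitively, but using one spelling throughout the file makes it easier to grep and review.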