diff options
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/20-default_password_policy.update | 133 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
2 files changed, 134 insertions, 0 deletions
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update new file mode 100644 index 000000000..b1f9754a9 --- /dev/null +++ b/install/updates/20-default_password_policy.update @@ -0,0 +1,133 @@ +# Default password policies for hosts, services and Kerberos services +# Setting all attributes to zero effectively disables any password policy +# We can do this because hosts and services uses keytabs instead of passwords + +# hosts +dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Host Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# services +dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# kerberos policy container +# this is necessary to avoid mixing the Kerberos sevice password policy +# with group-membership based user password policies +dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: nsContainer +default:objectClass: top +default:cn: Kerberos Service Password Policy + +# kerberos services +dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Kerberos Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# default password policies for hosts, services and kerberos services +# cosPriority is set intentionally to higher number than FreeIPA API allows +# to set to ensure that these password policies have always lower priority +# than any defined by user. + +# hosts +dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 10000000000 +default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX + +dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX +default:description: Default Password Policy for Hosts +default:objectClass: top +default:objectClass: ldapsubentry +default:objectClass: cosSuperDefinition +default:objectClass: cosPointerDefinition +default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:cosAttribute: krbPwdPolicyReference default + +# services +dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 10000000000 +default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX + +dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX +default:description: Default Password Policy for Services +default:objectClass: top +default:objectClass: ldapsubentry +default:objectClass: cosSuperDefinition +default:objectClass: cosPointerDefinition +default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX +default:cosAttribute: krbPwdPolicyReference default + +# kerberos services +dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 10000000000 +default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX + +dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:description: Default Password Policy for Kerberos Services +default:objectClass: top +default:objectClass: ldapsubentry +default:objectClass: cosSuperDefinition +default:objectClass: cosPointerDefinition +default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX +default:cosAttribute: krbPwdPolicyReference default diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index a80256f02..e8a55e173 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -24,6 +24,7 @@ app_DATA = \ 20-winsync_index.update \ 20-idoverride_index.update \ 20-uuid.update \ + 20-default_password_policy.update \ 21-replicas_container.update \ 21-ca_renewal_container.update \ 21-certstore_container.update \ |