path: root/install/updates/20-default_password_policy.update
blob: b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce (plain)
# Default password policies for hosts, services and Kerberos services
# Setting all attributes to zero effectively disables any password policy
# We can do this because hosts and services use keytabs instead of passwords
#
# File format: FreeIPA LDAP update file (ipa-ldap-updater), not LDIF or YAML.
# $SUFFIX and $REALM are substituted by the updater at install/upgrade time.
# The "default:" prefix presumably means the value is only applied when the
# attribute is not already present, so local admin changes survive upgrades
# -- confirm against the update-file format documentation.
#
# Security note: a zeroed krbPwdPolicy means no minimum length/age, no
# history, no expiry (krbMaxPwdLife) and no lockout (krbPwdMaxFailure).
# That is only acceptable for principals that authenticate with random
# keytab keys; never point a user entry at one of these policies.

# hosts
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Host Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
# 0 failures before lockout == lockout disabled for host principals
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0

# services
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
# 0 failures before lockout == lockout disabled for service principals
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0

# kerberos policy container
# this is necessary to avoid mixing the Kerberos service password policy
# with group-membership based user password policies
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: Kerberos Service Password Policy

# kerberos services
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Kerberos Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
# 0 failures before lockout == lockout disabled for Kerberos service principals
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0

# default password policies for hosts, services and kerberos services
# cosPriority is set intentionally to higher number than FreeIPA API allows
# to set to ensure that these password policies have always lower priority
# than any defined by user.
#
# Mechanism: each subtree gets a 389-DS Class of Service (CoS) pair -- a
# cosTemplate carrying krbPwdPolicyReference and a cosPointerDefinition that
# injects it into entries under the subtree. In CoS a *lower* cosPriority
# wins, so 10000000000 guarantees that any admin-created template loses
# nothing to these defaults. The "default" qualifier on cosAttribute means
# the CoS value is supplied only when the entry has no krbPwdPolicyReference
# of its own, so an explicitly assigned policy always takes precedence.

# hosts
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
# deliberately out of the range the FreeIPA API accepts; see note above
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX

dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
default:description: Default Password Policy for Hosts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
# "default" qualifier: only fills krbPwdPolicyReference when the entry lacks one
default:cosAttribute: krbPwdPolicyReference default

# services
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
# deliberately out of the range the FreeIPA API accepts; see note above
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX

dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
default:description: Default Password Policy for Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
# "default" qualifier: only fills krbPwdPolicyReference when the entry lacks one
default:cosAttribute: krbPwdPolicyReference default

# kerberos services
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates

dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
# deliberately out of the range the FreeIPA API accepts; see note above
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX

dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:description: Default Password Policy for Kerberos Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
# "default" qualifier: only fills krbPwdPolicyReference when the entry lacks one
default:cosAttribute: krbPwdPolicyReference default