From e74cfcc96e0f7c43303b4121683c3d1b3594ce3a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Apr 28 2020 11:13:19 +0000
Subject: Define default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP.
Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
index b1f9754..d332d2e 100644
--- a/install/updates/20-default_password_policy.update
+++ b/install/updates/20-default_password_policy.update
@@ -1,6 +1,9 @@
-# Default password policies for hosts, services and Kerberos services
-# Setting all attributes to zero effectively disables any password policy
-# We can do this because hosts and services uses keytabs instead of passwords
+# Default password policies for hosts, services, system accounts, and
+# Kerberos services
+# Setting all attributes to zero effectively disables any password policy.
+# We can do this because hosts and services uses keytabs instead of
+# passwords. System accounts with krbPrincipalAux objectClass also use
+# keytabs.
 
 # hosts
 dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
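Review bot: The rewritten header comment keeps the agreement error `hosts and services uses keytabs` on the new side; since these lines are being rewritten anyway, `# We can do this because hosts and services use keytabs instead of` would fix it. The header also now presents system accounts under the "all attributes set to zero" statement, while the policy added later in this file for cn=sysaccounts,cn=etc deliberately keeps a non-zero krbPwdMinLength; one qualifying line such as `# (the system accounts policy below keeps a minimum password length)` would keep the header accurate for the next reader.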
@@ -55,7 +58,24 @@ default:krbPwdMaxFailure: 0
 default:krbPwdFailureCountInterval: 0
 default:krbPwdLockoutDuration: 0
 
-# default password policies for hosts, services and kerberos services
+# system accounts
+# Contrary to the other policies this policy has a minimum password length.
+dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default System Accounts Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 8
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services, system accounts, and
+# kerberos services
 # cosPriority is set intentionally to higher number than FreeIPA API allows
 # to set to ensure that these password policies have always lower priority
 # than any defined by user.
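Review bot: The new "Default System Accounts Password Policy" sets krbPwdMaxFailure, krbPwdLockoutDuration and krbMaxPwdLife to 0, so for a system account that carries a plain LDAP password (the case the commit message names as the reason for krbPwdMinLength) there is no lockout and no expiry in this policy, and the 8-character minimum is the only control it applies. That is presumably intended so keytab-based accounts are never blocked, but the comment only says the policy "has a minimum password length" and does not record the trade-off; I would extend it to `# Lockout, history and expiry stay disabled (0) so keytab-based system accounts are never blocked; password-based system accounts are protected by the minimum length only.` Whether the lockout counters would apply to simple binds of these accounts at all is not visible from this file, so the comment should state the intent rather than a guarantee.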
@@ -131,3 +151,27 @@ default:objectClass: cosSuperDefinition
 default:objectClass: cosPointerDefinition
 default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
 default:cosAttribute: krbPwdPolicyReference default
+
+# system accounts
+dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+
+dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
+default:description: Default Password Policy for System Accounts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
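Review bot: The cosSuperDefinition at cn=Default Password Policy,cn=sysaccounts,cn=etc scopes the new policy to the whole cn=sysaccounts,cn=etc subtree, so on upgrade every existing system account picks up this krbPwdPolicyReference, not only the krbPrincipalAux accounts the commit message is about; the `default` qualifier on cosAttribute means, as I read 389-ds CoS semantics, that an entry which already carries an explicit krbPwdPolicyReference keeps its own value, but that and the change of effective policy for existing password-based accounts deserve a line in the `# system accounts` comment, e.g. `# Applies to every entry below cn=sysaccounts,cn=etc; an explicit krbPwdPolicyReference on an entry takes precedence.` As a point of style, the two template entries spell the attribute `objectclass` while the definition entry and the surrounding context lines use `objectClass`; the server treats them the same, but matching the file's spelling keeps searches for the attribute consistent.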