From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
 hosts and services
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
 install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
 install/updates/Makefile.am                       |   1 +
 ipaserver/install/service.py                      |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
53a374
new file mode 100644
53a374
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
53a374
--- /dev/null
53a374
+++ b/install/updates/20-default_password_policy.update
53a374
@@ -0,0 +1,133 @@
53a374
+# Default password policies for hosts, services and Kerberos services
53a374
+# Setting all attributes to zero effectively disables any password policy
53a374
+# We can do this because hosts and services uses keytabs instead of passwords
53a374
+
53a374
+# hosts
53a374
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
53a374
+default:objectClass: krbPwdPolicy
53a374
+default:objectClass: nsContainer
53a374
+default:objectClass: top
53a374
+default:cn: Default Host Password Policy
53a374
+default:krbMinPwdLife: 0
53a374
+default:krbPwdMinDiffChars: 0
53a374
+default:krbPwdMinLength: 0
53a374
+default:krbPwdHistoryLength: 0
53a374
+default:krbMaxPwdLife: 0
53a374
+default:krbPwdMaxFailure: 0
53a374
+default:krbPwdFailureCountInterval: 0
53a374
+default:krbPwdLockoutDuration: 0
53a374
+
53a374
+# services
53a374
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
53a374
+default:objectClass: krbPwdPolicy
53a374
+default:objectClass: nsContainer
53a374
+default:objectClass: top
53a374
+default:cn: Default Service Password Policy
53a374
+default:krbMinPwdLife: 0
53a374
+default:krbPwdMinDiffChars: 0
53a374
+default:krbPwdMinLength: 0
53a374
+default:krbPwdHistoryLength: 0
53a374
+default:krbMaxPwdLife: 0
53a374
+default:krbPwdMaxFailure: 0
53a374
+default:krbPwdFailureCountInterval: 0
53a374
+default:krbPwdLockoutDuration: 0
53a374
+
53a374
+# kerberos policy container
53a374
+# this is necessary to avoid mixing the Kerberos sevice password policy
53a374
+# with group-membership based user password policies
53a374
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:objectClass: nsContainer
53a374
+default:objectClass: top
53a374
+default:cn: Kerberos Service Password Policy
53a374
+
53a374
+# kerberos services
53a374
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:objectClass: krbPwdPolicy
53a374
+default:objectClass: nsContainer
53a374
+default:objectClass: top
53a374
+default:cn: Default Kerberos Service Password Policy
53a374
+default:krbMinPwdLife: 0
53a374
+default:krbPwdMinDiffChars: 0
53a374
+default:krbPwdMinLength: 0
53a374
+default:krbPwdHistoryLength: 0
53a374
+default:krbMaxPwdLife: 0
53a374
+default:krbPwdMaxFailure: 0
53a374
+default:krbPwdFailureCountInterval: 0
53a374
+default:krbPwdLockoutDuration: 0
53a374
+
53a374
+# default password policies for hosts, services and kerberos services
53a374
+# cosPriority is set intentionally to higher number than FreeIPA API allows
53a374
+# to set to ensure that these password policies have always lower priority
53a374
+# than any defined by user.
53a374
+
53a374
+# hosts
53a374
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: nsContainer
53a374
+default:cn: cosTemplates
53a374
+
53a374
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: cosTemplate
53a374
+default:objectclass: extensibleObject
53a374
+default:objectclass: krbContainer
53a374
+default:cn: Default Password Policy
53a374
+default:cosPriority: 10000000000
53a374
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
53a374
+
53a374
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
53a374
+default:description: Default Password Policy for Hosts
53a374
+default:objectClass: top
53a374
+default:objectClass: ldapsubentry
53a374
+default:objectClass: cosSuperDefinition
53a374
+default:objectClass: cosPointerDefinition
53a374
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
53a374
+default:cosAttribute: krbPwdPolicyReference default
53a374
+
53a374
+# services
53a374
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: nsContainer
53a374
+default:cn: cosTemplates
53a374
+
53a374
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: cosTemplate
53a374
+default:objectclass: extensibleObject
53a374
+default:objectclass: krbContainer
53a374
+default:cn: Default Password Policy
53a374
+default:cosPriority: 10000000000
53a374
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
53a374
+
53a374
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
53a374
+default:description: Default Password Policy for Services
53a374
+default:objectClass: top
53a374
+default:objectClass: ldapsubentry
53a374
+default:objectClass: cosSuperDefinition
53a374
+default:objectClass: cosPointerDefinition
53a374
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
53a374
+default:cosAttribute: krbPwdPolicyReference default
53a374
+
53a374
+# kerberos services
53a374
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: nsContainer
53a374
+default:cn: cosTemplates
53a374
+
53a374
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:objectclass: top
53a374
+default:objectclass: cosTemplate
53a374
+default:objectclass: extensibleObject
53a374
+default:objectclass: krbContainer
53a374
+default:cn: Default Password Policy
53a374
+default:cosPriority: 10000000000
53a374
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+
53a374
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:description: Default Password Policy for Kerberos Services
53a374
+default:objectClass: top
53a374
+default:objectClass: ldapsubentry
53a374
+default:objectClass: cosSuperDefinition
53a374
+default:objectClass: cosPointerDefinition
53a374
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
53a374
+default:cosAttribute: krbPwdPolicyReference default
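Review bot: The comments in the new update file carry two typos that should be fixed before this lands: the header line should read `# We can do this because hosts and services use keytabs instead of passwords`, and the container comment should read `# this is necessary to avoid mixing the Kerberos service password policy`. Attribute names alternate between `objectClass` (policy and cosPointerDefinition entries) and `objectclass` (cosTemplates entries); LDAP attribute types are case-insensitive so this is cosmetic, but one spelling throughout would read better. Since every counter in the three krbPwdPolicy entries is 0, the lockout-related values deserve an explicit comment so a later reader does not treat them as an oversight, e.g. `# krbPwdMaxFailure/krbPwdLockoutDuration 0: lockout is deliberately off, these principals authenticate with keytabs`. Because each cosAttribute uses the `default` qualifier, an entry that already carries its own krbPwdPolicyReference presumably keeps it and these templates only fill the gap; that precedence is worth stating next to the cosPriority comment.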
53a374
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
53a374
index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
53a374
--- a/install/updates/Makefile.am
53a374
+++ b/install/updates/Makefile.am
53a374
@@ -23,6 +23,7 @@ app_DATA =				\
53a374
 	20-winsync_index.update		\
53a374
 	20-idoverride_index.update	\
53a374
 	20-uuid.update  \
53a374
+	20-default_password_policy.update \
53a374
 	21-replicas_container.update	\
53a374
 	21-ca_renewal_container.update	\
53a374
 	21-certstore_container.update	\
53a374
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
53a374
index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
53a374
--- a/ipaserver/install/service.py
53a374
+++ b/ipaserver/install/service.py
53a374
@@ -252,6 +252,7 @@ class Service(object):
53a374
             # There is no service in the wrong location, nothing to do.
53a374
             # This can happen when installing a replica
53a374
             return None
53a374
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
53a374
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
53a374
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
53a374
         self.admin_conn.delete_entry(entry)
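Review bot: The added `entry.pop('krbpwdpolicyreference', None)` drops the attribute unconditionally, so if the misplaced service entry carried an explicitly set (non-virtual) policy reference, it would be lost on the move as well; the entry as read does not distinguish a CoS-supplied value from a real one. If that case is acceptable it should be stated rather than implied by "virtual attr", e.g. `# drop krbPwdPolicyReference: CoS supplies it on the old entry; an explicit value is intentionally not carried over to the new DN`. If it is not acceptable, the value could be kept when it differs from the CoS default, though that would need a lookup this method does not currently do. The enclosing method starts and ends outside this hunk.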
53a374
-- 
2.10.2