[Freeipa-devel] per-group password policy proposal

Simo Sorce ssorce at redhat.com
Wed Jun 17 15:37:45 UTC 2009 

On Wed, 2009-06-17 at 10:15 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2009-06-10 at 17:38 -0400, Rob Crittenden wrote:
> >> One feature we want to add to v2 is per-group password policy. The IPA 
> >> password policy is implemented completely separately from the DS 
> >> password policy (because it is the KDC that does the enforcement, AFAICT).
> >>
> >> Currently it finds the password policy by searching the base for 
> >> objectClass=krbPwdPolicy.
> >>
> >> What I propose is to leave that, it will become the "global" password 
> >> policy, and add an search before that to look for the pwdpolicysubentry 
> >> attribute in the user.
> > 
> > The only parts that enforce password policy in freeipa re really
> > kadmin.local and our password plugin. Initially we decide to go for the
> > MIT schema because we were unsure about letting kadmin run (it would
> > obey only the MIT krb schema). 
> > But since we decided not to allow kadmin, and since kadmin.local is used
> > only to manage keytabs in the bootstrap process and in emergency cases,
> > I think we can easily drop that schema and fully embrace the DS one.
> 
> Ok, I've been reading some code and it looks relatively straightforward, 
> but I do have a couple of questions.
> 
> What enforces an expired password? I assume the KDC currently does this 
> enforcement. Do we want 389 doing this instead, using 
> passwordExpirationTime? There are some special cases in the current code 
> so I'm not sure if that still would apply.

We should still store expiration times also in the attributes the KDC
knows about, or we need to patch the ldap driver to look at the DS
policy attributes.

> If we switch to the 389 password policy we may inherit certain 
> capabilities and not necessarily in a good way. Password retry counts, 
> for example, will be enforced by the server itself.

Not sure how that would work, the KDC doesn't tell DS anything about
retries. Or am I missing something/misunderstanding here ?

> I'm mostly concerned about where we will store the policies vs where the 
> server will look for them. It could be that this sort of thing doesn't 
> get applied evenly because we may end up storing it differently. I still 
> have a lot of code to read.

Keep the questions coming, we need to make sure we don't forget any
feature while transitioning :-)

> > It will require some work in the password plugin but nothing mind
> > blowing.
> 
> Depends on your perspective I suppose :-)

I guess so :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list