[Freeipa-devel] kerberos password policy
Rob Crittenden
rcritten at redhat.com
Tue Aug 24 14:19:05 UTC 2010
I'm investigating the account lockout feature introduced in MIT krb5 1.8.
I've done some initial testing in F-14 (the first version of Fedora it
is available in). Initial results look ok but it is going to require a
change in the way we do password policy.
Today we control a lot of it ourselves in the 389-ds password plugin. We
generate the expiration time value ourselves and do the type
enforcement. The plugin rather cleverly looks to see if there is a
krbpwdpolicyreference attribute in the user entry and if there is, pulls
the policy for that. If there isn't it crawls up the tree until it finds
an entry with objectclass=krbpwdpolicy. We currently store our default
password policy in cn=accounts, $SUFFIX.
It appears that the KDC wants to use the policy found in
krbpwdpolicyreference so we're going to need one defined for all users.
The trick is having some sort of default.
We currently do group password policy by using the 389-ds Class of
Service plugin. The krbpwdpolicyreference to use is derived based on
group membership.
What I'm going to propose is to add a krbpwdpolicyreference to every
user pointing at cn=accounts, $SUFFIX. I then want to set the CoS
configuration for password to override so that the CoS value takes
priority over the value within the entry itself.
This way our current policy management should work exactly the same.
I think the only way you'd actually be able to see that there is a
default value when the user is a member of a group is if you dumped the
LDIF. I don't think this will introduce any confusion.
Seem reasonable?
rob
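To make the proposal concrete, here is an added example (not FreeIPA or 389-ds code, and not part of the original post) that models the two lookups the mail contrasts: the password plugin's search for a policy (krbPwdPolicyReference on the entry, otherwise walk up the tree to the nearest objectclass=krbPwdPolicy) and a classic Class of Service definition keyed on memberOf publishing krbPwdPolicyReference, resolved under the "default" qualifier versus the "override" qualifier. The suffix, group names, policy DNs, template container and user entries are all constructed for the demo; only cn=accounts,$SUFFIX as the default policy location comes from the mail.

```python
# Added example (not FreeIPA or 389-ds code): toy model of (1) the 389-ds
# password plugin's policy search and (2) classic CoS resolution of
# krbPwdPolicyReference under the "default" and "override" qualifiers.
# Suffix, group names, policy DNs and template container are assumptions.

SUFFIX = "dc=example,dc=com"                                        # assumed
ACCOUNTS = f"cn=accounts,{SUFFIX}"                                  # default policy (from the mail)
ADMINS = f"cn=admins,cn=groups,{ACCOUNTS}"                          # assumed group
EDITORS = f"cn=editors,cn=groups,{ACCOUNTS}"                        # assumed group
ADMINS_POLICY = f"cn=admins,cn=EXAMPLE.COM,cn=kerberos,{SUFFIX}"    # assumed
EDITORS_POLICY = f"cn=editors,cn=EXAMPLE.COM,cn=kerberos,{SUFFIX}"  # assumed


def user_dn(uid):
    return f"uid={uid},cn=users,{ACCOUNTS}"


# Constructed directory: attribute names lower-cased, multi-valued attributes
# as lists.  alice/bob already carry the proposed per-user default reference;
# carol/dave do not (the situation before the change).
DIRECTORY = {
    SUFFIX: {"objectclass": ["top", "domain"]},
    ACCOUNTS: {"objectclass": ["top", "nscontainer", "krbpwdpolicy"]},
    user_dn("alice"): {"memberof": [ADMINS, EDITORS], "krbpwdpolicyreference": ACCOUNTS},
    user_dn("bob"):   {"memberof": [],                "krbpwdpolicyreference": ACCOUNTS},
    user_dn("carol"): {"memberof": [EDITORS]},
    user_dn("dave"):  {"memberof": []},
}

# Classic CoS: the template is chosen by the entry's memberOf values.
COS_DEFINITION = {
    "cosspecifier": "memberof",
    "cosattribute": "krbpwdpolicyreference",
    "costemplatedn": f"cn=cosTemplates,{ACCOUNTS}",     # assumed container
}
# Templates keyed by raw specifier value.  A real server looks up the entry
# cn=<value>,<cosTemplateDn> (value RDN-escaped); keying on the value keeps
# DN escaping out of the demo.  Lower cosPriority wins for users in several groups.
COS_TEMPLATES = {
    ADMINS:  {"krbpwdpolicyreference": ADMINS_POLICY,  "cospriority": 0},
    EDITORS: {"krbpwdpolicyreference": EDITORS_POLICY, "cospriority": 5},
}


def parent_dn(dn):
    """Strip the leftmost RDN; naive split, so no escaped commas in this demo."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def cos_value(entry, definition=COS_DEFINITION, templates=COS_TEMPLATES):
    """Value the CoS would publish for the entry, None if no template matches."""
    attr = definition["cosattribute"]
    candidates = []
    for value in entry.get(definition["cosspecifier"], []):
        tmpl = templates.get(value)
        if tmpl is not None and attr in tmpl:
            candidates.append((tmpl.get("cospriority", float("inf")), tmpl[attr]))
    # 389-ds leaves equal priorities undefined; min() keeps the demo deterministic
    return min(candidates)[1] if candidates else None


def effective_value(dn, qualifier, directory=DIRECTORY):
    """What an LDAP client such as the KDC reads for krbPwdPolicyReference.

    default : a real value stored in the entry beats the CoS value
    override: the CoS value beats any real value stored in the entry
    """
    entry = directory[dn]
    real = entry.get(COS_DEFINITION["cosattribute"])
    virtual = cos_value(entry)
    if qualifier == "default":
        return real if real is not None else virtual
    if qualifier == "override":
        return virtual if virtual is not None else real
    raise ValueError(f"unsupported cosAttribute qualifier: {qualifier}")


def plugin_lookup(dn, qualifier="default", directory=DIRECTORY):
    """Policy DN the way the mail describes the password plugin finding it:
    the (CoS-resolved) reference on the entry if present, else the nearest
    ancestor with objectclass krbPwdPolicy."""
    ref = effective_value(dn, qualifier, directory)
    if ref is not None:
        return ref
    cur = parent_dn(dn)
    while cur is not None:
        ocs = [oc.lower() for oc in directory.get(cur, {}).get("objectclass", [])]
        if "krbpwdpolicy" in ocs:
            return cur
        cur = parent_dn(cur)
    return None


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave"):
        dn = user_dn(uid)
        print(uid, "plugin:", plugin_lookup(dn),
              "| kdc/default:", effective_value(dn, "default"),
              "| kdc/override:", effective_value(dn, "override"))
```

Running it shows the three situations the mail is reasoning about: dave (no group, no reference) gets cn=accounts from the plugin's tree walk but nothing from a plain attribute read, which is the gap for the KDC; alice, once given the per-user default reference, keeps the default under the "default" qualifier because the real attribute masks the group template, and only gets the admins policy under "override". In 389-ds the qualifier is the second token of the definition's cosAttribute value (krbPwdPolicyReference override), and a user in several groups is resolved by the lowest cosPriority.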