[Freeipa-devel] kerberos password policy

Rob Crittenden rcritten at redhat.com
Tue Aug 24 14:19:05 UTC 2010


I'm investigating the account lockout feature introduced in MIT krb5 1.8.

I've done some initial testing in F-14 (the first version of Fedora it 
is available in). Initial results look ok but it is going to require a 
change in the way we do password policy.

Today we control a lot of it ourselves in the 389-ds password plugin. We 
generate the expiration time value ourselves and do the type 
enforcement. The plugin rather cleverly looks to see if there is a 
krbpwdpolicyreference attribute in the user entry and if there is, pulls 
the policy for that. If there isn't it crawls up the tree until it finds 
an entry with objectclass=krbpwdpolicy. We currently store our default 
password policy in cn=accounts, $SUFFIX.

It appears that the KDC wants to use the policy found in 
krbpwdpolicyreference so we're going to need one defined for all users. 
The trick is having some sort of default.

We currently do group password policy by using the 389-ds Class of 
Service plugin. The krbpwdpolicyreference to use is derived based on 
group membership.

What I'm going to propose is to add a krbpwdpolicyreference to every 
user pointing at cn=accounts, $SUFFIX. I then want to set the CoS 
configuration for password to override so that the CoS value takes 
priority over the value within the entry itself.

This way our current policy management should work exactly the same.

I think the only way you'd actually be able to see that there is a 
default value when the user is a member of a group is if you dumped the 
LDIF. I don't think this will introduce any confusion.

Seem reasonable?

rob
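As an added illustration of the proposal above (not from the post or from FreeIPA's own install LDIF): a user entry carrying the default reference, a 389-ds classic Class of Service definition whose `override` qualifier makes the group-derived value win over the attribute stored in the entry, and one template for a hypothetical `admins` group. The suffix `dc=example,dc=com`, the group and policy DNs, and a populated `memberOf` attribute on users are assumptions.

```ldif
# Constructed example; suffix dc=example,dc=com and all group/policy DNs are assumed.

# 1. Every user gets the default krbPwdPolicyReference pointing at cn=accounts,$SUFFIX.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPwdPolicyReference
krbPwdPolicyReference: cn=accounts,dc=example,dc=com

# 2. Classic CoS definition keyed on memberOf. "override" tells the CoS plugin
#    that the template-supplied value takes priority over the value physically
#    stored in the user entry, so the default above only applies when no
#    template matches (user is in no group with a policy).
dn: cn=Password Policy,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ldapSubEntry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: Password Policy
cosTemplateDn: cn=cosTemplates,cn=accounts,dc=example,dc=com
cosSpecifier: memberOf
cosAttribute: krbPwdPolicyReference override

# 3. Template for the hypothetical admins group. The template cn must equal the
#    group DN as it appears in memberOf, so the commas inside it are escaped in
#    the RDN. Lower cosPriority wins when a user is in several groups.
dn: cn=cn=admins\,cn=groups\,cn=accounts\,dc=example\,dc=com,cn=cosTemplates,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ldapSubEntry
objectClass: cosTemplate
objectClass: extensibleObject
cn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cosPriority: 1
krbPwdPolicyReference: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
```

Reading a member of the admins group back with `ldapsearch` returns the template's value for `krbPwdPolicyReference`, while an `ldif` dump of the database still shows the stored default, which is the one place the default becomes visible.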