ipa/0004-password-policy-Add-explicit-default-password-policy.patch

From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
 hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
---
 install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
 install/updates/Makefile.am                       |   1 +
 ipaserver/install/service.py                      |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -24,6 +24,7 @@ app_DATA =				\
 	20-winsync_index.update		\
 	20-idoverride_index.update	\
 	20-uuid.update  \
+	20-default_password_policy.update \
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -245,6 +245,7 @@ class Service(object):
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         api.Backend.ldap2.delete_entry(entry)
--
2.7.4