[Freeipa-devel] per-group password policy proposal

Sergei V. Kovylov serejka at gmail.com
Fri Jun 12 14:16:03 UTC 2009


Hi all again.
As for the usage of CoS and the user's understanding: we must understand
that CoS is just an underlayer of IPA and the user has no idea what it
is. In other words, the user has some virtual term, like policy/security
group, user group etc., and what is under this term is out of the
administrator's mind, only for deep structure understanding if needed.
In such a case you are free to use any mechanism in the back-end to
provide the necessary functionality. Usage of CoS just provides one such
mechanism and gives you an opportunity not to overload the server with
requests.
So for a default password policy across the entire LDAP tree, in my
opinion, a pointer CoS with "Does not override target entry attribute"
on the top DN of the tree (e.g. dc=domain,dc=dom) will do. Moreover such
a mechanism doesn't require creating any attribute inside an
object/user/group entry, and any definition of the attribute
automatically removes the default policy because of the pre-defined
restriction "not to override the user's entry attribute". Such a
mechanism is also a good solution for "policy per sub-tree".

So maybe it will be a good solution to create some types of group:
1. Policy/Security group, which will store some pre-defined
security/configuration data (like password policy, user creation
policy, user HBA policy etc.). It's just a virtual group and has under
it a role with the necessary actions.
2. User's group, which will provide an opportunity of grouping
accounts under some circumstance.

Also, according to the doc about DS 8.0, the term "groups" is kept for
compatibility mode, and for the rest it offers to use roles. Also it's
necessary to control the count of special policy attributes:
<min length> = <count of digits> + <count of chars (capital,
lower-case)> + <count of special chars> <= <max. length>
And in a policy combination use MAX(min.pol1, min.pol2) and
MAX(max.pol1, max.pol2) (min - min. length of polX, max - max. length
of polX) and MIN(attr.pol1, attr.pol2) (attr - an attribute like the
count of something of polX). We don't need to take care of existing
users' passwords, just new ones.

3. Do not allow the use of policy combination.

<skipped>
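The length constraint and the MAX/MIN combination rule from the post above, carried through as an added example (not code from the post or from FreeIPA); the policy record, its attribute names and the two sample policies are constructed here and do not correspond to IPA's schema:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy record; field names are assumptions, not IPA schema."""
    min_length: int
    max_length: int
    min_digits: int
    min_letters: int   # upper- and lower-case letters counted together, as in the post
    min_special: int


def is_consistent(p: PasswordPolicy) -> bool:
    # The post's constraint: the per-class counts must fit inside min_length,
    # and min_length must not exceed max_length.
    required = p.min_digits + p.min_letters + p.min_special
    return required <= p.min_length <= p.max_length


def combine(p1: PasswordPolicy, p2: PasswordPolicy) -> PasswordPolicy:
    # MAX for both lengths, MIN for the per-class counts, exactly as proposed.
    return PasswordPolicy(
        min_length=max(p1.min_length, p2.min_length),
        max_length=max(p1.max_length, p2.max_length),
        min_digits=min(p1.min_digits, p2.min_digits),
        min_letters=min(p1.min_letters, p2.min_letters),
        min_special=min(p1.min_special, p2.min_special),
    )


def violations(password: str, p: PasswordPolicy) -> list:
    """Rules a *new* password breaks; existing passwords are not re-checked."""
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    special = len(password) - digits - letters
    found = []
    if len(password) < p.min_length:
        found.append("too short")
    if len(password) > p.max_length:
        found.append("too long")
    if digits < p.min_digits:
        found.append("too few digits")
    if letters < p.min_letters:
        found.append("too few letters")
    if special < p.min_special:
        found.append("too few special chars")
    return found


# Constructed sample policies: a group policy and a sub-tree default.
GROUP_POLICY = PasswordPolicy(8, 16, 2, 4, 1)
TREE_POLICY = PasswordPolicy(10, 20, 1, 6, 2)
```

Note that MIN over the per-class counts makes the combined policy weaker than either input on those counts, while MAX over the lengths makes it stricter on length; a practitioner should check `is_consistent` on the result before applying it.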
