[Freeipa-devel] kerberos password policy

Rob Crittenden rcritten at redhat.com
Wed Aug 25 19:28:52 UTC 2010


Simo Sorce wrote:
> On Tue, 24 Aug 2010 10:19:05 -0400
> Rob Crittenden <rcritten at redhat.com> wrote:
>
>> I'm investigating the account lockout feature introduced in MIT krb5
>> 1.8.
>>
>> I've done some initial testing in F-14 (the first version of Fedora
>> it is available in). Initial results look ok but it is going to
>> require a change in the way we do password policy.
>>
>> Today we control a lot of it ourselves in the 389-ds password plugin.
>> We generate the expiration time value ourselves and do the type
>> enforcement. The plugin rather cleverly looks to see if there is a
>> krbpwdpolicyreference attribute in the user entry and if there is,
>> pulls the policy for that. If there isn't it crawls up the tree until
>> it finds an entry with objectclass=krbpwdpolicy. We currently store
>> our default password policy in cn=accounts, $SUFFIX.
>>
>> It appears that the KDC wants to use the policy found in
>> krbpwdpolicyreference so we're going to need one defined for all
>> users. The trick is having some sort of default.
>>
>> We currently do group password policy by using the 389-ds Class of
>> Service plugin. The krbpwdpolicyreference to use is derived based on
>> group membership.
>>
>> What I'm going to propose is to add a krbpwdpolicyreference to every
>> user pointing at cn=accounts, $SUFFIX. I then want to set the CoS
>> configuration for password to override so that the CoS value takes
>> priority over the value within the entry itself.
>>
>> This way our current policy management should work exactly the same.
>>
>> I think the only way you'd actually be able to see that there is a
>> default value when the user is a member of a group is if you dumped
>> the LDIF. I don't think this will introduce any confusion.
>>
>> Seem reasonable?
>
> Looks good to me.
>
> The only question I have is if you can explain why CoS should override
> per user policies. I do not have strong feelings either way but I'd
> like to know the reasoning.

The problem I'm solving is how to provide a default policy. I may be 
wrong but it seems that the KDC wants a krbpwdpolicyreference set to be 
able to find the policy. If I always set krbpwdpolicyreference pointing 
to some location (and actually, cn=accounts doesn't work. The policy 
must reside somewhere under cn=$REALM,cn=kerberos,CN=$SUFFIX) then 
that's where I get the default. It was simple enough to add this 
attribute when users are created.

Once a user is in a group which has a password policy then 
krbpwdpolicyreference will get overridden by CoS and point to the group's 
password policy. We could do something similar if we ever wanted to 
support per-user policy I suppose. It raises an interesting question 
actually: can we assign group policy to a MPG? (ticket #160)

There may be a way using CoS to get a default policy but we use the 
memberOf attribute as the CoS attribute so we'd need to create a 
password policy group to store the default policy and assign every 
single user to it. It seems bad to me. I did think about using ipausers 
for this purpose but that opens a new can of worms (such as what to do 
if a different group is chosen as the default users group).

rob
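The arrangement described in this exchange (a default krbpwdpolicyreference on every user, overridden through CoS by the policy reference carried on the user's group), as an added LDIF example that is not part of the original thread. $REALM, $SUFFIX, the policy names and the group name are placeholders, and user entries are assumed to carry memberOf as populated by the 389-ds memberOf plugin.

```ldif
# Added example, not from the original message. $REALM and $SUFFIX are
# placeholders; the policy names and the group are assumed.

# Default policy every new user is pointed at (under cn=$REALM,cn=kerberos).
dn: cn=default_policy,cn=$REALM,cn=kerberos,$SUFFIX
objectClass: top
objectClass: krbPwdPolicy
krbPwdMinLength: 8

# Stricter policy for one group.
dn: cn=admins_policy,cn=$REALM,cn=kerberos,$SUFFIX
objectClass: top
objectClass: krbPwdPolicy
krbPwdMinLength: 12

# Indirect CoS definition: each memberOf value on a user names a template
# entry (the group). "override" makes the CoS value win over the
# krbPwdPolicyReference stored in the user entry; "default" would let the
# entry's own value win, so the group policy would never apply.
dn: cn=Password Policy,cn=accounts,$SUFFIX
objectClass: top
objectClass: ldapSubEntry
objectClass: cosSuperDefinition
objectClass: cosIndirectDefinition
cosIndirectSpecifier: memberOf
cosAttribute: krbPwdPolicyReference override

# Group doubling as CoS template; lowest cosPriority wins for users in
# several policy groups.
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
objectClass: top
objectClass: groupOfNames
objectClass: cosTemplate
cn: admins
member: uid=alice,cn=users,cn=accounts,$SUFFIX
krbPwdPolicyReference: cn=admins_policy,cn=$REALM,cn=kerberos,$SUFFIX
cosPriority: 1

# User as created, with the default reference. Because alice is in
# cn=admins, a search returns the group's policy DN; the stored default
# is visible only in an LDIF dump.
dn: uid=alice,cn=users,cn=accounts,$SUFFIX
objectClass: top
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: alice
cn: Alice Example
sn: Example
krbPrincipalName: alice@$REALM
krbPwdPolicyReference: cn=default_policy,cn=$REALM,cn=kerberos,$SUFFIX
```

A user in no policy group has no matching template, so the CoS plugin returns nothing and the entry's own default reference is what the KDC sees.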
