On Thu, 2018-07-12 at 15:08 -0400, Mark Reynolds via FreeIPA-devel
wrote:
> New Attributes to add to objectclass "krbPwdPolicy":
> 
>      krbPwdPalindrome: on
>      krbPwdMaxSequence: 4
>      krbPwdMaxSeqSets: 2
>      krbPwdMaxCharClass: 3
>      krbPwdMinDigits: 1
>      krbPwdMinAlphas: 1
>      krbPwdMinSpecial: 1
>      krbPwdMin8bit: 0
>      krbPwdMinUppers: 1
>      krbPwdMinLowers: 1
>      krbPwdMaxRepeated: 3
>      krbPwdDictCheck: on
>      krbPwdDictPath: /path/to/custom/cracklib/dict/files
>      krbPwdBadWords: redhat fedora
>      krbPwdUserAttrs: uid cn sn givenname mail
>      krbPwdMinTokenLength: 3   **works only with "krbPwdUserAttrs".  
> Example: if any 3 consecutive characters from "uid" (and friends) are
> in 
> the new password then it is rejected

Also note that we do not own the krbPwd namespace, the MIT krb5 project
 does. It would not be nice to squat on their namespace.

If you want to extend this you'll have to use the ipa namespace and OID
space (but I am really against adding more specialized ldap attributes
to do this stuff, it never ends and it is not a good interface to
set/enforce this kind of policy IMHO).

> 
> Implementation
> -------------------------------------------
> 
> Dictionary Checks require linking with CrackLib as follows:

Cracklib makes calls to getpwuid_r in some cases (to check the gecos
field ....) I am not sure that is desirable either ...

>      diff --git a/freeipa.spec.in b/freeipa.spec.in
>      index 0ebc6df3e..ba573a00f 100755
>      --- a/freeipa.spec.in
>      +++ b/freeipa.spec.in
>      @@ -148,6 +148,7 @@ BuildRequires:  libini_config-devel
>       BuildRequires:  cyrus-sasl-devel
>       %if ! %{ONLY_CLIENT}
>       BuildRequires:  389-ds-base-devel >= %{ds_version}
>      +BuildRequires:  cracklib-devel
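Review bot: the hunk adds only a build-time dependency (cracklib-devel) and no run-time one, yet krbPwdDictCheck/krbPwdDictPath need dictionary files present on the server at run time; the shared library itself will be picked up by rpm's automatic dependency generation once it is linked, but the dictionaries will not, so the server subpackage needs a matching `Requires:` on the dictionary package (cracklib-dicts on Fedora) or the default dictionary check will fail on a freshly installed server.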
> 
> 
>      diff --git a/util/Makefile.am b/util/Makefile.am
>      index be40e8699..5c24be2b9 100644
>      --- a/util/Makefile.am
>      +++ b/util/Makefile.am
>      @@ -14,3 +14,4 @@ libutil_la_SOURCES =  ipa_krb5.c \
>                                              ipa_pwd_ntlm.c
> 
>       libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) 
> $(NSS_LIBS)
>      +libutil_la_LDFLAGS = -lcrack
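Review bot: `libutil_la_LDFLAGS = -lcrack` hardcodes the library and bypasses configure; the line directly above already collects libraries via variables (`$(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(NSS_LIBS)`), so add a configure check (AC_CHECK_LIB or a pkg-config probe producing e.g. `CRACK_LIBS`) and append it to `libutil_la_LIBADD` instead; libraries belong in LIBADD, not LDFLAGS, and a missing libcrack should then fail at configure time with a clear message rather than at link time.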
> 
> 
> pam_pwquality is open sourced and has been ported to 389 Directory 
> Server.  The changes in 389 DS can basically be copied and pasted
> into 
> FreeIPA source (around ipapwd_CheckPolicy() in 
> daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c).  The major change 
> here is that we need to provide the Slapi_Entry to
> ipapwd_CheckPolicy() 
> so you can check its attributes/values for the "User Attribute" 
> comparison feature (I've actually already coded this in a beta
> patch).


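As an added example (not code from this thread, FreeIPA or 389-ds), the krbPwdUserAttrs/krbPwdMinTokenLength check described above written stand-alone in C: a password is rejected if any run of krbPwdMinTokenLength consecutive characters also occurs in one of the user's attribute values. The struct and function names are hypothetical and the sample entry is constructed; case-insensitive comparison is an assumption, not something the thread specifies.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical policy shape mirroring the proposed attributes. */
struct user_attr_policy {
    const char **values;   /* values of the attributes named in krbPwdUserAttrs */
    size_t nvalues;
    size_t min_token_len;  /* krbPwdMinTokenLength; 0 disables the check */
};

/* Returns true if password contains any min_token_len consecutive characters
 * taken from one of the user's attribute values (case-insensitive, assumed). */
bool pwd_contains_user_token(const struct user_attr_policy *p, const char *password)
{
    size_t n = p->min_token_len;
    if (n == 0 || password == NULL)
        return false;
    size_t plen = strlen(password);
    if (plen < n)
        return false;                       /* nothing long enough to match */
    for (size_t i = 0; i < p->nvalues; i++) {
        const char *v = p->values[i];
        size_t vlen = v ? strlen(v) : 0;
        if (vlen < n)
            continue;                       /* short value cannot yield a token */
        for (size_t off = 0; off + n <= vlen; off++)
            for (size_t poff = 0; poff + n <= plen; poff++)
                if (strncasecmp(v + off, password + poff, n) == 0)
                    return true;
    }
    return false;
}

/* Constructed sample entry: uid, cn, sn, givenname, mail (krbPwdUserAttrs). */
static const char *sample_values[] = {
    "mreynolds", "Mark Reynolds", "Reynolds", "Mark", "mreynolds@example.test"
};
static const struct user_attr_policy sample_policy = { sample_values, 5, 3 };

/* Applies the sample policy (krbPwdMinTokenLength: 3) to one password. */
bool sample_check(const char *password)
{
    return pwd_contains_user_token(&sample_policy, password);
}

int main(void)
{
    const char *pws[] = { "Secret-rey-1", "Tr0ub4dor&3", "xyMAR", "myexample1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s -> %s\n", pws[i], sample_check(pws[i]) ? "REJECT" : "ok");
    return 0;
}
```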
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/VX3TCGGL2NBN7ZT7XTQVZ2WVQUMHXFXZ/