Monday, April 14, 2014

Implementing Password Policies in OpenLDAP Server On CentOS 6.4

In this post I am going to show you how to configure password policies in an OpenLDAP server. The ppolicy overlay module provides the functionality needed to enforce password policies within our OpenLDAP directory.

The ppolicy module and schema are installed by default with the openldap-servers package on CentOS 6.4.

Copy the text below into /etc/openldap/slapd.conf at the end of the file
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
# Uncomment the module in the modules section
moduleload ppolicy.la 
# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# ACL Entry for Password Policies
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read


Convert the slapd.conf to cn=config format and re-initialize the slapd.d folder
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap1 ~]# slaptest -u 
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Change the permissions on the /etc/openldap/slapd.d/ to ldap
[root@ldap1 ~]# chown -R ldap. /etc/openldap/slapd.d/ 


Restart the slapd service
[root@ldap1 ~]# service slapd restart 

Create an LDIF file with the details below
[root@ldap1 ~]# vim pwdpolicy.ldif
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies


# Creates a Policy object in Policies OU (Organizational Unit)
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
 

Add the LDIF file just created to the DIT using the ldapadd command
[root@ldap1 ~]# ldapadd -x -D "cn=manager,dc=example,dc=com" -wredhat -f pwdpolicy.ldif

The password policy is now turned on for all accounts.
 
The attributes in the policy definition above mean the following:
pwdMaxAge: how long a user's password stays valid, in seconds, i.e. 3888000 seconds (45 days)
pwdExpireWarning: how long before expiry the user is warned, i.e. 604800 seconds (7 days)
pwdInHistory: number of previous passwords kept in history; a user cannot reuse any of them (3 here)
pwdCheckQuality: if it is 0, plain passwords are accepted; if it is 1, the password should be complex, i.e. a combination of numbers, letters and special characters
pwdMinLength: the minimum number of characters a password must have; here it cannot be shorter than 8 characters
pwdMaxFailure: if a user enters an incorrect password 5 times, his/her account will be locked
pwdLockoutDuration: how long the account stays locked, i.e. 86400 seconds (1 day). This setting only takes effect if pwdLockout is set to TRUE
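Because ldapadd will happily load a pwdPolicy entry whose values contradict each other (a warning period longer than the maximum age, a lockout duration with lockout disabled), it is worth checking the LDIF before adding it. The following is an added example, not part of the original post: a small linter that parses a single LDIF entry and flags inconsistent or weak ppolicy settings. The attribute names are the real ppolicy schema attributes; the embedded sample entry is constructed from the values used above.

```python
# Added example (not from the original post): lint a pwdPolicy LDIF entry
# for inconsistent or weak settings before loading it with ldapadd.
from typing import Dict, List

# Constructed sample: the policy attributes from this post's entry.
DEFAULT_POLICY = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attr -> [values], skipping comments and blanks."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def check_ppolicy(entry: Dict[str, List[str]]) -> List[str]:
    """Return findings for inconsistent or weak pwdPolicy settings (empty = OK)."""
    def num(attr: str) -> int:          # integer attribute, 0 when absent
        return int(entry.get(attr, ["0"])[0])
    def flag(attr: str) -> bool:        # boolean attribute, FALSE when absent
        return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"
    findings: List[str] = []
    if "pwdPolicy" not in entry.get("objectClass", []):
        findings.append("missing objectClass pwdPolicy")
    if num("pwdMaxAge") and num("pwdExpireWarning") >= num("pwdMaxAge"):
        findings.append("pwdExpireWarning must be shorter than pwdMaxAge")
    if num("pwdMinLength") < 8:
        findings.append("pwdMinLength below 8")
    if num("pwdLockoutDuration") and not flag("pwdLockout"):
        findings.append("pwdLockoutDuration set but pwdLockout is FALSE")
    if flag("pwdLockout") and num("pwdMaxFailure") == 0:
        findings.append("pwdLockout TRUE but pwdMaxFailure 0: never locks")
    if flag("pwdMustChange") and not flag("pwdAllowUserChange"):
        findings.append("pwdMustChange TRUE but pwdAllowUserChange FALSE")
    return findings
```

Run check_ppolicy(parse_ldif_entry(open("pwdpolicy.ldif").read())) on your own file; an empty list means no findings.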

For more information and further password policy settings, please refer to the link below
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
