In this post I am going to show you how to configure password policies on an OpenLDAP server. The ppolicy overlay module adds the server-side controls needed to enforce password policies (expiry, history, minimum length and lockout) across our OpenLDAP domain.
The ppolicy module and schema are installed by default with the openldap-servers package on CentOS 6.4.
Add the text below to /etc/openldap/slapd.conf: the moduleload line goes in the modules section, the rest at the end of the file.
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
# Uncomment the module in the modules section
moduleload ppolicy.la
# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# ACL Entry for Password Policies
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read
Convert the slapd.conf to cn=config format and re-initialize the slapd.d folder
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap1 ~]# slaptest -u
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Change the ownership of /etc/openldap/slapd.d/ to the ldap user
[root@ldap1 ~]# chown -R ldap. /etc/openldap/slapd.d/
Restart the slapd service
[root@ldap1 ~]# service slapd restart
Create an LDIF file with the details below
[root@ldap1 ~]# vim pwdpolicy.ldif
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in the Policies OU (the blank line above separates the two entries)
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Add the LDIF file you created to the DIT with the ldapadd command
[root@ldap1 ~]# ldapadd -x -D "cn=manager,dc=example,dc=com" -wredhat -f pwdpolicy.ldif
The password policy is now in effect for all accounts: the overlay applies this default policy to every entry that does not reference a policy of its own.
The attributes in the policy above mean the following:
pwdMaxAge: How long a user's password stays valid, in seconds; 3888000 seconds is 45 days.
pwdExpireWarning: How long before expiry the user starts receiving a warning, in seconds; 604800 seconds is 7 days.
pwdInHistory: Number of previous passwords kept in history; a user cannot reuse any password still in that history.
pwdCheckQuality: If it is 0, plain passwords are accepted without any check; if it is 1, the password must be complex, i.e. a combination of letters, numbers and special characters.
pwdMinLength: Minimum number of characters for a new password; here it cannot be shorter than 8 characters.
pwdMaxFailure: After 5 incorrect password attempts the account is locked.
pwdLockoutDuration: How long the account stays locked, in seconds; 86400 seconds is 1 day. This setting only takes effect when pwdLockout is set to TRUE.
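As an added example (not part of the original post), a small Python audit that parses the pwdPolicy entry above, converts the second-based values to days and flags settings weaker than the ones this post recommends. The sample LDIF is constructed from the entry above and the thresholds in audit_policy are my assumptions, not ppolicy defaults.

```python
# Constructed sample: the pwdPolicy entry from the post, embedded so this runs offline.
SAMPLE_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdGraceAuthNLimit: 0
"""

def parse_ldif_entry(text):
    """Minimal parser for one plain LDIF entry (no base64 or folded lines).
    Every attribute maps to a list so multi-valued attributes are preserved."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def seconds_to_days(seconds):
    """ppolicy stores durations in seconds; 86400 seconds is one day."""
    return seconds / 86400

def audit_policy(entry):
    """Return findings for settings weaker than this post's recommended values (assumed thresholds)."""
    def num(attr):
        return int(entry.get(attr, ["0"])[0])  # missing attribute behaves like 0
    findings = []
    if entry.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        findings.append("pwdLockout is not TRUE: failed binds never lock the account")
    elif num("pwdMaxFailure") == 0:
        findings.append("pwdMaxFailure is 0: lockout is enabled but never triggers")
    if num("pwdMinLength") < 8:
        findings.append("pwdMinLength is below 8")
    if num("pwdCheckQuality") == 0:
        findings.append("pwdCheckQuality is 0: new passwords are not checked")
    if num("pwdMaxAge") == 0:
        findings.append("pwdMaxAge is 0: passwords never expire")
    if num("pwdGraceAuthNLimit") > 0:
        findings.append("pwdGraceAuthNLimit allows binds after expiry")
    return findings

if __name__ == "__main__":
    policy = parse_ldif_entry(SAMPLE_LDIF)
    print("pwdMaxAge in days:", seconds_to_days(int(policy["pwdMaxAge"][0])))
    print(audit_policy(policy) or "no findings")
```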
For more information and settings on password policy please refer to this link below
http://www.zytrax.com/books/ldap/ch6/ppolicy.html