LDAP policies

From Essential
Jump to navigation Jump to search

How install LDAP password policies?

Requirement

  • To have the Ldap password (Keepass!)
  • Down time 1 hour

Stop all LDAP nodes

  • Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop

Node install

Backup

# Init
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"

MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz

# Action
echo -e $MySourceList |tar czvf "${MyBackup}" -T -

Check backup

ls -l "${MyBackup}"

Start LDAP

service corosync start
service pacemaker start

Install

# Init
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"

MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"

#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f  /tmp/$$.ldif

#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
  • Enter the Ldap password

Stop LDAP

service pacemaker stop
service corosync stop

Start all LDAP nodes

  • Prevent users from ending of maintenance.
service corosync start
service pacemaker start

Test

Requirement

  • To have user user test
# Enter user login
read MyUser

How create test user example

  • Create backup before
cat <<EOT >/tmp/$$.ldif
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif

Init test

# Init
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"

MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"

# Reset user password
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
  • Enter the Ldap password

Start checking

  • Test many passwords :
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s <mypasswdnew>
  • Prevent users from ending of maintenance.

Node uninstall

Requirement

  • Down time 1/2 hour
  • Backup file
ls -lrt ~/ldap.backup.*.tar.gz |tail

echo "Default backup : MyBackup=$MyBackup"

# Change if necessary

Stop all LDAP nodes

  • Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop

Restore

cd / &&\
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -type f -delete
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
MyBackup=~/ldap.undo.tar.gz
  • To undo execute the block before one more time

Start all LDAP nodes

  • Prevent users from ending of maintenance.
service corosync start
service pacemaker start

Ref

  1. Ref : http://infocepo.com/wiki/index.php/LDAP_policies
  2. Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
Retrieved from "https://infocepo.com/wiki/index.php?title=LDAP_policies&oldid=708"