LDAP policies

From Essential
Revision as of 03:43, 18 November 2016

How to install LDAP password policies?

Install node

Stop all LDAP nodes

service pacemaker stop
service corosync stop

Start the node

service corosync start
service pacemaker start

Define

# name of the data database, e.g. {1}mdb: the olcDatabase whose backend name ends in "db" (mdb/hdb/bdb)
MyolcDatabase=$(slapcat -n 0 | sed -rn 's/^olcDatabase: (\{[0-9]+\}.db)$/\1/p') ;echo "$MyolcDatabase"

MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"

# rootdn and suffix are taken from that database's entry only (the lines from its dn to the next
# blank line), so a rootdn defined on olcDatabase={0}config is not matched as well
MyolcRootDN=$(slapcat -n 0 | sed -rn '/^dn: olcDatabase=\{[0-9]+\}.db,cn=config$/,/^$/s/^olcRootDN: (.*)$/\1/p') ;echo "$MyolcRootDN"

MyolcSuffix=$(slapcat -n 0 | sed -rn '/^dn: olcDatabase=\{[0-9]+\}.db,cn=config$/,/^$/s/^olcSuffix: (.*)$/\1/p') ;echo "$MyolcSuffix"
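The sed one-liners above take whichever line starts with the attribute, wherever it sits in the dump. On a default Debian install the config database itself carries an olcRootDN (cn=admin,cn=config), and slapcat folds long values over several lines and base64-encodes values it cannot print as plain ASCII (written as attr:: ...). The helper below is an added example written for this page, not part of the wiki's procedure: it extracts an attribute only from the entry whose dn matches a pattern, after unfolding and decoding, so it covers olcDbDirectory and any other attribute as well. SAMPLE_SLAPCAT is a constructed dump; on a server, pipe slapcat -n 0 into ldif_attr instead.

```sh
#!/bin/sh
# Added example for this page (not the wiki's own commands): pick the values the Define step
# needs out of a slapcat -n 0 dump, but only from the entry they belong to, after undoing the
# two LDIF encodings slapcat uses: folded lines (continuation lines start with one space) and
# base64 values (written "attr:: ..."). SAMPLE_SLAPCAT is a constructed dump, not server output.

# ldif_attr DN_REGEX ATTR: print every value of ATTR in the entries whose dn matches DN_REGEX.
ldif_attr() {
    dn_re=$1
    attr=$2
    keep=0
    # unfold: append the next line while it continues the current one, then emit line by line
    sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case $line in
            "dn: "*)
                # a new entry starts: decide whether its attributes are wanted
                if printf '%s\n' "${line#"dn: "}" | grep -Eq -- "$dn_re"; then keep=1; else keep=0; fi ;;
            "$attr:: "*)
                # base64 value, the form slapcat uses for anything that is not printable ASCII
                if [ "$keep" = 1 ]; then printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n'; fi ;;
            "$attr: "*)
                if [ "$keep" = 1 ]; then printf '%s\n' "${line#"$attr: "}"; fi ;;
        esac
    done
}

# dn of the data database: the olcDatabase whose backend name ends in "db" (mdb/hdb/bdb);
# {0}config and {-1}frontend do not match this pattern
DATA_DB_DN='^olcDatabase=\{[0-9]+\}[a-z]*db,cn=config$'

# constructed dump in the shape slapcat -n 0 produces: note the olcRootDN on {0}config (present on
# a default Debian install), the folded olcAccess value, and the data database's olcRootDN written
# in base64 (encoded here only to exercise the decode path)
SAMPLE_SLAPCAT='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn
 =admin,dc=example,dc=org" write by * none
olcRootDN:: Y249YWRtaW4sZGM9ZXhhbXBsZSxkYz1vcmc='

# Stand-alone run on the sample; on a server use:  slapcat -n 0 | ldif_attr "$DATA_DB_DN" olcSuffix
MyolcDatabase=$(printf '%s\n' "$SAMPLE_SLAPCAT" | ldif_attr "$DATA_DB_DN" olcDatabase)
MyolcSuffix=$(printf '%s\n' "$SAMPLE_SLAPCAT" | ldif_attr "$DATA_DB_DN" olcSuffix)
MyolcRootDN=$(printf '%s\n' "$SAMPLE_SLAPCAT" | ldif_attr "$DATA_DB_DN" olcRootDN)
printf 'MyolcDatabase=%s\nMyolcSuffix=%s\nMyolcRootDN=%s\n' "$MyolcDatabase" "$MyolcSuffix" "$MyolcRootDN"
# an unscoped match (any dn) shows why scoping matters: two olcRootDN values come back
printf '%s\n' "$SAMPLE_SLAPCAT" | ldif_attr '.' olcRootDN
```

The dn pattern is the only thing that ties the extraction to the data database; the same function with a different pattern reads, for example, the cn=module{0} entry or an overlay entry.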

Backup process

Backup config

slapcat -n 0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz

ReadOnly

# set the data database read-only first: slapcat on a live bdb/hdb database is only safe while
# nothing writes to it; updates are refused until it is switched back below
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

Backup db

slapcat -b $MyolcSuffix |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz

Disable ReadOnly

cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

Add password policy schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

Add directory policies

cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
ldapadd -x -H ldapi:/// -D "${MyolcRootDN}" -W -f /tmp/$$.ldif

Load ppolicy module

cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

Overlay with ppolicy

# {0} is the overlay's ordinal position among the database's overlays; olcPPolicyDefault names
# the policy entry that is created in the next step and applies to every entry without a
# pwdPolicySubentry of its own
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

Define policy

# durations are in seconds: pwdMaxAge 3024000 = 35 days, pwdExpireWarning 1814400 = 21 days,
# pwdLockoutDuration 600 = 10 minutes; pwdMaxFailure 4 consecutive failed binds lock the account
# for that duration (pwdLockout TRUE); pwdFailureCountInterval 0 means the failure counter is only
# cleared by a successful bind; objectClass device is the structural class that carries the
# auxiliary pwdPolicy
cat <<EOT >/tmp/$$.ldif
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -x -H ldapi:/// -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
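Before loading a policy it is cheap to check that its attributes work together: per slapo-ppolicy(5) a non-zero pwdExpireWarning must be smaller than pwdMaxAge, pwdLockout only has an effect with a non-zero pwdMaxFailure, pwdMinLength is only applied when pwdCheckQuality is 1 or 2, and pwdAttribute must be userPassword. The script below is an added example for this page, not part of the wiki's procedure: POLICY_OK is a copy of the entry above with a constructed suffix, POLICY_BAD is a constructed variant that breaks each rule.

```sh
#!/bin/sh
# Added example for this page (not the wiki's own commands): sanity-check a pwdPolicy entry
# before loading it, using the attribute semantics of slapo-ppolicy(5). Reads one LDIF entry on
# stdin, prints one line per problem, and returns 0 when the policy is coherent.
ppolicy_lint() {
    awk -F': ' '
        /^pwd[A-Za-z]+: / { v[$1] = $2 }
        END {
            n = 0
            # a non-zero warning window must be shorter than the maximum age, or no warning is ever sent
            if (v["pwdMaxAge"] + 0 > 0 && v["pwdExpireWarning"] + 0 >= v["pwdMaxAge"] + 0) {
                print "pwdExpireWarning (" v["pwdExpireWarning"] ") is not smaller than pwdMaxAge (" v["pwdMaxAge"] ")"; n++
            }
            # lockout is triggered by the consecutive-failure counter, which a limit of 0 disables
            if (v["pwdLockout"] == "TRUE" && v["pwdMaxFailure"] + 0 == 0) {
                print "pwdLockout is TRUE but pwdMaxFailure is 0: no lockout can ever happen"; n++
            }
            # the minimum length is only applied while quality checking (pwdCheckQuality 1 or 2) is on
            if (v["pwdCheckQuality"] + 0 == 0 && v["pwdMinLength"] + 0 > 0) {
                print "pwdMinLength " v["pwdMinLength"] " is set but pwdCheckQuality is 0: length is not enforced"; n++
            }
            # ppolicy governs userPassword and nothing else
            if (v["pwdAttribute"] != "userPassword") {
                print "pwdAttribute must be userPassword"; n++
            }
            exit (n > 0)
        }'
}

# copy of the policy defined above, with a constructed suffix in place of ${MyolcSuffix}
POLICY_OK='dn: cn=MyOrgPPolicy,ou=Policies,dc=example,dc=org
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE'

# constructed variant that breaks every rule above: warning window equal to the max age, lockout
# with a zero failure limit, a minimum length without quality checking, and a wrong attribute
POLICY_BAD='dn: cn=BrokenPPolicy,ou=Policies,dc=example,dc=org
cn: BrokenPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: authPassword
pwdMaxAge: 3024000
pwdExpireWarning: 3024000
pwdCheckQuality: 0
pwdMinLength: 9
pwdMaxFailure: 0
pwdLockout: TRUE
pwdLockoutDuration: 600'

# stand-alone run; on a server: ppolicy_lint </tmp/$$.ldif before the ldapadd
printf '%s\n' "$POLICY_OK" | ppolicy_lint && echo "MyOrgPPolicy: no problems found"
printf '%s\n' "$POLICY_BAD" | ppolicy_lint || echo "BrokenPPolicy: problems listed above"
```

The checks are deliberately limited to relations between attributes that slapo-ppolicy(5) documents; whether 35 days, 4 failures or a 10-minute lockout are the right numbers is an organisational decision the script does not make.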

Test

# rootdn and suffix of the data database again (new shell), read from that database's entry only
MyolcRootDN=$(slapcat -n 0 | sed -rn '/^dn: olcDatabase=\{[0-9]+\}.db,cn=config$/,/^$/s/^olcRootDN: (.*)$/\1/p') ;echo "$MyolcRootDN"
MyolcSuffix=$(slapcat -n 0 | sed -rn '/^dn: olcDatabase=\{[0-9]+\}.db,cn=config$/,/^$/s/^olcSuffix: (.*)$/\1/p') ;echo "$MyolcSuffix"

# the test account lives in the data database, so dump that one (-n 0 is only cn=config)
MyUser=$(slapcat -b "$MyolcSuffix" | sed -rn 's/^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$/\1/p') ;echo "$MyUser"
# as rootdn: set a known password (the policy does not police the rootdn's change; with
# pwdMustChange TRUE the entry is flagged pwdReset, so the user has to change it at the next bind)
ldappasswd -x -H ldapi:/// -D "${MyolcRootDN}" -W -s test "$MyUser"
# as the user: a 4-character password must be refused with a constraint violation (pwdMinLength: 9)
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura

Rollback

Define

ls -lrt ~/ldap.*.gz |tail
MyRollbackDate=""      # date part of the backup file name chosen from the listing, e.g. 2016-11-18T03_43_00Z
MyRollbackHostname=""  # host part of that file name
MyLDAPUser='openldap' #redhat: ldap
MyConfigDir='/etc/ldap/slapd.d/' #redhat: /etc/openldap/slapd.d/
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"  # stamp for the directories moved aside below

[Stop LDAP]

Restore config

MyRollback=~/ldap.config."${MyRollbackHostname}"."${MyRollbackDate}".gz
MyBaseNumber=0
MyBaseDir="$MyConfigDir"

# move the current slapd.d aside (under /tmp/${MyDate}) and rebuild it from the config dump:
# -F names the cn=config directory, -n 0 is the config database itself
zcat "$MyRollback" >/tmp/$$.ldif &&\
mkdir -p "/tmp/${MyDate}$(dirname "${MyBaseDir%/}")" &&\
mv -f "${MyBaseDir}" "/tmp/${MyDate}$(dirname "${MyBaseDir%/}")/" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n "${MyBaseNumber}" -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"

Restore db

MyRollback=~/ldap.db."${MyRollbackHostname}"."${MyRollbackDate}".gz

# number and on-disk directory of the data database, e.g. 1 and /var/lib/ldap
MyBaseNumber=$(slapcat -n 0 | sed -rn 's/^olcDatabase: \{([0-9]+)\}.db$/\1/p') ;echo "$MyBaseNumber"
MyBaseDir=$(slapcat -n 0 | sed -rn '/^dn: olcDatabase=\{[0-9]+\}.db,cn=config$/,/^$/s/^olcDbDirectory: (\/.*)$/\1/p') ;echo "$MyBaseDir"

# move the current data directory aside (under /tmp/${MyDate}) and reload the dump into a fresh one;
# -F still names the cn=config directory: slapadd reads the database definition there and writes
# the files into olcDbDirectory, -n selects the database by number
zcat "$MyRollback" >/tmp/$$.ldif &&\
mkdir -p "/tmp/${MyDate}$(dirname "${MyBaseDir%/}")" &&\
mv -f "${MyBaseDir}" "/tmp/${MyDate}$(dirname "${MyBaseDir%/}")/" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyConfigDir}" -n "${MyBaseNumber}" -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"

[Start LDAP]

Ref: https://www.youtube.com/watch?v=_ZvnNVwWk-M