LDAP policies: Difference between revisions
No edit summary |
No edit summary |
Line 1: | Line 1: | ||
#!/bin/sh | |||
How install LDAP password policies? | How install LDAP password policies? | ||
Line 74: | Line 76: | ||
</pre> | </pre> | ||
==== Load password policy module ==== | |||
<pre> | <pre> | ||
cat <<EOT >/tmp/$$.ldif | cat <<EOT >/tmp/$$.ldif | ||
Line 85: | Line 87: | ||
</pre> | </pre> | ||
==== Overlay password policy ==== | |||
<pre> | <pre> | ||
cat <<EOT >/tmp/$$.ldif | cat <<EOT >/tmp/$$.ldif | ||
Line 97: | Line 99: | ||
</pre> | </pre> | ||
==== Define password policy ==== | |||
<pre> | <pre> | ||
cat <<EOT >/tmp/$$.ldif | cat <<EOT >/tmp/$$.ldif |
Revision as of 02:52, 18 November 2016
#!/bin/sh
How to install LDAP password policies?
Install node
Stop all LDAP nodes
# Stop the cluster stack on this node: pacemaker (the resource manager) first,
# then corosync (its messaging layer). Repeat on every LDAP node.
service pacemaker stop
service corosync stop
Start the node
# Bring the node back: corosync (messaging) first, then pacemaker on top of it —
# the reverse of the stop order.
service corosync start
service pacemaker start
Define
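# Discover, from the running cn=config, the values every later step needs.
# Each lookup runs inside a $( ) subshell so MyPatern stays local to it.
# sed -r (GNU ERE): \{ \} are literal braces, ( ) captures, ".db" matches hdb/mdb/bdb.
# Check that every echoed value is exactly ONE line: several databases (e.g. the
# cn=config database itself, which may carry its own olcRootDN) would yield several.
# NOTE(review): slapcat -n 0 prints this attribute as `olcDatabase: {N}hdb`; the
# pattern below looks for `olcDatabase= ` — confirm it matches on your output.
MyFilter=$(
  MyPatern='^olcDatabase= (\{[0-9]+\}.db)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyolcDatabase="${MyFilter}"   # e.g. {1}hdb — used in every cn=config DN below

# UTC timestamp for the backup file names; underscores instead of ':' in the
# time part keep the name portable
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"

# rootDN of the data database: the bind identity used when adding ordinary entries
MyFilter=$(
  MyPatern='^olcRootDN: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyolcRootDN="$MyFilter"

# suffix of the data database: ou=Policies is created under it
MyFilter=$(
  MyPatern='^olcSuffix: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyolcSuffix="$MyFilter"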
Backup process
Backup config
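# Backup the configuration database (cn=config, -n 0).
# slapcat's exit status is lost behind a pipe (plain sh has no pipefail), so dump
# to a file first and compress afterwards: a failed dump then stops the chain
# instead of leaving a plausible-looking but empty .gz behind.
# umask 077: the dump contains olcRootPW and any replication credentials — keep it
# private (gzip keeps the mode).
# Result: ~/ldap.config.<host>.<MyDate>.gz, the name the Rollback section expects.
MyBackup=~/ldap.config."$(hostname)"."${MyDate}"
( umask 077; slapcat -n 0 >"${MyBackup}" ) &&
gzip -f -- "${MyBackup}"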
ReadOnly
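# Put the data database in read-only mode so the backup below is consistent.
# The LDIF is handed to ldapmodify on stdin (it reads stdin when -f is absent):
# no /tmp/$$.ldif — a predictable name in a world-writable directory, never removed.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOT
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT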
Backup db
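# Backup the data database (the one whose suffix is MyolcSuffix) while it is
# read-only. Dump first, then compress, so a failing slapcat stops the chain
# instead of leaving an empty .gz behind (plain sh has no pipefail); the
# uncompressed dump needs as much free space in ~ as the directory export.
# umask 077: the dump carries every userPassword hash — keep it private.
# MyolcSuffix is quoted: a suffix may legitimately contain spaces ("o=My Org").
# Result: ~/ldap.db.<host>.<MyDate>.gz, the name the Rollback section expects.
MyBackup=~/ldap.db."$(hostname)"."${MyDate}"
( umask 077; slapcat -b "${MyolcSuffix}" >"${MyBackup}" ) &&
gzip -f -- "${MyBackup}"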
Enable write
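# Make the data database writable again once the backup is done.
# LDIF on stdin (no -f): no predictable, never-removed /tmp/$$.ldif file.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOT
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT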
Add password policy schema
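# Load the ppolicy schema into cn=config; required before the overlay and the
# pwdPolicy entry can be created. Errors out (entry already exists) if the
# schema was loaded before, which is harmless.
# -Q silences the SASL/EXTERNAL chatter, as in the other cn=config steps.
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif #redhat: /etc/openldap/schema/ppolicy.ldif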
Add directory policies
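# Create the ou=Policies container under the data suffix.
# This step binds as the rootDN (-W prompts for its password), so the LDIF goes
# through a private mktemp file (mode 0600) instead of the predictable
# /tmp/$$.ldif, and the file is removed afterwards. ${MyLdif:?} aborts the
# redirection if mktemp failed instead of writing to an empty path.
MyLdif=$(mktemp)
cat <<EOT >"${MyLdif:?mktemp failed}"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"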
Load password policy module
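# Load the ppolicy overlay module into slapd (cn=module{0}).
# The record is a changetype: modify, so ldapmodify is used like the olcReadonly
# steps (the original used ldapadd, which is ldapmodify -a). LDIF on stdin: no
# /tmp/$$.ldif. cn=module{0} must already exist (it typically does, listing the
# back-end module); on a config without any module entry use changetype: add.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOT
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT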
Overlay password policy
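# Attach the ppolicy overlay to the data database and point it at the default
# policy entry (created in the next step).
# {0} puts ppolicy first in the overlay chain; if the database already has
# overlays (syncprov, memberof, ...) consider omitting the index so slapd numbers
# it after the existing ones instead of reordering them.
# LDIF on stdin: no predictable, never-removed /tmp/$$.ldif file.
ldapadd -Q -Y EXTERNAL -H ldapi:/// <<EOT
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT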
Define password policy
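# Define the policy entry named by olcPPolicyDefault.
# pwdPolicy is an AUXILIARY class, so a STRUCTURAL one (device) carries the entry.
# Attribute meanings (slapo-ppolicy(5)):
#   pwdMaxAge 3024000         password expires after 35 days
#   pwdExpireWarning 1814400  expiry warnings start 21 days before that
#   pwdInHistory 3            the last 3 passwords cannot be reused
#   pwdCheckQuality 1         check syntax/length when the server sees the
#                             cleartext; accept if it cannot (pre-hashed value)
#   pwdMinLength 9            minimum length (only enforced when checkable, see above)
#   pwdMaxFailure 4 / pwdLockout TRUE / pwdLockoutDuration 600
#                             4 failed binds lock the account for 10 minutes
#   pwdGraceAuthNLimit 0      no binds once the password has expired
#   pwdFailureCountInterval 0 the failure counter is only cleared by a successful bind
#   pwdMustChange TRUE        a password set by an administrator must be changed at next bind
#   pwdAllowUserChange TRUE   users may change their own password
#   pwdSafeModify FALSE       the old password need not be supplied in the change
# Bound as the rootDN (-W prompts), so the LDIF goes through a private mktemp
# file (mode 0600) rather than the predictable /tmp/$$.ldif, and is removed after.
MyLdif=$(mktemp)
cat <<EOT >"${MyLdif:?mktemp failed}"
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"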
Test
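# Values for the password test below (re-derived so the test can run in a fresh shell).
# Check that each echoed value is exactly ONE line.
MyFilter=$(
  MyPatern='^olcRootDN: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyolcRootDN="$MyFilter"

MyFilter=$(
  MyPatern='^olcSuffix: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyolcSuffix="$MyFilter"

# DN of the account used for the test (adjust the cn to one of your users).
# NOTE(review): the original searched it with `slapcat -n 0`; -n 0 is always the
# cn=config database, which holds no user entries, so the data database is
# dumped instead (-b suffix; on a large directory an ldapsearch is cheaper).
MyFilter=$(
  MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
  slapcat -b "${MyolcSuffix}" | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyUser="$MyFilter"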
# 1) as the rootDN (-W prompts for its password): set the test user's password
#    to "test" — with pwdMustChange: TRUE this presumably flags the account as
#    "must change at next bind".
# 2) as that user, over plain ldap:// to localhost (the password travels in the
#    clear, so keep it local): change it to "dura", a 4-character value,
#    presumably to watch the policy (pwdMinLength: 9) refuse it — confirm the
#    outcome you expect.
# -w and -s put passwords on the command line, where `ps` and the shell history
# can see them: acceptable for throw-away test values, otherwise prefer the
# prompting forms -W / -S.
ldappasswd -D "${MyolcRootDN}" -W -s test "$MyUser"
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura
Rollback
Define
# List the backups oldest first (newest at the bottom) and take the hostname
# and timestamp parts of the file to roll back to for the variables below.
ls -lrt -- ~/ldap.*.gz | tail
# Rollback parameters — fill the first two in from the ls output above.
MyRollbackDate=''        # timestamp part of the backup name (example value: 2016-11-18T02_52_00Z)
MyRollbackHostname=''    # hostname part of the backup name
MyLDAPUser='openldap'    #redhat: ldap
MyConfigDir='/etc/ldap/slapd.d/' #redhat: /etc/openldap/slapd.d/
# Timestamp of *this* rollback run (UTC, same format as the backup names); it
# only names the directory the live files are parked in, not the backup to read.
MyDate=$(date -u '+%Y-%m-%dT%H_%M_%SZ')
[Stop LDAP]
Restore config
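# Restore the configuration database (cn=config, -n 0) from the chosen backup.
# The backup is named after MyRollbackDate (the backup's timestamp), not MyDate
# (now): the original line used MyDate here, so the file could never be found.
: "${MyRollbackDate:?set it from the ls output above}"
: "${MyRollbackHostname:?set it from the ls output above}"
MyRollback=~/ldap.config."${MyRollbackHostname}"."${MyRollbackDate}".gz
MyBaseNumber=0
MyBaseDir="${MyConfigDir%/}"             # trailing slash stripped so the path maths below works
MyOldDir="/tmp/${MyDate}${MyBaseDir}"    # where the live slapd.d is parked — /tmp may be wiped at reboot,
                                         # and it holds olcRootPW: move it elsewhere if you need it longer
# 1. gzip -t: make sure the archive is readable BEFORE the live directory is moved
# 2. park the live directory, recreate it empty
# 3. slapadd reads LDIF on stdin when -l is absent, so the dump (olcRootPW,
#    replication credentials) never sits in a world-readable /tmp file
# 4. hand the rebuilt tree to the slapd user
gzip -t -- "${MyRollback}" &&
mkdir -p -- "${MyOldDir%/*}" &&
mv -f -- "${MyBaseDir}" "${MyOldDir}" &&
mkdir -- "${MyBaseDir}" &&
gzip -dc -- "${MyRollback}" | slapadd -F "${MyBaseDir}" -n "${MyBaseNumber}" &&
chown -R "${MyLDAPUser}": "${MyBaseDir}"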
Restore db
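# Restore the data database from the chosen backup. Run AFTER "Restore config":
# the database number and directory are read back from the restored cn=config.
# The backup is named after MyRollbackDate (the backup's timestamp), not MyDate
# (now): the original line used MyDate here, so the file could never be found.
: "${MyRollbackDate:?set it from the ls output above}"
: "${MyRollbackHostname:?set it from the ls output above}"
MyRollback=~/ldap.db."${MyRollbackHostname}"."${MyRollbackDate}".gz

# NOTE(review): slapcat -n 0 prints this attribute as `olcDatabase: {N}hdb`; the
# pattern looks for `olcDatabase= ` — confirm it matches on your output.
# Assumes a single {N}hdb/mdb database; several would yield several lines.
MyFilter=$(
  MyPatern='^olcDatabase= \{([0-9]+)\}.db$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyBaseNumber="${MyFilter}"               # e.g. 1 — the -n argument for slapadd

MyFilter=$(
  MyPatern='^olcDbDirectory: (\/.*)$'
  slapcat -n 0 | sed -rn "s/${MyPatern}/\1/p"
)
printf '%s\n' "$MyFilter"
MyBaseDir="${MyFilter%/}"                # e.g. /var/lib/ldap
MyOldDir="/tmp/${MyDate}${MyBaseDir}"    # where the live data dir is parked — /tmp may be small (tmpfs)
                                         # or wiped at reboot: choose another place for a large database

# -F must name the *config* directory (slapd.d), not the data directory — the
# original passed MyBaseDir, which had just been emptied; slapadd takes the
# database's location from olcDbDirectory in that config.
# mkdir -m 700: the database files hold every password hash and must not be
# world-readable. If the old directory had a DB_CONFIG (hdb/bdb back end) it is
# kept so the rebuilt environment uses the same tuning.
# The LDIF is piped in (slapadd reads stdin when -l is absent), so the dump
# never sits in a world-readable /tmp file.
gzip -t -- "${MyRollback}" &&
mkdir -p -- "${MyOldDir%/*}" &&
mv -f -- "${MyBaseDir}" "${MyOldDir}" &&
mkdir -m 700 -- "${MyBaseDir}" &&
if [ -f "${MyOldDir}/DB_CONFIG" ]; then cp -p -- "${MyOldDir}/DB_CONFIG" "${MyBaseDir}/"; fi &&
gzip -dc -- "${MyRollback}" | slapadd -F "${MyConfigDir}" -n "${MyBaseNumber}" &&
chown -R "${MyLDAPUser}": "${MyBaseDir}"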