LDAP policies: Difference between revisions

From Essential
Jump to navigation Jump to search
No edit summary
No edit summary
Line 5: Line 5:
  service pacemaker stop
  service pacemaker stop
  service corosync stop
  service corosync stop
=== Start the node ===
service corosync start
service pacemaker start


=== Backup ===
=== Backup ===
<pre>
<pre>
#==== Init ====
#==== Init ====
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"


MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
 
MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="${MyFilter}"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"


#==== Backup config ====
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"


#==== ReadOnly ====
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
cat <<EOT >/tmp/$$.ldif
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif


#==== Backup db ====
#==== Backup ====
slapcat |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz
echo -e $MySourceList |tar czvf "${MyBackup}" -T -


#==== Enable write ====
#==== Start LDAP ====
cat <<EOT >/tmp/$$.ldif
service corosync start
dn: olcDatabase=${MyolcDatabase},cn=config
service pacemaker start
changetype: modify
replace: olcReadonly
#==== Check backup ====
olcReadonly: FALSE
ls -l "${MyBackup}"
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>
</pre>


Line 50: Line 45:
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="${MyFilter}"
MyolcDatabase="$MyFilter"
 
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^olcSuffix: (.*)$'
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyolcSuffix="$MyFilter"


#==== Add password policy schema ====
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapadd -n0 -l /etc/ldap/schema/ppolicy.ldif
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"


#==== Add directory policies ====
#==== [OpenLDAP] Add schema ====
cat <<EOT >/tmp/$$.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif


#==== Load password policy module ====
#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
dn: cn=module{0},cn=config
Line 82: Line 67:
add: olcModuleLoad
add: olcModuleLoad
olcModuleLoad: ppolicy
olcModuleLoad: ppolicy
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif


#==== Overlay password policy ====
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcOverlayConfig
Line 93: Line 74:
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
EOT
slapadd -n0 -l /tmp/$$.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f  /tmp/$$.ldif


#==== Define password policy entry ====
#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
cn: MyOrgPPolicy
Line 103: Line 90:
objectClass: top
objectClass: top
pwdAttribute: userPassword
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdInHistory: 3
pwdCheckQuality: 1
pwdCheckQuality: 1
pwdMinLength: 9
pwdMinLength: 8
pwdMaxFailure: 4
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockout: TRUE
Line 117: Line 104:
pwdSafeModify: FALSE
pwdSafeModify: FALSE
EOT
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>
</pre>
==== Restart the node ====
service pacemaker stop
service corosync restart
service pacemaker start


== Test ==
== Test ==
* Create a test user
* Enter name :
MyUser="pacheco"
=== Reset user password ===
* Take the admin password
<pre>
<pre>
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
 
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,'"${MyolcSuffix}"')$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
MyFilter=$(MyPatern='^dn: (cn=.*'"${MyUser}"'.*,ou=users,dc=.*,dc=.*)$'
slapcat -n0 |\
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUser="$MyFilter"
MyUserDN="$MyFilter"
 
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s test
</pre>
</pre>


ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
=== Start checking ===
  ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura
* Test many passwords :
  ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w test -s coucou


== Node uninstall ==
== Node uninstall ==
  ls -lrt ~/ldap.*.gz |tail
  ls -lrt ~/ldap.*.gz |tail


* Enter date :
echo "Default backup : $MyBackup" 
  MyRollbackDate=""
# Select new date if necessary :
  # MyRefDate=""
=== Stop node ===
service pacemaker stop
service corosync stop


* Select distribution :
<pre>
#=== Init ===
# redhat
MyLDAPUser='ldap'
MyConfigDir='/etc/openldap/slapd.d/'
# ubuntu
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
</pre>
=== [Stop LDAP] ===
=== Restore ===
=== Restore ===
<pre>
<pre>
#=== Restore config ===
#==== Init ====
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
MyBaseNumber=0
MyBaseDir="$MyConfigDir"


zcat $MyRollback >/tmp/$$.ldif &&\
# Last chance ... ~/ldap.tmp.tar.gz
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
cd / &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
find $(tar -ztf "${MyBackup}") -xdev -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
mkdir "${MyBaseDir}" &&\
(find $(tar -ztf "${MyBackup}") -xdev -type f -delete
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
tar xzvf "${MyBackup}") &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
cd -
</pre>


#=== Restore db ===
=== Start node ===
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz
service corosync start
 
service pacemaker start
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"


MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
=== Ref ===
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseDir="${MyFilter}"
 
zcat $MyRollback >/tmp/$$.ldif &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
</pre>
=== [Start LDAP] ===
=== [Enable write] ===
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M

Revision as of 02:54, 24 November 2016

How install LDAP password policies?

Node install

Stop all LDAP nodes

service pacemaker stop
service corosync stop

Backup

#==== Init ====
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"

MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz

#==== Backup ====
echo -e $MySourceList |tar czvf "${MyBackup}" -T -

#==== Start LDAP ====
service corosync start
service pacemaker start
 
#==== Check backup ====
ls -l "${MyBackup}"

Install

#==== Init ====
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"

MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"

#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f  /tmp/$$.ldif

#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif

Restart the node

service pacemaker stop
service corosync restart
service pacemaker start

Test

  • Create a test user
  • Enter name :
MyUser="pacheco"

Reset user password

  • Take the admin password
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,'"${MyolcSuffix}"')$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"

MyFilter=$(MyPatern='^dn: (cn=.*'"${MyUser}"'.*,ou=users,dc=.*,dc=.*)$'
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"

ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s test

Start checking

  • Test many passwords :
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w test -s coucou

Node uninstall

ls -lrt ~/ldap.*.gz |tail

echo "Default backup : $MyBackup"  
# Select new date if necessary :
# MyRefDate=""

Stop node

service pacemaker stop
service corosync stop

Restore

#==== Init ====
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz

# Last chance ... ~/ldap.tmp.tar.gz
cd / &&\
find $(tar -ztf "${MyBackup}") -xdev -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -xdev -type f -delete
tar xzvf "${MyBackup}") &&\
cd -

Start node

service corosync start
service pacemaker start

Ref

  1. Ref : http://infocepo.com/wiki/index.php/LDAP_policies
  2. Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
Retrieved from "https://infocepo.com/wiki/index.php?title=LDAP_policies&oldid=693"