LDAP policies: Difference between revisions
No edit summary |
No edit summary |
Line 107: | Line 107: | ||
</pre> | </pre> | ||
=== Restart the node === | |||
service pacemaker stop | service pacemaker stop | ||
service corosync restart | service corosync restart | ||
Line 113: | Line 113: | ||
== Test == | == Test == | ||
<pre> | |||
MyUser="myuser" | |||
=== | #=== Init === | ||
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$' | |||
MyFilter=$(MyPatern='^olcSuffix: ( | |||
slapcat -n0 |\ | slapcat -n0 |\ | ||
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter" | sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter" | ||
MyolcSuffix="$MyFilter" | MyolcSuffix="$MyFilter" | ||
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*, | MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$' | ||
slapcat - | slapcat -n 0 |\ | ||
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo | sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter | ||
MyolcRootDN="$MyFilter" | MyolcRootDN="$MyFilter" | ||
</pre> | |||
=== Create user === | |||
<pre> | |||
cat <<EOT >/tmp/$$.ldif | |||
dn: ou=users,${MyolcSuffix} | |||
description: My Organization users come here | |||
objectclass: top | |||
objectclass: organizationalUnit | |||
ou: users | |||
dn: uid=${MyUser},ou=users,${MyolcSuffix} | |||
cn: ${MyUser} | |||
sn: ${MyUser}SN | |||
uid: ${MyUser} | |||
ou: users | |||
objectClass: organizationalPerson | |||
objectClass: inetOrgPerson | |||
EOT | |||
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif | |||
</pre> | |||
MyFilter=$(MyPatern='^dn: ( | MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$' | ||
slapcat -b $MyolcSuffix |\ | slapcat -b $MyolcSuffix |\ | ||
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter" | sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter" | ||
MyUserDN="$MyFilter" | MyUserDN="$MyFilter" | ||
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s | === Reset user password === | ||
* Take the admin password | |||
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd | |||
=== Start checking === | === Start checking === | ||
* Test many passwords : | * Test many passwords : | ||
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w | ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s mypasswdnew | ||
== Node uninstall == | == Node uninstall == | ||
Line 169: | Line 188: | ||
service pacemaker start | service pacemaker start | ||
== Ref == | |||
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies | # Ref : http://infocepo.com/wiki/index.php/LDAP_policies | ||
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M | # Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M |
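Review bot: The new "Reset user password" and "Start checking" lines pass secrets as arguments (`-s mypasswd`, and `-w mypasswd -s mypasswdnew` on the test line), where they show up in process listings and shell history for anyone who pastes the page as written; the prompting forms `ldappasswd -D "${MyolcRootDN}" -W -S "${MyUserDN}"` and `ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -W -S` avoid that. The added "Create user" block writes its LDIF to the predictable `/tmp/$$.ldif`; `MyLdif=$(mktemp)`, `-f "$MyLdif"` and a trailing `rm -f -- "$MyLdif"` is the usual fix. The new user-DN lookup also leaves `$MyolcSuffix` unquoted in `slapcat -b $MyolcSuffix`, and the rootDN line keeps an unquoted `echo $MyFilter`; quote both.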
Revision as of 08:20, 24 November 2016
How to install LDAP password policies?
Node install
Stop all LDAP nodes
# Take the cluster stack down on every LDAP node: pacemaker first, then corosync.
for svc in pacemaker corosync; do
  service "$svc" stop
done
Backup
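#==== Init ====
# Paths to archive: the packaged defaults plus whatever the slapd config and
# cn=config report. Kept as an array (not a "\n"-joined string) so that a path
# with spaces survives the hand-off to tar below.
MySourceList=(/etc/default/slapd /etc/ldap/slapd.d/)
MyPatern='^SLAPD_CONF=(\/.*)$'
MyFilter=$(sed -rn "s/$MyPatern/\1/p" /etc/default/slapd |head -1) ;echo "$MyFilter"
[[ -n "$MyFilter" ]] && MySourceList+=("$MyFilter")
MyPatern='^olcConfigDir: (\/.*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[[ -n "$MyFilter" ]] && MySourceList+=("$MyFilter")
MyPatern='^olcDbDirectory: (\/.*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[[ -n "$MyFilter" ]] && MySourceList+=("$MyFilter")
# UTC timestamp with ':' replaced by '_' so it is safe in a file name.
# MyRefDate and MyBackup are reused by the uninstall/restore steps.
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
#==== Backup ====
# One path per line on stdin for "tar -T -"; the old unquoted "echo -e $list"
# word-split the paths.
printf '%s\n' "${MySourceList[@]}" |tar czvf "${MyBackup}" -T -
#==== Start LDAP ====
service corosync start
service pacemaker start
#==== Check backup ====
ls -l "${MyBackup}"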
Install
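#==== Init ====
# Pull the database name, suffix and rootDN of the first backend out of
# cn=config. NOTE: the suffix/rootDN patterns only match a two-component
# suffix (dc=x,dc=y); adapt them for another DIT layout.
MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"
MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
# Every LDIF below is built from these three values; warn now instead of
# loading a half-formed entry.
if [[ -z "$MyolcDatabase" || -z "$MyolcSuffix" || -z "$MyolcRootDN" ]]; then
  printf 'could not read olcDatabase/olcSuffix/olcRootDN from slapcat -n 0\n' >&2
fi
#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
#==== [OpenLDAP] Enable ====
# LDIF goes to a private mktemp file instead of the predictable /tmp/$$.ldif.
# Entries are separated by a blank line, as LDIF requires.
MyLdif=$(mktemp)
cat <<EOT >"${MyLdif}"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
#==== Define policies ====
# Durations are in seconds: pwdMaxAge 7776000 = 90 days, pwdExpireWarning
# 1814400 = 21 days, pwdLockoutDuration 600 = 10 minutes. pwdPolicy is an
# auxiliary class, hence the structural "device" next to it.
cat <<EOT >"${MyLdif}"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
# -W prompts for the rootDN password rather than taking it on the command line.
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif:?}"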
Restart the node
# Bounce the cluster stack on this node: stop pacemaker, restart corosync
# underneath it, then bring pacemaker back.
service pacemaker stop
service corosync restart
service pacemaker start
Test
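MyUser="myuser"
#=== Init ===
# Re-read suffix and rootDN from cn=config (same lookups as the install step).
# NOTE: the patterns only match a two-component suffix (dc=x,dc=y).
MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
MyFilter=$(slapcat -n 0 |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
# Both values feed every later command; warn now rather than fail on an empty DN.
if [[ -z "$MyolcSuffix" || -z "$MyolcRootDN" ]]; then
  printf 'olcSuffix/olcRootDN not found in slapcat -n 0 output\n' >&2
fi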
Create user
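# Create the users OU and one test account. The LDIF is written to a private
# mktemp file (not the predictable /tmp/$$.ldif), loaded as the rootDN (-W
# prompts for the admin password), then removed. LDIF entries are separated
# by a blank line.
MyLdif=$(mktemp)
cat <<EOT >"${MyLdif}"
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif:?}"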
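# Look up the test user's DN straight from the database (slapcat -b suffix).
# MyUser is spliced unescaped into the sed regex, so it must not contain regex
# metacharacters; the pattern also assumes the two-component dc=x,dc=y suffix
# used by the Init step.
MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
MyFilter=$(slapcat -b "${MyolcSuffix}" |sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"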
Reset user password
- Enter the admin password when prompted
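# Set the test user's initial password as the rootDN. -W prompts for the admin
# password and -S for the new user password, so neither secret is passed as an
# argument (argv is visible in `ps` and kept in shell history).
ldappasswd -D "${MyolcRootDN}" -W -S "${MyUserDN}"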
Start checking
- Test several passwords against the policy:
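# Change the password as the user over a simple bind. -W prompts for the
# current password and -S for the new one, keeping both off the command line
# (argv is visible in `ps` and kept in shell history). Repeat with values that
# violate the policy (shorter than pwdMinLength, one of the last pwdInHistory
# passwords) to see the server reject them.
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -W -S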
Node uninstall
# Oldest first, newest last: pick the backup to restore from this list.
ls -lrt ~/ldap.*.gz |tail -n 10
printf 'Default backup : %s\n' "$MyBackup"
# Select new date if necessary :
# MyRefDate=""
Stop node
# Take this node out of the cluster before touching its files.
for svc in pacemaker corosync; do
  service "$svc" stop
done
Restore
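#==== Init ====
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
# Member paths in the archive are relative to /, so the restore runs from /.
# The member list is read once into an array: the quoted expansion keeps paths
# with spaces intact, and an EMPTY list must never reach "find ... -delete"
# below (with no start path find defaults to ".", i.e. all of / once we cd /).
mapfile -t MyMembers < <(tar -ztf "${MyBackup}")
if (( ${#MyMembers[@]} == 0 )); then
  printf 'no members listed in %s (missing or unreadable?), restore skipped\n' "${MyBackup}" >&2
else
  # Last chance ... ~/ldap.tmp.tar.gz : snapshot the files about to be replaced.
  cd / &&\
  find "${MyMembers[@]}" -xdev -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
  (find "${MyMembers[@]}" -xdev -type f -delete
  tar xzvf "${MyBackup}") &&\
  cd -
fi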
Start node
# Bring the cluster stack back: corosync first, pacemaker on top of it.
for svc in corosync pacemaker; do
  service "$svc" start
done