LDAP policies: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
How install LDAP password policies? | How install LDAP password policies? | ||
== Requirement == | |||
* To have the Ldap password (Keepass!) | |||
* | * Down time 1 hour | ||
== Stop all LDAP nodes == | |||
* Prevent users from beginning of maintenance. | |||
service pacemaker stop | service pacemaker stop | ||
service corosync stop | service corosync stop | ||
== Node install == | |||
=== Backup === | === Backup === | ||
<pre> | <pre> | ||
| Line 32: | Line 34: | ||
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz | MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz | ||
# | #=== Backup === | ||
echo -e $MySourceList |tar czvf "${MyBackup}" -T - | echo -e $MySourceList |tar czvf "${MyBackup}" -T - | ||
#=== Check backup === | |||
ls -l "${MyBackup}" | |||
</pre> | </pre> | ||
=== Start LDAP === | |||
service corosync start | service corosync start | ||
service pacemaker start | service pacemaker start | ||
=== Install === | === Install === | ||
<pre> | <pre> | ||
| Line 95: | Line 97: | ||
pwdMaxAge: 7776000 | pwdMaxAge: 7776000 | ||
pwdExpireWarning: 1814400 | pwdExpireWarning: 1814400 | ||
pwdInHistory: | pwdInHistory: 4 | ||
pwdCheckQuality: 1 | pwdCheckQuality: 1 | ||
pwdMinLength: 8 | pwdMinLength: 8 | ||
| Line 110: | Line 112: | ||
</pre> | </pre> | ||
=== | === Stop the node === | ||
service pacemaker stop | service pacemaker stop | ||
service corosync | service corosync stop | ||
== Start all LDAP nodes == | |||
* Prevent users from ending of maintenance. | |||
service corosync start | |||
service pacemaker start | service pacemaker start | ||
| Line 133: | Line 139: | ||
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter | sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter | ||
MyolcRootDN="$MyFilter" | MyolcRootDN="$MyFilter" | ||
MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$' | MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$' | ||
| Line 142: | Line 147: | ||
=== Reset user password === | === Reset user password === | ||
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd | ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd | ||
* Enter the Ldap password | |||
=== Start checking === | === Start checking === | ||
* Test many passwords : | * Test many passwords : | ||
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s mypasswdnew | ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s mypasswdnew | ||
* Prevent users from ending of maintenance. | |||
== Node uninstall == | == Node uninstall == | ||
| Line 166: | Line 173: | ||
# Last chance ... ~/ldap.tmp.tar.gz | # Last chance ... ~/ldap.tmp.tar.gz | ||
cd / &&\ | cd / &&\ | ||
find $(tar -ztf "${MyBackup}") | find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\ | ||
(find $(tar -ztf "${MyBackup}") | (find $(tar -ztf "${MyBackup}") -type f -delete | ||
tar xzvf "${MyBackup}") &&\ | tar xzvf "${MyBackup}") &&\ | ||
cd - | cd - | ||
Revision as of 22:57, 30 November 2016
How install LDAP password policies?
Requirement
- To have the Ldap password (Keepass!)
- Down time 1 hour
Stop all LDAP nodes
- Prevent users from beginning of maintenance.
service pacemaker stop service corosync stop
Node install
Backup
#==== Init ====
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"
MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
#=== Backup ===
echo -e $MySourceList |tar czvf "${MyBackup}" -T -
#=== Check backup ===
ls -l "${MyBackup}"
Start LDAP
service corosync start service pacemaker start
Install
#==== Init ====
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"
#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
Stop the node
service pacemaker stop service corosync stop
Start all LDAP nodes
- Prevent users from ending of maintenance.
service corosync start service pacemaker start
Test
Requirement
- User test
#MyUser="<UserTest>"
- Have admin login and password (Keepass)
Init test
#=== Init ===
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"
MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"
Reset user password
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
- Enter the Ldap password
Start checking
- Test many passwords :
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s mypasswdnew
- Prevent users from ending of maintenance.
Node uninstall
ls -lrt ~/ldap.*.gz |tail
echo "Default backup : $MyBackup" # Select new date if necessary : # MyRefDate=""
Stop node
service pacemaker stop service corosync stop
Restore
#==== Init ====
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
# Last chance ... ~/ldap.tmp.tar.gz
cd / &&\
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -type f -delete
tar xzvf "${MyBackup}") &&\
cd -
#=== Start node ===
service corosync start
service pacemaker start