LDAP policies: Difference between revisions

No edit summary
No edit summary
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
#!/bin/sh
How install LDAP password policies?


How install LDAP password policies?
== Requirement ==
* To have the Ldap password (Keepass!)
* Down time 1 hour


== Install node ==
== Stop all LDAP nodes ==
=== Stop all LDAP nodes ===
* Prevent users from beginning of maintenance.
  service pacemaker stop
  service pacemaker stop
  service corosync stop
  service corosync stop


=== Start the node ===
== Node install ==
service corosync start
=== Backup ===
service pacemaker start
 
=== Define ===
<pre>
<pre>
MyFilter=$(MyPatern='^olcDatabase= (\{[0-9]+\}.db)$'
# Init
slapcat -n 0 |\
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcDatabase="${MyFilter}"


MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"


MyFilter=$(MyPatern='^olcRootDN: (.*)$'
MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"


MyFilter=$(MyPatern='^olcSuffix: (.*)$'
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
</pre>


=== Backup process ===
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
==== Backup config ====
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
slapcat -n 0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz


==== ReadOnly ====
# Action
<pre>
echo -e $MySourceList |tar czvf "${MyBackup}" -T -
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>
</pre>


==== Backup db ====
=== Check backup ===
  slapcat -b $MyolcSuffix |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz
  ls -l "${MyBackup}"


==== Enable write ====
=== Start LDAP ===
service corosync start
service pacemaker start
 
=== Install ===
<pre>
<pre>
cat <<EOT >/tmp/$$.ldif
# Init
dn: olcDatabase=${MyolcDatabase},cn=config
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
changetype: modify
slapcat -n0 |\
replace: olcReadonly
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
olcReadonly: FALSE
MyolcDatabase="$MyFilter"
EOT
 
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
</pre>
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"


=== Add password policy schema ===
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"


=== Add directory policies ===
#==== [OpenLDAP] Add schema ====
<pre>
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>


==== Load password policy module ====
#==== [OpenLDAP] Enable ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
dn: cn=module{0},cn=config
Line 83: Line 72:
add: olcModuleLoad
add: olcModuleLoad
olcModuleLoad: ppolicy
olcModuleLoad: ppolicy
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>


==== Overlay password policy ====
<pre>
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcOverlayConfig
Line 96: Line 79:
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>


==== Define password policy ====
#==== Define policies ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
cn: MyOrgPPolicy
Line 108: Line 95:
objectClass: top
objectClass: top
pwdAttribute: userPassword
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdInHistory: 4
pwdCheckQuality: 1
pwdCheckQuality: 1
pwdMinLength: 9
pwdMinLength: 8
pwdMaxFailure: 4
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdLockoutDuration: 600
Line 124: Line 111:
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>
</pre>
* Enter the Ldap password
=== Stop LDAP ===
service pacemaker stop
service corosync stop
== Start all LDAP nodes ==
* Prevent users from ending of maintenance.
service corosync start
service pacemaker start


== Test ==
== Test ==
=== Requirement ===
* To have user user test
# Enter user login
read MyUser
==== How create test user example ====
* Create backup before
<pre>
<pre>
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
cat <<EOT >/tmp/$$.ldif
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users
 
dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>
 
=== Init test ===
<pre>
# Init
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
 
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUser="$MyFilter"
MyUserDN="$MyFilter"
 
# Reset user password
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
</pre>
</pre>


ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
* Enter the Ldap password
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura


== Rollback ==
=== Start checking ===
=== Define ===
* Test many passwords :
  ls -lrt ~/ldap.*.gz |tail
  ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s <mypasswdnew>


MyRollbackDate=""
* Prevent users from ending of maintenance.
MyRollbackHostname=""
MyLDAPUser='openldap' #redhat: ldap
MyConfigDir='/etc/ldap/slapd.d/' #redhat: /etc/openldap/slapd.d/


MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
== Node uninstall ==
=== [Stop LDAP] ===
=== Requirement ===
=== Restore config ===
* Down time 1/2 hour
* Backup file
<pre>
<pre>
MyRollback=~/ldap.config."${MyRollbackHostname}"."${MyDate}".gz
ls -lrt ~/ldap.backup.*.tar.gz |tail
MyBaseNumber=0
MyBaseDir="$MyConfigDir"


zcat $MyRollback >/tmp/$$.ldif &&\
echo "Default backup : MyBackup=$MyBackup"
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
 
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
# Change if necessary
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
</pre>
</pre>


=== Restore db ===
=== Stop all LDAP nodes ===
* Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop
 
=== Restore ===
<pre>
<pre>
MyRollback=~/ldap.db."${MyRollbackHostname}"."${MyDate}".gz
cd / &&\
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -type f -delete
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
MyBackup=~/ldap.undo.tar.gz
</pre>


MyFilter=$(MyPatern='^olcDatabase= \{([0-9]+)\}.db$'
* To undo execute the block before one more time
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseNumber="${MyFilter}"


MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
=== Start all LDAP nodes ===
slapcat -n 0 |\
* Prevent users from ending of maintenance.
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
service corosync start
MyBaseDir="${MyFilter}"
service pacemaker start
 
zcat $MyRollback >/tmp/$$.ldif &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
</pre>


=== [Start LDAP] ===
== Ref ==
=== [Enable write] ===
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
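Review bot: In the restore chain near the end of the last hunk (`cd / &&\` followed by `find $(tar -ztf "${MyBackup}") -type f -delete`), an unset or empty MyBackup, or a tar that fails on the archive, makes the command substitution expand to nothing, and GNU find then defaults its start point to the current directory, which is `/` at that moment, so every regular file on the host would be deleted; because the page never sets `-e`, the failing tar does not stop the chain. I would capture the listing once and refuse to go on when it is empty, e.g. `MyList=$(tar -ztf "${MyBackup:?}") && [ -n "$MyList" ] &&\` placed before `cd / &&\`, and use `$MyList` in both find calls. The same hunk (and the first one) writes every LDIF to the predictable `/tmp/$$.ldif` before applying it with `ldapadd -Y EXTERNAL`; a `mktemp` file avoids another local user pre-creating or symlinking that path between the write and the apply. Which of these lines sit on the new side is inferred from the rendered revision shown below the diff.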

Latest revision as of 01:54, 1 December 2016

How to install LDAP password policies?

Requirement

  • Have the LDAP password at hand (KeePass!)
  • Down time 1 hour

Stop all LDAP nodes

  • Warn users that maintenance is beginning.
# Stop the cluster stack in the order the page uses: pacemaker, then corosync.
for MySvc in pacemaker corosync; do
  service "${MySvc}" stop
done

Node install

Backup

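# Init: build the list of paths to back up. Entries are separated by a
# literal "\n" that is expanded with printf '%b' just before tar reads it.
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"

# Print the first stdin line matching the sed -r pattern in $1, reduced to
# its first capture group; prints nothing when nothing matches.
first_capture() {
  sed -rn "s/$1/\1/p" |head -1
}

# Append $1 to MySourceList, skipping empty lookups (POSIX-safe; the
# original `+=` is a bash-only operator).
add_source() {
  if [ -n "$1" ]; then
    MySourceList="${MySourceList}\n$1"
  fi
}

# Optional slapd.conf; the pattern only matches an unquoted absolute value
# (SLAPD_CONF=/path), a quoted one is not picked up.
MyFilter=$(first_capture '^SLAPD_CONF=(\/.*)$' </etc/default/slapd) ;echo "$MyFilter"
add_source "$MyFilter"

# cn=config directory and database directory, read from the running config.
MyFilter=$(slapcat -n0 |first_capture '^olcConfigDir: (\/.*)$') ;echo "$MyFilter"
add_source "$MyFilter"

MyFilter=$(slapcat -n0 |first_capture '^olcDbDirectory: (\/.*)$') ;echo "$MyFilter"
add_source "$MyFilter"

MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz

# Action: %b expands the "\n" separators (portable stand-in for echo -e) and
# the quoted variable keeps the list intact if a path contains glob characters.
printf '%b\n' "$MySourceList" |tar czvf "${MyBackup}" -T -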

Check backup

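# Show the archive and its size so a missing or empty backup is noticed
# before the service is restarted; `--` protects against odd path names.
ls -l -- "${MyBackup}"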

Start LDAP

# Bring the cluster stack back in the order the page uses: corosync, then pacemaker.
for MySvc in corosync pacemaker; do
  service "${MySvc}" start
done

Install

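# Init: read the database name, suffix and root DN from the live cn=config
# so the LDIF written below does not hard-code them. Each value is echoed so
# the operator can eyeball it before it is used.

# Print the first stdin line matching the sed -r pattern in $1, reduced to
# its first capture group; prints nothing when nothing matches.
first_capture() {
  sed -rn "s/$1/\1/p" |head -1
}

# Database entry name of the form {N}?db (e.g. the mdb/hdb backends).
MyFilter=$(slapcat -n0 |first_capture '^olcDatabase: (\{[0-9]+\}.db)$') ;echo "$MyFilter"
MyolcDatabase="$MyFilter"

# Suffix; the pattern only accepts exactly two dc= components.
MyFilter=$(slapcat -n0 |first_capture '^olcSuffix: (dc=[^,]*,dc=[^,]*)$') ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

# Root DN (cn=...,dc=...,dc=...); quoted so a DN containing spaces or glob
# characters is printed unchanged.
MyFilter=$(slapcat -n0 |first_capture '^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$') ;echo "$MyFilter"
MyolcRootDN="$MyFilter"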

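#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

#==== [OpenLDAP] Enable ====
# Load the ppolicy module and attach the overlay to the database found in
# the Init step. The LDIF goes to a private mktemp file instead of the
# predictable /tmp/$$.ldif, which another local user could pre-create or
# symlink before it is applied with the root EXTERNAL identity.
MyLdif=$(mktemp) &&
cat <<EOT >"${MyLdif}"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
rm -f -- "${MyLdif}"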

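#==== Define policies ====
# Create ou=Policies and the default policy entry named by olcPPolicyDefault
# above. Durations are seconds: pwdMaxAge 7776000 = 90 days,
# pwdExpireWarning 1814400 = 21 days, pwdLockoutDuration 600 = 10 minutes.
# pwdGraceAuthNLimit 0 allows no binds once the password has expired;
# "device" supplies the structural class the auxiliary pwdPolicy needs.
# Private mktemp file instead of the predictable /tmp/$$.ldif (another local
# user could pre-create or symlink that name before ldapadd reads it).
MyLdif=$(mktemp) &&
cat <<EOT >"${MyLdif}"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
# -W prompts for the root DN password rather than taking it on the command line.
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"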
  • Enter the LDAP password

Stop LDAP

# Stop the cluster stack in the order the page uses: pacemaker, then corosync.
for MySvc in pacemaker corosync; do
  service "${MySvc}" stop
done

Start all LDAP nodes

  • Warn users that maintenance is over.
# Bring the cluster stack back in the order the page uses: corosync, then pacemaker.
for MySvc in corosync pacemaker; do
  service "${MySvc}" start
done

Test

Requirement

  • Have a test user available.
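# Enter user login
# -r keeps backslashes in the typed login literal; the value is spliced
# verbatim into the DN and attributes of the test user below.
read -r MyUser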

Example: how to create a test user

  • Create a backup first.
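# Create ou=users and a minimal inetOrgPerson for the login read above.
# ldapadd stops at the first error, so if ou=users already exists the user
# entry is not added (ldapadd -c would continue past that). The LDIF goes to
# a private mktemp file instead of the predictable /tmp/$$.ldif.
MyLdif=$(mktemp) &&
cat <<EOT >"${MyLdif}"
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"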

Init test

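# Init: re-read the suffix and root DN, then locate the test user's DN.

# Print the first stdin line matching the sed -r pattern in $1, reduced to
# its first capture group; prints nothing when nothing matches.
first_capture() {
  sed -rn "s/$1/\1/p" |head -1
}

# Escape $1 so it matches itself literally inside the sed -r pattern built
# below (ERE metacharacters, backslash and the "/" delimiter).
ere_escape() {
  printf '%s' "$1" |sed 's#[][\\/.^$*+?(){}|]#\\&#g'
}

MyFilter=$(slapcat -n0 |first_capture '^olcSuffix: (dc=[^,]*,dc=[^,]*)$') ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(slapcat -n0 |first_capture '^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$') ;echo "$MyFilter"
MyolcRootDN="$MyFilter"

# MyUser was typed by the operator, so it is escaped instead of being spliced
# into the regex as-is; the suffix is quoted in case it contains spaces.
MyFilter=$(slapcat -b "${MyolcSuffix}" |first_capture '^dn: ([^=]*=[^,]*'"$(ere_escape "${MyUser}")"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$') ;echo "$MyFilter"
MyUserDN="$MyFilter"

# Reset user password
# The new password is a fixed test value and is visible in ps/shell history;
# -W still prompts for the root DN password.
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd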
  • Enter the LDAP password

Start checking

  • Test several passwords:
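# Change the test user's own password with a simple bind on the local
# listener. -S prompts for the new password instead of passing it on the
# command line (the original "<mypasswdnew>" placeholder was also parsed
# by the shell as a redirection); the bind password stays the fixed test value.
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -S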
  • Warn users that maintenance is over.

Node uninstall

Requirement

  • Down time 1/2 hour
  • Backup file
# List the backup archives oldest first; the last line is the newest one.
ls -lrt ~/ldap.backup.*.tar.gz |tail

# Show which archive the restore below will use.
printf '%s\n' "Default backup : MyBackup=$MyBackup"

# Set MyBackup to another archive here if a different one is wanted.

Stop all LDAP nodes

  • Warn users that maintenance is beginning.
# Stop the cluster stack in the order the page uses: pacemaker, then corosync.
for MySvc in pacemaker corosync; do
  service "${MySvc}" stop
done

Restore

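# Restore the paths recorded in ${MyBackup}. The files currently on disk are
# archived to ~/ldap.undo.tar.gz first, so running this block again with
# MyBackup pointing at the undo archive reverts the restore.
#
# The listing is materialised and checked before anything is deleted: with
# an unset MyBackup or a failing tar, the original
# `find $(tar -ztf ...) -type f -delete` ran from "/" with no start path,
# which GNU find takes as "." — every regular file on the host.

# Print the regular files currently present under each entry of the
# listing file $1 (entries are relative to "/", one per line).
ldap_listed_files() {
  while IFS= read -r MyEntry; do
    if [ -e "${MyEntry}" ]; then
      find "${MyEntry}" -type f
    fi
  done <"$1"
}

: "${MyBackup:?MyBackup must name the archive to restore}" &&\
MyRestoreList=$(mktemp) &&\
tar -ztf "${MyBackup}" >"${MyRestoreList}" &&\
[ -s "${MyRestoreList}" ] &&\
cd / &&\
ldap_listed_files "${MyRestoreList}" |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(ldap_listed_files "${MyRestoreList}" |while IFS= read -r MyFile; do rm -f -- "${MyFile}"; done
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
rm -f -- "${MyRestoreList}" &&\
MyBackup=~/ldap.undo.tar.gz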
  • To undo, run the block above once more.

Start all LDAP nodes

  • Warn users that maintenance is over.
# Bring the cluster stack back in the order the page uses: corosync, then pacemaker.
for MySvc in corosync pacemaker; do
  service "${MySvc}" start
done

Ref

  1. Ref : http://infocepo.com/wiki/index.php/LDAP_policies
  2. Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M