LDAP policies: Difference between revisions

From Essential
Jump to navigation Jump to search
No edit summary
No edit summary
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
How install LDAP password policies?
How install LDAP password policies?


== Node install ==
== Requirement ==
=== Stop all LDAP nodes ===
* To have the Ldap password (Keepass!)
* Down time 1 hour
 
== Stop all LDAP nodes ==
* Prevent users from beginning of maintenance.
  service pacemaker stop
  service pacemaker stop
  service corosync stop
  service corosync stop


=== Start the node ===
== Node install ==
service corosync start
service pacemaker start
 
=== Backup ===
=== Backup ===
<pre>
<pre>
#==== Init ====
# Init
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"


MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
 
MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
 
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="${MyFilter}"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"


#==== Backup config ====
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
slapcat -n0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz


#==== ReadOnly ====
# Action
cat <<EOT >/tmp/$$.ldif
echo -e $MySourceList |tar czvf "${MyBackup}" -T -
dn: olcDatabase=${MyolcDatabase},cn=config
</pre>
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif


#==== Backup db ====
=== Check backup ===
slapcat |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz
ls -l "${MyBackup}"


#==== Enable write ====
=== Start LDAP ===
cat <<EOT >/tmp/$$.ldif
service corosync start
dn: olcDatabase=${MyolcDatabase},cn=config
service pacemaker start
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>


=== Install ===
=== Install ===
<pre>
<pre>
#==== Init ====
# Init
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="${MyFilter}"
MyolcDatabase="$MyFilter"
 
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^olcSuffix: (.*)$'
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyolcSuffix="$MyFilter"


#==== Add password policy schema ====
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapadd -n0 -l /etc/ldap/schema/ppolicy.ldif
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"


#==== Add directory policies ====
#==== [OpenLDAP] Add schema ====
cat <<EOT >/tmp/$$.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif


#==== Load password policy module ====
#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
dn: cn=module{0},cn=config
Line 82: Line 72:
add: olcModuleLoad
add: olcModuleLoad
olcModuleLoad: ppolicy
olcModuleLoad: ppolicy
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif


#==== Overlay password policy ====
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcOverlayConfig
Line 93: Line 79:
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
EOT
slapadd -n0 -l /tmp/$$.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f  /tmp/$$.ldif


#==== Define password policy entry ====
#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
cn: MyOrgPPolicy
Line 103: Line 95:
objectClass: top
objectClass: top
pwdAttribute: userPassword
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdInHistory: 4
pwdCheckQuality: 1
pwdCheckQuality: 1
pwdMinLength: 9
pwdMinLength: 8
pwdMaxFailure: 4
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdLockoutDuration: 600
Line 117: Line 109:
pwdSafeModify: FALSE
pwdSafeModify: FALSE
EOT
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>
</pre>
* Enter the Ldap password
=== Stop LDAP ===
service pacemaker stop
service corosync stop
== Start all LDAP nodes ==
* Prevent users from ending of maintenance.
service corosync start
service pacemaker start


== Test ==
== Test ==
=== Requirement ===
* To have user user test
# Enter user login
read MyUser
==== How create test user example ====
* Create backup before
<pre>
<pre>
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
cat <<EOT >/tmp/$$.ldif
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users
 
dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
</pre>
 
=== Init test ===
<pre>
# Init
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
 
MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUser="$MyFilter"
MyUserDN="$MyFilter"
 
# Reset user password
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
</pre>
</pre>


ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
* Enter the Ldap password
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura


== Rollback node ==
=== Start checking ===
  ls -lrt ~/ldap.*.gz |tail
* Test many passwords :
  ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s <mypasswdnew>


* Enter date :
* Prevent users from ending of maintenance.
MyRollbackDate=""


* Select distribution :
== Node uninstall ==
=== Requirement ===
* Down time 1/2 hour
* Backup file
<pre>
<pre>
#=== Init ===
ls -lrt ~/ldap.backup.*.tar.gz |tail
# redhat
 
MyLDAPUser='ldap'
echo "Default backup : MyBackup=$MyBackup"
MyConfigDir='/etc/openldap/slapd.d/'
 
# ubuntu
# Change if necessary
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
</pre>
</pre>
=== [Stop LDAP] ===
 
=== Stop all LDAP nodes ===
* Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop
 
=== Restore ===
=== Restore ===
<pre>
<pre>
#=== Restore config ===
cd / &&\
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
MyBaseNumber=0
(find $(tar -ztf "${MyBackup}") -type f -delete
MyBaseDir="$MyConfigDir"
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
MyBackup=~/ldap.undo.tar.gz
</pre>


zcat $MyRollback >/tmp/$$.ldif &&\
* To undo execute the block before one more time
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"


#=== Restore db ===
=== Start all LDAP nodes ===
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz
* Prevent users from ending of maintenance.
service corosync start
service pacemaker start


MyFilter=$(MyPatern='^olcSuffix: (.*)$'
== Ref ==
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"
 
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseDir="${MyFilter}"
 
zcat $MyRollback >/tmp/$$.ldif &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
</pre>
=== [Start LDAP] ===
=== [Enable write] ===
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M

Latest revision as of 00:54, 1 December 2016

How install LDAP password policies?

Requirement

  • To have the Ldap password (Keepass!)
  • Down time 1 hour

Stop all LDAP nodes

  • Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop

Node install

Backup

# Init
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"

MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"

MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz

# Action
echo -e $MySourceList |tar czvf "${MyBackup}" -T -

Check backup

ls -l "${MyBackup}"

Start LDAP

service corosync start
service pacemaker start

Install

# Init
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"

MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"

#==== [OpenLDAP] Add schema ====
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

#==== [OpenLDAP] Enable ====
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f  /tmp/$$.ldif

#==== Define policies ====
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
  • Enter the Ldap password

Stop LDAP

service pacemaker stop
service corosync stop

Start all LDAP nodes

  • Prevent users from ending of maintenance.
service corosync start
service pacemaker start

Test

Requirement

  • To have user user test
# Enter user login
read MyUser

How create test user example

  • Create backup before
cat <<EOT >/tmp/$$.ldif
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif

Init test

# Init
MyFilter=$(MyPatern='^olcSuffix: (dc=[^,]*,dc=[^,]*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcRootDN: (cn=[^,]*,dc=[^,]*,dc=[^,]*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p"|head -1) ;echo $MyFilter
MyolcRootDN="$MyFilter"

MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,dc=[^,]*,dc=[^,]*)$'
slapcat -b $MyolcSuffix |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"

# Reset user password
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
  • Enter the Ldap password

Start checking

  • Test many passwords :
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s <mypasswdnew>
  • Prevent users from ending of maintenance.

Node uninstall

Requirement

  • Down time 1/2 hour
  • Backup file
ls -lrt ~/ldap.backup.*.tar.gz |tail

echo "Default backup : MyBackup=$MyBackup"

# Change if necessary

Stop all LDAP nodes

  • Prevent users from beginning of maintenance.
service pacemaker stop
service corosync stop

Restore

cd / &&\
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -type f -delete
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
MyBackup=~/ldap.undo.tar.gz
  • To undo execute the block before one more time

Start all LDAP nodes

  • Prevent users from ending of maintenance.
service corosync start
service pacemaker start

Ref

  1. Ref : http://infocepo.com/wiki/index.php/LDAP_policies
  2. Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
Retrieved from "https://infocepo.com/wiki/index.php?title=LDAP_policies&oldid=708"