LDAP policies
Latest revision as of 00:54, 1 December 2016
How to install LDAP password policies
This page adds the OpenLDAP ppolicy overlay (slapo-ppolicy) with a default password policy to a slapd cluster managed by pacemaker/corosync, then tests it and, if needed, removes it again by restoring a backup.
Requirement
- The LDAP rootdn password (kept in KeePass)
- Down time 1 hour
Stop all LDAP nodes
- Keep users off the service from the start of the maintenance window.
<pre>
service pacemaker stop
service corosync stop
</pre>
Node install
Backup
<pre>
# Init: everything that makes up this node's slapd state: the Debian defaults
# file, the cn=config directory, plus whatever they point at (an old-style
# slapd.conf, olcConfigDir, olcDbDirectory). slapcat -n0 reads cn=config from
# disk, so this works while slapd is stopped, and the data directory is only
# consistent to copy while it is.
MySourceList="/etc/default/slapd\n/etc/ldap/slapd.d/"
MyFilter=$(MyPatern='^SLAPD_CONF=(\/.*)$'
cat /etc/default/slapd |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyFilter=$(MyPatern='^olcConfigDir: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
[ ! -z "$MyFilter" ] &&MySourceList+="\n${MyFilter}"
MyRefDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyBackup=~/ldap.backup."$(hostname -f)"."${MyRefDate}".tar.gz
# Action: tar reads the list from stdin (-T -) and archives directories
# recursively. The archive holds olcRootPW and every user's password hash,
# so keep it readable by root only (umask 077 before running this).
echo -e $MySourceList |tar czvf "${MyBackup}" -T -
</pre>
Check backup
<pre>
ls -l "${MyBackup}"
</pre>
Start LDAP (this node only)
<pre>
service corosync start
service pacemaker start
</pre>
Install
<pre>
# Init: backend database, suffix and rootDN of the data database, read from
# cn=config (slapcat -n0). Requiring a dc= suffix skips the {0}config
# database, whose olcRootDN is cn=admin,cn=config on Debian; any number of
# dc= components is accepted.
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcDatabase="$MyFilter"        # e.g. {1}mdb
MyFilter=$(MyPatern='^olcSuffix: (dc=.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyFilter=$(MyPatern='^olcRootDN: (.*,dc=.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
#==== [OpenLDAP] Add schema ====
# OpenLDAP 2.4. On 2.5 and later the overlay carries its schema internally
# and this file is not shipped: skip this step there.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
#==== [OpenLDAP] Enable ====
# Load the module, then attach the overlay to the data database. The two LDIF
# records must be separated by a blank line; ldapadd honours the changetype
# of the first record and adds the second. The policy DN named in
# olcPPolicyDefault is created in the next step. A private temp file replaces
# the predictable /tmp/$$.ldif, which anyone could pre-create or symlink.
MyLdif=$(mktemp)
cat <<EOT >"$MyLdif"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$MyLdif"
#==== Define policies ====
# pwdPolicy is auxiliary, so the entry borrows "device" as its structural
# class. Times are seconds: pwdMaxAge 7776000 = 90 days, pwdExpireWarning
# 1814400 = 21 days, pwdLockoutDuration 600 = 10 minutes. pwdCheckQuality 1
# without a check module only enforces pwdMinLength. pwdFailureCountInterval 0
# means failed binds are only cleared by a successful bind. pwdMustChange TRUE
# means that after an administrator reset the user may do nothing but change
# the password.
cat <<EOT >"$MyLdif"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here

dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN}" -W -f "$MyLdif"
rm -f "$MyLdif"
</pre>
- Enter the LDAP rootdn password when prompted.
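The Init step above pulls the suffix and rootDN out of slapcat -n0 with sed patterns and head -1, which silently returns the wrong record (or nothing) when a value is folded over two lines or the {0}config database is listed first. The helper below is an added example, not the page's own code: it unfolds LDIF continuation lines and takes the values from the first real backend record, skipping {0}config and {-1}frontend. The slapcat output it is run against is a constructed sample, not captured from a host, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not the wiki page's own code: read the data database's
# olcDatabase / olcSuffix / olcRootDN from `slapcat -n0` output.
# It unfolds LDIF continuation lines (slapcat wraps long values) and takes
# the first backend record that is neither {0}config nor {-1}frontend, so a
# suffix with any number of dc= components and a rootDN that is not cn=...
# still work. Limitation: base64-encoded values (attr:: ...) are not decoded.

# Join LDIF continuation lines: a line starting with one space continues the
# previous line. Blank record separators are preserved.
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (n++) print buf; buf = $0 }
        END   { if (n) print buf }
    '
}

# slapd_data_db_attr ATTR: print ATTR from the first real backend database
# record ({1}mdb, {1}hdb, ...) of slapcat -n0 output read on stdin.
slapd_data_db_attr() {
    ldif_unfold | awk -v attr="$1" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF record per awk record
        {
            db = ""; val = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "olcDatabase: ") == 1) db = substr($i, 14)
                if (index($i, attr ": ") == 1)       val = substr($i, length(attr) + 3)
            }
            if (!found && db ~ /^[{][0-9]+[}]/ && db !~ /config$/ && db !~ /frontend$/) {
                found = 1
                out = (attr == "olcDatabase") ? db : val
                print out
            }
        }
    '
}

# Constructed sample of `slapcat -n0` output (not captured from a real host):
# note the {0}config rootDN that a naive `grep olcRootDN | head -1` would
# return, the three-component suffix, and the folded olcRootDN line.
SAMPLE_SLAPCAT='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=co,dc=uk
olcRootDN: cn=admin,dc=example,dc=co,dc=u
 k
'

sample_database() { printf '%s' "$SAMPLE_SLAPCAT" | slapd_data_db_attr olcDatabase; }
sample_suffix()   { printf '%s' "$SAMPLE_SLAPCAT" | slapd_data_db_attr olcSuffix; }
sample_rootdn()   { printf '%s' "$SAMPLE_SLAPCAT" | slapd_data_db_attr olcRootDN; }

# On a real node these replace the three sed|head pipelines of the Init step:
#   MyolcDatabase=$(slapcat -n0 | slapd_data_db_attr olcDatabase)
#   MyolcSuffix=$(slapcat -n0 | slapd_data_db_attr olcSuffix)
#   MyolcRootDN=$(slapcat -n0 | slapd_data_db_attr olcRootDN)
```

Against the sample, sample_database prints {1}mdb, sample_suffix prints dc=example,dc=co,dc=uk and sample_rootdn prints the unfolded cn=admin,dc=example,dc=co,dc=uk, not the cn=config rootDN that appears first in the file.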
Stop LDAP (this node only)
<pre>
service pacemaker stop
service corosync stop
</pre>
Start all LDAP nodes
- Keep users off the service until the end of the maintenance window.
<pre>
service corosync start
service pacemaker start
</pre>
Test
Requirement
- A test user account; its login is read into MyUser:
<pre>
# Enter user login
read MyUser
</pre>
How to create a test user (example)
- Take a backup first (Backup step above).
<pre>
# Adds ou=users and the user entry. MyolcSuffix and MyolcRootDN come from the
# Init test step below. The two LDIF records must be separated by a blank
# line. If ou=users already exists, ldapadd stops at that first error: add -c
# so the user entry is still added. A private temp file replaces the
# predictable /tmp/$$.ldif.
MyLdif=$(mktemp)
cat <<EOT >"$MyLdif"
dn: ou=users,${MyolcSuffix}
description: My Organization users come here
objectclass: top
objectclass: organizationalUnit
ou: users

dn: uid=${MyUser},ou=users,${MyolcSuffix}
cn: ${MyUser}
sn: ${MyUser}SN
uid: ${MyUser}
ou: users
objectClass: organizationalPerson
objectClass: inetOrgPerson
EOT
ldapadd -D "${MyolcRootDN}" -W -f "$MyLdif"
rm -f "$MyLdif"
</pre>
Init test
<pre>
# Init: suffix and rootDN as in the Install step (any number of dc=
# components; the dc= requirement skips the {0}config database), then the DN
# of the test user, searched under ou=users so an existing account whose RDN
# is not uid= is found too.
MyFilter=$(MyPatern='^olcSuffix: (dc=.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyFilter=$(MyPatern='^olcRootDN: (.*,dc=.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
MyFilter=$(MyPatern='^dn: ([^=]*=[^,]*'"${MyUser}"'[^,]*,ou=users,'"${MyolcSuffix}"')$'
slapcat -b "$MyolcSuffix" |\
sed -rn "s/$MyPatern/\1/p" |head -1) ;echo "$MyFilter"
MyUserDN="$MyFilter"
# Reset the test user's password as rootdn. With pwdMustChange TRUE this sets
# pwdReset, so the user can do nothing but change it. "mypasswd" is a
# throw-away test value; -s puts it on the command line, visible in ps, so
# use -S to be prompted for anything that matters.
ldappasswd -D "${MyolcRootDN}" -W "${MyUserDN}" -s mypasswd
</pre>
- Enter the LDAP rootdn password when prompted.
Start checking
- Try several new passwords as the user and check which ones the policy refuses: shorter than pwdMinLength (8), or equal to the current password or one of the last pwdInHistory (4) old ones. Five wrong binds in a row lock the account for pwdLockoutDuration (600 s).
<pre>
ldappasswd -x -H ldap://localhost -D "${MyUserDN}" -w mypasswd -s <mypasswdnew>
</pre>
- Keep users off the service until the checks are finished.
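"Test many passwords" does not say what the server should answer. The script below is an added example, not the page's own code: it predicts the verdict offline from the policy values defined on this page (pwdMinLength 8, pwdInHistory 4, pwdMaxFailure 5, pwdFailureCountInterval 0) and, when RUN_LIVE=1 is set on a host where the policy is installed, drives ldappasswd and ldapwhoami against the server, compares the two, then triggers the lockout and clears it as rootdn. LDAP_URI, RUN_LIVE, the candidate passwords and the function names are the example's own assumptions; MyUserDN and MyolcRootDN are expected to be exported from the Init test step, and passwords are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example (not from the wiki page): exercise the installed policy and
# compare the server's verdicts with what the policy values on this page
# predict. The predictor runs offline; the live driver needs a host where the
# policy is installed and MyUserDN / MyolcRootDN exported from "Init test".
LDAP_URI="${LDAP_URI:-ldap://localhost}"   # assumed, as on this page
PWD_MIN_LENGTH=8      # pwdMinLength
PWD_IN_HISTORY=4      # pwdInHistory
PWD_MAX_FAILURE=5     # pwdMaxFailure

# predict_change CURRENT NEW [OLD...] (OLD oldest first): ok | too-short | in-history
# pwdCheckQuality 1 with no check module only enforces pwdMinLength, and the
# overlay refuses the current password plus the last pwdInHistory old ones.
predict_change() {
    pc_current="$1"; pc_new="$2"; shift 2
    if [ "${#pc_new}" -lt "$PWD_MIN_LENGTH" ]; then echo too-short; return; fi
    if [ "$pc_new" = "$pc_current" ]; then echo in-history; return; fi
    pc_kept=$(printf '%s\n' "$@" | tail -n "$PWD_IN_HISTORY")   # pwdHistory is trimmed
    for pc_old in $pc_kept; do
        if [ "$pc_new" = "$pc_old" ]; then echo in-history; return; fi
    done
    echo ok
}

# predict_sequence CURRENT CANDIDATE...: one "candidate verdict" line per attempt,
# tracking the current password and history exactly as a successful change would.
predict_sequence() {
    ps_current="$1"; shift
    ps_history=""
    for ps_cand in "$@"; do
        ps_verdict=$(predict_change "$ps_current" "$ps_cand" $ps_history)
        echo "$ps_cand $ps_verdict"
        if [ "$ps_verdict" = ok ]; then
            ps_history="$ps_history $ps_current"; ps_current="$ps_cand"
        fi
    done
}

# live_change DN OLD NEW: the same verdicts, but from slapd (ldappasswd as the user)
live_change() {
    lc_out=$(ldappasswd -x -H "$LDAP_URI" -D "$1" -w "$2" -s "$3" 2>&1) && { echo ok; return; }
    case "$lc_out" in
        *quality*) echo too-short ;;     # "Password fails quality checking policy"
        *history*) echo in-history ;;    # "Password is in history of old passwords"
        *)         echo "other: $lc_out" ;;
    esac
}

# live_lockout DN GOODPW ROOTDN: pwdMaxFailure wrong binds lock the account
# (pwdFailureCountInterval 0: only a successful bind clears the count); the
# admin then deletes pwdAccountLockedTime instead of waiting pwdLockoutDuration.
live_lockout() {
    ll_i=0
    while [ "$ll_i" -lt "$PWD_MAX_FAILURE" ]; do
        ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "wrong-$ll_i" >/dev/null 2>&1
        ll_i=$((ll_i + 1))
    done
    echo "correct password while locked (expect Invalid credentials, Account locked):"
    ldapwhoami -x -H "$LDAP_URI" -e ppolicy -D "$1" -w "$2" 2>&1 || true
    ldapsearch -x -H "$LDAP_URI" -D "$3" -W -b "$1" -s base pwdAccountLockedTime pwdFailureTime
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1" |
        ldapmodify -x -H "$LDAP_URI" -D "$3" -W
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2"   # works again once unlocked
}

run_live() {
    rl_dn="${MyUserDN:?export MyUserDN from the Init test step}"
    rl_root="${MyolcRootDN:?export MyolcRootDN from the Init test step}"
    rl_current=mypasswd   # the throw-away value set by the admin reset on this page
    rl_history=""
    for rl_cand in short1 mypasswd Passw0rd-1 Passw0rd-2 Passw0rd-3 Passw0rd-4 mypasswd Passw0rd-5 mypasswd; do
        rl_want=$(predict_change "$rl_current" "$rl_cand" $rl_history)
        rl_got=$(live_change "$rl_dn" "$rl_current" "$rl_cand")
        printf '%-12s expected=%-10s got=%s\n' "$rl_cand" "$rl_want" "$rl_got"
        if [ "$rl_got" = ok ]; then rl_history="$rl_history $rl_current"; rl_current="$rl_cand"; fi
    done
    live_lockout "$rl_dn" "$rl_current" "$rl_root"
}

# Only the live driver needs a server:  RUN_LIVE=1 ./ppolicy-check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then run_live; fi
```

The candidate list is chosen so that "mypasswd" is refused while it is the current password or one of the last four old ones, and accepted again after the fifth change has pushed it out of pwdHistory; the live run prints expected and actual side by side, so a mismatch points at a policy that is not attached to the database or a different pwdInHistory than the page sets. The final whoami succeeding after the ldapmodify confirms that deleting pwdAccountLockedTime is enough to unlock without waiting out pwdLockoutDuration.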
Node uninstall
Requirement
- Down time 1/2 hour
- The backup file to restore (MyBackup was set by the Backup step; pick another archive if needed):
<pre>
ls -lrt ~/ldap.backup.*.tar.gz |tail
echo "Default backup : MyBackup=$MyBackup"
# Change if necessary
</pre>
Stop all LDAP nodes
- Keep users off the service from the start of the maintenance window.
<pre>
service pacemaker stop
service corosync stop
</pre>
Restore
<pre>
# Run with slapd stopped. Member names in the archive are relative to / (tar
# strips the leading slash on create), so work from there. First pack the
# files currently present under the archived paths into an undo archive, then
# delete them (this also removes files created since the backup, such as the
# overlay's olcOverlay={0}ppolicy.ldif) and extract the backup. Paths with
# whitespace would break the unquoted $(tar -ztf ...) expansion.
cd / &&\
find $(tar -ztf "${MyBackup}") -type f |cpio -ov --format=ustar |gzip >~/ldap.tmp.tar.gz &&\
(find $(tar -ztf "${MyBackup}") -type f -delete
tar xzvf "${MyBackup}") &&\
mv ~/ldap.tmp.tar.gz ~/ldap.undo.tar.gz &&\
cd - &&\
MyBackup=~/ldap.undo.tar.gz
</pre>
- To undo, run the block above once more: MyBackup now names the undo archive, so the two states swap.
Start all LDAP nodes
- Keep users off the service until the end of the maintenance window.
<pre>
service corosync start
service pacemaker start
</pre>