LDAP policies: Difference between revisions

From Essential
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
#!/bin/sh
How install LDAP password policies?
How install LDAP password policies?


== Install node ==
== Node install ==
=== Stop all LDAP nodes ===
=== Stop all LDAP nodes ===
  service pacemaker stop
  service pacemaker stop
Line 12: Line 10:
  service pacemaker start
  service pacemaker start


=== Define ===
=== Backup ===
<pre>
<pre>
MyFilter=$(MyPatern='^olcDatabase= (\{[0-9]+\}.db)$'
#==== Init ====
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcDatabase="${MyFilter}"
 
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"


MyFilter=$(MyPatern='^olcRootDN: (.*)$'
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"
MyolcDatabase="${MyFilter}"
 
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n 0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"
</pre>


=== Backup process ===
#==== Backup config ====
==== Backup config ====
slapcat -n0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz
slapcat -n 0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz


==== ReadOnly ====
#==== ReadOnly ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
dn: olcDatabase=${MyolcDatabase},cn=config
Line 45: Line 31:
EOT
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>


==== Backup db ====
#==== Backup db ====
slapcat -b $MyolcSuffix |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz
slapcat |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz


==== Enable write ====
#==== Enable write ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
dn: olcDatabase=${MyolcDatabase},cn=config
Line 61: Line 45:
</pre>
</pre>


=== Add password policy schema ===
=== Install ===
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
<pre>
#==== Init ====
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcDatabase="${MyFilter}"
 
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"
 
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"
 
#==== Add password policy schema ====
slapadd -n0 -l /etc/ldap/schema/ppolicy.ldif


=== Add directory policies ===
#==== Add directory policies ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
dn: ou=Policies,${MyolcSuffix}
Line 73: Line 74:
description: My Organization policies come here
description: My Organization policies come here
EOT
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
slapadd -b $MyolcSuffix -l /tmp/$$.ldif
</pre>


==== Load password policy module ====
#==== Load password policy module ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
dn: cn=module{0},cn=config
Line 84: Line 83:
olcModuleLoad: ppolicy
olcModuleLoad: ppolicy
EOT
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
</pre>


==== Overlay password policy ====
#==== Overlay password policy ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
Line 96: Line 93:
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif
slapadd -n0 -l /tmp/$$.ldif
</pre>


==== Define password policy ====
#==== Define password policy entry ====
<pre>
cat <<EOT >/tmp/$$.ldif
cat <<EOT >/tmp/$$.ldif
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
Line 122: Line 117:
pwdSafeModify: FALSE
pwdSafeModify: FALSE
EOT
EOT
ldapadd -D "${MyolcRootDN}" -W -f /tmp/$$.ldif
slapadd -b $MyolcSuffix -l /tmp/$$.ldif
</pre>
</pre>


Line 128: Line 123:
<pre>
<pre>
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"
MyolcRootDN="$MyFilter"


MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyUser="$MyFilter"
MyUser="$MyFilter"
Line 141: Line 136:
  ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura
  ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura


== Rollback ==
== Rollback node ==
=== Define ===
  ls -lrt ~/ldap.*.gz |tail
  ls -lrt ~/ldap.*.gz |tail


* Enter date :
  MyRollbackDate=""
  MyRollbackDate=""
MyRollbackHostname=""
MyLDAPUser='openldap' #redhat: ldap
MyConfigDir='/etc/ldap/slapd.d/' #redhat: /etc/openldap/slapd.d/


MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
=== [Stop LDAP] ===
=== Restore config ===
<pre>
<pre>
MyRollback=~/ldap.config."${MyRollbackHostname}"."${MyDate}".gz
#=== Init ===
# redhat
MyLDAPUser='ldap'
MyConfigDir='/etc/openldap/slapd.d/'
# ubuntu
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
 
#=== [Stop LDAP] ===
 
#=== Restore config ===
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
MyBaseNumber=0
MyBaseNumber=0
MyBaseDir="$MyConfigDir"
MyBaseDir="$MyConfigDir"
Line 164: Line 165:
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
chown -R "${MyLDAPUser}": "${MyBaseDir}"
</pre>


=== Restore db ===
#=== Restore db ===
<pre>
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz
MyRollback=~/ldap.db."${MyRollbackHostname}"."${MyDate}".gz


MyFilter=$(MyPatern='^olcDatabase= \{([0-9]+)\}.db$'
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseNumber="${MyFilter}"
MyolcSuffix="$MyFilter"


MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n 0 |\
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseDir="${MyFilter}"
MyBaseDir="${MyFilter}"
Line 184: Line 183:
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
chown -R "${MyLDAPUser}": "${MyBaseDir}"
#=== [Start LDAP] ===
</pre>
</pre>
=== [Start LDAP] ===
=== [Enable write] ===
=== [Enable write] ===
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M

Revision as of 18:05, 20 November 2016

How install LDAP password policies?

Node install

Stop all LDAP nodes

service pacemaker stop
service corosync stop

Start the node

service corosync start
service pacemaker start

Backup

#==== Init ====
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"

MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcDatabase="${MyFilter}"

#==== Backup config ====
slapcat -n0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz

#==== ReadOnly ====
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

#==== Backup db ====
slapcat |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz

#==== Enable write ====
cat <<EOT >/tmp/$$.ldif
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

Install

#==== Init ====
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcDatabase="${MyFilter}"

MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"

MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"

#==== Add password policy schema ====
slapadd -n0 -l /etc/ldap/schema/ppolicy.ldif

#==== Add directory policies ====
cat <<EOT >/tmp/$$.ldif
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif

#==== Load password policy module ====
cat <<EOT >/tmp/$$.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/$$.ldif

#==== Overlay password policy ====
cat <<EOT >/tmp/$$.ldif
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
slapadd -n0 -l /tmp/$$.ldif

#==== Define password policy entry ====
cat <<EOT >/tmp/$$.ldif
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
slapadd -b $MyolcSuffix -l /tmp/$$.ldif

Test

MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcRootDN="$MyFilter"

MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyUser="$MyFilter"

ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura

Rollback node

ls -lrt ~/ldap.*.gz |tail
  • Enter date :
MyRollbackDate=""

#=== Init ===
# redhat
MyLDAPUser='ldap'
MyConfigDir='/etc/openldap/slapd.d/'
# ubuntu
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"

#=== [Stop LDAP] ===

#=== Restore config ===
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
MyBaseNumber=0
MyBaseDir="$MyConfigDir"

zcat $MyRollback >/tmp/$$.ldif &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n ${MyBaseNumber} -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"

#=== Restore db ===
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz

MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyolcSuffix="$MyFilter"

MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo $MyFilter
MyBaseDir="${MyFilter}"

zcat $MyRollback >/tmp/$$.ldif &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
#=== [Start LDAP] ===

[Enable write]

  1. Ref : http://infocepo.com/wiki/index.php/LDAP_policies
  2. Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M
Retrieved from "https://infocepo.com/wiki/index.php?title=LDAP_policies&oldid=689"