LDAP policies: Difference between revisions
No edit summary |
No edit summary |
Line 136: | Line 136: | ||
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura | ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura | ||
== | == Node uninstall == | ||
ls -lrt ~/ldap.*.gz |tail | ls -lrt ~/ldap.*.gz |tail | ||
Revision as of 18:18, 20 November 2016
How to install LDAP password policies?
Node install
Stop all LDAP nodes
# Stop the cluster stack on every LDAP node: pacemaker first, then corosync
# (the reverse of the start sequence used below).
for svc in pacemaker corosync; do
  service "$svc" stop
done
Start the node
# Bring the node back: the messaging layer (corosync) before pacemaker.
for svc in corosync pacemaker; do
  service "$svc" start
done
Backup
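#==== Init ====
# UTC, filesystem-safe timestamp shared by the config and db backup names.
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
# Scratch LDIF for ldapmodify. mktemp gives an unpredictable name; the old
# /tmp/$$.ldif could be pre-created (e.g. as a symlink) by any local user.
MyTmpLdif="$(mktemp)"
: "${MyTmpLdif:?mktemp failed}"
# Name of the data backend in cn=config (the "{N}xxdb" part of olcDatabase).
# sed prints every matching line; check the echoed value is a single name.
MyFilter=$(
  MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
  slapcat -n0 | sed -rn "s/$MyPatern/\1/p"
)
echo "$MyFilter"
MyolcDatabase="${MyFilter}"
: "${MyolcDatabase:?data backend not found in cn=config}"

#==== Backup config ====
slapcat -n0 | gzip >~/ldap.config."$(hostname)"."${MyDate}".gz

# Set olcReadonly on the data backend through the local ldapi socket.
# Globals:   MyolcDatabase, MyTmpLdif (read)
# Arguments: $1 - TRUE or FALSE
set_readonly() {
  cat <<EOT >"$MyTmpLdif"
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: $1
EOT
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$MyTmpLdif"
}

#==== ReadOnly ====
# Block writes for the duration of the db dump.
set_readonly TRUE
#==== Backup db ====
slapcat | gzip >~/ldap.db."$(hostname)"."${MyDate}".gz
#==== Enable write ====
# Not chained with && on purpose: writes are re-enabled even if the dump failed.
set_readonly FALSE
rm -f -- "$MyTmpLdif"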
Install
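#==== Init ====
# NOTE(review): this procedure mixes slapadd (writes the database files
# directly) with ldapmodify over ldapi (needs a running slapd). Check that
# slapd is in the state each step expects before running it.

# Print the value captured by an ERE (one group) from the cn=config dump.
# Every matching line is printed, so if several databases carry the
# attribute the result spans more than one line - check the echoed value.
# Arguments: $1 - sed ERE with one capture group, e.g. '^olcSuffix: (.*)$'
olc_value() {
  slapcat -n0 | sed -rn "s/$1/\1/p"
}
# Scratch LDIF with an unpredictable name instead of /tmp/$$.ldif.
MyTmpLdif="$(mktemp)"
: "${MyTmpLdif:?mktemp failed}"

MyFilter=$(olc_value '^olcDatabase: (\{[0-9]+\}.db)$') ; echo "$MyFilter"
MyolcDatabase="${MyFilter}"
MyFilter=$(olc_value '^olcRootDN: (.*)$') ; echo "$MyFilter"
MyolcRootDN="$MyFilter"
MyFilter=$(olc_value '^olcSuffix: (.*)$') ; echo "$MyFilter"
MyolcSuffix="$MyFilter"
# Every DN below is built from these two; stop here if either is empty.
: "${MyolcSuffix:?olcSuffix not found in cn=config}"
: "${MyolcDatabase:?data backend not found in cn=config}"

#==== Add password policy schema ====
# Debian/Ubuntu path; other distributions keep the schema elsewhere
# (the uninstall section uses /etc/openldap/ for RedHat).
# NOTE(review): slapadd run as root leaves the new config files root-owned;
# the uninstall section chowns to the LDAP user afterwards - likely needed
# here too.
slapadd -n0 -l /etc/ldap/schema/ppolicy.ldif

#==== Add directory policies ====
cat <<EOT >"$MyTmpLdif"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
slapadd -b "$MyolcSuffix" -l "$MyTmpLdif"

#==== Load password policy module ====
cat <<EOT >"$MyTmpLdif"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$MyTmpLdif"

#==== Overlay password policy ====
# Attach the overlay to the data backend and point it at the default policy.
cat <<EOT >"$MyTmpLdif"
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
slapadd -n0 -l "$MyTmpLdif"

#==== Define password policy entry ====
# Durations are seconds: max age 3024000 (35 days), warning 1814400
# (21 days), lockout 600 after 4 failures. pwdCheckQuality 1 checks
# quality where the server can (plaintext) and accepts otherwise.
cat <<EOT >"$MyTmpLdif"
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
slapadd -b "$MyolcSuffix" -l "$MyTmpLdif"
rm -f -- "$MyTmpLdif"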
Test
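# Print the value captured by an ERE (one group) from the cn=config dump.
# Every matching line is printed; check the echoed value before using it.
# Arguments: $1 - sed ERE with one capture group
olc_value() {
  slapcat -n0 | sed -rn "s/$1/\1/p"
}
MyFilter=$(olc_value '^olcRootDN: (.*)$') ; echo "$MyFilter"
MyolcRootDN="$MyFilter"
# DN of the test account. Plain slapcat dumps the data database (as in the
# backup step); -n0 only dumps cn=config, where no user entry lives.
MyFilter=$(
  MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
  slapcat | sed -rn "s/$MyPatern/\1/p"
)
echo "$MyFilter"
MyUser="$MyFilter"
: "${MyolcRootDN:?rootdn not found in cn=config}"
: "${MyUser:?test user not found}"

# 1) set the account's password as rootdn (-W prompts for the rootdn password),
# 2) change it again bound as the user with that password.
# NOTE(review): presumably meant to show the policy at work - "dura" is
# shorter than pwdMinLength: 9, so the second change should be refused; confirm.
# Both passwords are passed on the command line (-w/-s) and show up in the
# process list and shell history; outside a throwaway test account use the
# prompting forms -W/-S instead.
ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura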
Node uninstall
# Backups oldest-first, newest last: pick the timestamp to roll back to here.
ls -lrt -- ~/ldap.*.gz | tail
- Enter date:
# Timestamp part of the backup pair to roll back to, taken from the ls
# output above (the YYYY-MM-DDTHH_MM_SSZ segment of ~/ldap.config.<host>.<timestamp>.gz).
MyRollbackDate=""
- Select distribution:
#=== Init ===
# Distribution-specific values: keep the pair that matches this host.
# RedHat
MyLDAPUser='ldap'
MyConfigDir='/etc/openldap/slapd.d/'
# Ubuntu
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
# UTC timestamp under which the restore step parks the displaced directories.
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
[Stop LDAP]
Restore
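#=== Init ===
# Scratch LDIF with an unpredictable name instead of /tmp/$$.ldif.
MyTmpLdif="$(mktemp)"
: "${MyTmpLdif:?mktemp failed}"
: "${MyLDAPUser:?set MyLDAPUser in the Init step}"
: "${MyRollbackDate:?enter the backup timestamp first}"

# Move a directory out of the way to /tmp/<MyDate>/<its original path> and
# recreate it empty. Stops at the first failing step.
# NOTE: /tmp is cleared at boot on many systems and this displaced copy is
# the only fallback if the restore goes wrong; park it elsewhere if it must
# survive a reboot.
# Globals:   MyDate (read)
# Arguments: $1 - absolute directory path
move_aside() {
  local dir=${1:?directory path required}
  local parent
  parent=$(dirname "$dir") || return
  mkdir -p /tmp/"${MyDate}${parent}" &&
    mv -f -- "$dir" /tmp/"${MyDate}${parent}"/ &&
    mkdir -- "$dir"
}

#=== Restore config ===
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
MyBaseNumber=0
MyBaseDir="$MyConfigDir"
: "${MyBaseDir:?set MyConfigDir in the Init step}"
zcat "$MyRollback" >"$MyTmpLdif" &&
  move_aside "$MyBaseDir" &&
  slapadd -F "${MyBaseDir}" -n "${MyBaseNumber}" -l "$MyTmpLdif" &&
  chown -R "${MyLDAPUser}": "${MyBaseDir}"

#=== Restore db ===
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz
# Suffix and on-disk directory of the data backend, read from the
# just-restored config. sed prints every matching line; check the echo.
MyFilter=$(
  MyPatern='^olcSuffix: (.*)$'
  slapcat -n0 | sed -rn "s/$MyPatern/\1/p"
)
echo "$MyFilter"
MyolcSuffix="$MyFilter"
MyFilter=$(
  MyPatern='^olcDbDirectory: (\/.*)$'
  slapcat -n0 | sed -rn "s/$MyPatern/\1/p"
)
echo "$MyFilter"
MyBaseDir="${MyFilter}"
# Never mv/chown with an empty path.
: "${MyolcSuffix:?olcSuffix not found in cn=config}"
: "${MyBaseDir:?olcDbDirectory not found in cn=config}"
zcat "$MyRollback" >"$MyTmpLdif" &&
  move_aside "$MyBaseDir" &&
  slapadd -b "$MyolcSuffix" -l "$MyTmpLdif" &&
  chown -R "${MyLDAPUser}": "${MyBaseDir}"
rm -f -- "$MyTmpLdif"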