LDAP policies: Difference between revisions
No edit summary |
No edit summary |
| Line 1: | Line 1: | ||
#!/bin/sh | |||
How install LDAP password policies? | How install LDAP password policies? | ||
| Line 142: | Line 144: | ||
MyRollbackDate="" | MyRollbackDate="" | ||
* Select distribution : | |||
<pre> | <pre> | ||
#=== Init === | #=== Init === | ||
| Line 151: | Line 154: | ||
#MyConfigDir='/etc/ldap/slapd.d/' | #MyConfigDir='/etc/ldap/slapd.d/' | ||
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')" | MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')" | ||
</pre> | |||
=== [Stop LDAP] === | |||
=== Restore config === | |||
<pre> | |||
#=== Restore config === | #=== Restore config === | ||
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz | MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz | ||
| Line 185: | Line 189: | ||
slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\ | slapadd -b $MyolcSuffix -l /tmp/$$.ldif &&\ | ||
chown -R "${MyLDAPUser}": "${MyBaseDir}" | chown -R "${MyLDAPUser}": "${MyBaseDir}" | ||
</pre> | </pre> | ||
=== [Start LDAP] === | |||
=== [Enable write] === | === [Enable write] === | ||
# Ref : http://infocepo.com/wiki/index.php/LDAP_policies | # Ref : http://infocepo.com/wiki/index.php/LDAP_policies | ||
# Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M | # Ref : https://www.youtube.com/watch?v=_ZvnNVwWk-M | ||
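Review bot: The restore step `slapadd -b $MyolcSuffix -l /tmp/$$.ldif` reads an LDIF that the procedure first writes to a predictable path in /tmp, and it runs with root privileges (the `chown -R` that follows needs them), so a local user who pre-creates or swaps that file between the write and the read can feed arbitrary entries into the rebuilt database. Create the scratch file with `MyTmpLdif="$(mktemp)" || exit 1` and pass `"$MyTmpLdif"` to slapadd, quoting `"$MyolcSuffix"` at the same time. The `=== [Stop LDAP] ===` and `=== [Start LDAP] ===` headings carry no command; if they are steps, stating that slapadd has to run against a stopped slapd (and which service commands to use on a cluster node) would make the rollback reproducible. Which side of the revision these headings belong to cannot be recovered from this rendering, so this is raised against the page as it now reads.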
Revision as of 18:15, 20 November 2016
#!/bin/sh
How to install LDAP password policies (OpenLDAP ppolicy overlay) on a node, with backup and rollback steps.
Node install
Stop all LDAP nodes
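# Stop the cluster stack on every LDAP node: pacemaker first, then corosync.
# One command per line — written on a single line, "service corosync stop"
# would be passed as extra arguments to `service pacemaker stop`.
service pacemaker stop
service corosync stop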
Start the node
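# Bring the node back: corosync first, then pacemaker (reverse of the stop order).
# One command per line for the same reason as the stop step.
service corosync start
service pacemaker start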
Backup
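#==== Init ====
# Timestamp shared by both backup files; UTC so names sort and compare across hosts.
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"
# Name of the data database entry under cn=config (e.g. "{1}mdb"); the
# unescaped '.' before "db" is what makes the pattern match mdb/hdb/bdb.
# NOTE(review): a server with several data databases yields one line per
# database and the DN built below would be wrong — confirm there is only one.
MyFilter=$(MyPatern='^olcDatabase: (\{[0-9]+\}.db)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo "$MyFilter"
MyolcDatabase="${MyFilter}"
# Scratch LDIF for the two ldapmodify calls. mktemp (mode 0600, unpredictable
# name) replaces /tmp/$$.ldif, which any local user could pre-create or swap
# between our write and ldapmodify's read while we act as the privileged
# EXTERNAL identity on ldapi:///.
MyTmpLdif="$(mktemp)" || exit 1
#==== Backup config ====
# Both dumps carry password hashes (olcRootPW, if set, here; userPassword
# below): the subshell umask keeps the files owner-readable regardless of the
# caller's umask, without changing the umask for the rest of the procedure.
(umask 077; slapcat -n0 |gzip >~/ldap.config."$(hostname)"."${MyDate}".gz)
#==== ReadOnly ====
# Reject writes on the data database while it is dumped.
cat <<EOT >"$MyTmpLdif"
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$MyTmpLdif"
#==== Backup db ====
(umask 077; slapcat |gzip >~/ldap.db."$(hostname)"."${MyDate}".gz)
#==== Enable write ====
# Deliberately not chained with && to the dump: a failed dump must not leave
# the directory read-only.
cat <<EOT >"$MyTmpLdif"
dn: olcDatabase=${MyolcDatabase},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$MyTmpLdif"
rm -f -- "$MyTmpLdif"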
Install
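#==== Init ====
# Print the first capture group of an extended regex ($1) for every matching
# line of the cn=config dump read on stdin. Replaces three copies of the same
# slapcat | sed pipeline; the results are echoed so the operator can eyeball them.
olc_attr() {
  sed -rn "s/$1/\1/p"
}
# Name of the data database entry under cn=config, e.g. "{1}mdb".
MyolcDatabase="$(slapcat -n0 | olc_attr '^olcDatabase: (\{[0-9]+\}.db)$')" ;echo "$MyolcDatabase"
# Rootdn of the data database; the Test step binds with it.
# NOTE(review): olcRootDN may also be set on olcDatabase={0}config, in which
# case this yields two lines — confirm on the target server.
MyolcRootDN="$(slapcat -n0 | olc_attr '^olcRootDN: (.*)$')" ;echo "$MyolcRootDN"
# Suffix of the data database; ou=Policies and the policy entry hang under it.
MyolcSuffix="$(slapcat -n0 | olc_attr '^olcSuffix: (.*)$')" ;echo "$MyolcSuffix"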
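#==== Add password policy schema ====
# ppolicy.ldif ships with the server package. The default below is the
# Debian/Ubuntu location; Red Hat installs it under /etc/openldap/schema/
# (the rollback section of this page uses that prefix), so the path can be
# overridden through MySchemaFile.
# slapadd writes the cn=config database directly: run it against a stopped slapd.
MySchemaFile="${MySchemaFile:-/etc/ldap/schema/ppolicy.ldif}"
slapadd -n0 -l "$MySchemaFile"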
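#==== Add directory policies ====
# Container for policy entries under the data suffix. Scratch LDIF comes from
# mktemp rather than the guessable /tmp/$$.ldif that slapadd (root) would read.
MyTmpLdif="$(mktemp)" || exit 1
cat <<EOT >"$MyTmpLdif"
dn: ou=Policies,${MyolcSuffix}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
slapadd -b "$MyolcSuffix" -l "$MyTmpLdif"
rm -f -- "$MyTmpLdif"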
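#==== Load password policy module ====
# Append ppolicy to the loaded module list. This uses ldapmodify over
# ldapi:///, which needs a running slapd, whereas the slapadd steps around it
# expect a stopped one — confirm the server state at each step on the target host.
# Assumes cn=module{0},cn=config already exists (typically the case once any
# module has been loaded; otherwise an olcModuleList entry has to be added).
MyTmpLdif="$(mktemp)" || exit 1
cat <<EOT >"$MyTmpLdif"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$MyTmpLdif"
rm -f -- "$MyTmpLdif"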
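#==== Overlay password policy ====
# Attach the ppolicy overlay to the data database. The {0} index assumes no
# other overlay is configured on that database yet. olcPPolicyDefault names
# the entry created in the next step; per slapo-ppolicy(5) it applies to
# users that have no pwdPolicySubentry of their own.
MyTmpLdif="$(mktemp)" || exit 1
cat <<EOT >"$MyTmpLdif"
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
EOT
slapadd -n0 -l "$MyTmpLdif"
rm -f -- "$MyTmpLdif"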
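#==== Define password policy entry ====
# The default policy referenced by olcPPolicyDefault. pwdPolicy is an
# auxiliary class, so `device` is used as the structural class to hang it on.
# Values (seconds where applicable):
#   pwdMaxAge 3024000 = 35 days; pwdExpireWarning 1814400 = warn 21 days ahead
#   pwdMaxFailure 4 failed binds lock the account (pwdLockout TRUE) for
#     pwdLockoutDuration 600 = 10 minutes
#   pwdFailureCountInterval 0 = the failure counter only resets on a successful bind
#   pwdGraceAuthNLimit 0 = no grace logins once the password has expired
#   pwdCheckQuality 1 = pwdMinLength is enforced when the server sees the
#     cleartext and skipped when it cannot check (a pre-hashed userPassword
#     bypasses the length rule; 2 would reject such values instead)
#   pwdSafeModify FALSE = a password change does not have to present the old one
#   pwdMustChange TRUE = users must change a password set by an administrator
# Loaded with slapadd, which writes the database files directly: slapd should
# be stopped for this step.
MyTmpLdif="$(mktemp)" || exit 1
cat <<EOT >"$MyTmpLdif"
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
slapadd -b "$MyolcSuffix" -l "$MyTmpLdif"
rm -f -- "$MyTmpLdif"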
Test
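# Rootdn of the data database (from cn=config).
# Written one statement per line: collapsed onto a single line the
# MyPatern=... assignment only applies to the slapcat environment and
# the sed pattern is empty.
MyFilter=$(MyPatern='^olcRootDN: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo "$MyFilter"
MyolcRootDN="$MyFilter"
# DN of a disposable test account — adjust the pattern to your directory.
# Read from the data database (plain slapcat, as in the Backup step):
# `slapcat -n0` dumps cn=config, which holds no user entries.
MyFilter=$(MyPatern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
slapcat |\
sed -rn "s/$MyPatern/\1/p") ;echo "$MyFilter"
MyUser="$MyFilter"
# Reset the test user's password as rootdn (prompted for the rootdn password).
# -s puts the new password in argv, visible in ps and shell history; it is a
# throwaway value here — use -S to be prompted for anything real.
ldappasswd -D "${MyolcRootDN}" -W "$MyUser" -s test
# Bind as the user and try to change to a 4-character password. With
# pwdMinLength 9 and pwdCheckQuality 1 the server is expected to refuse it;
# that refusal is what this step checks. -w exposes the bind password in argv
# in the same way as -s above.
ldappasswd -x -H ldap://localhost -D "$MyUser" -w test -s dura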
Rollback node
# List the backups in the home directory, oldest first, last ten entries only
# (tail's default), so the most recent dates are at the bottom.
ls -lrt ~/ldap.*.gz | tail -n 10
- Enter the date part of the backup to restore (the value between the host name and ".gz" in the listing above) :
# Date stamp of the backup pair (ldap.config.* and ldap.db.*) to restore;
# left empty here on purpose, to be filled in from the listing above.
MyRollbackDate=''
- Select the distribution (keep exactly one pair of assignments uncommented) :
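#=== Init ===
# Owner of the slapd files and location of the cn=config directory for the
# distribution in use. One assignment per line: '#' comments out the rest of
# a line, so with everything collapsed onto one line nothing at all was set.
# redhat
MyLDAPUser='ldap'
MyConfigDir='/etc/openldap/slapd.d/'
# ubuntu
#MyLDAPUser='openldap'
#MyConfigDir='/etc/ldap/slapd.d/'
# Timestamp of the directory under /tmp where the live files are parked
# before they are replaced.
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"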
[Stop LDAP] — stop slapd (and, on a cluster node, pacemaker/corosync as in "Node install") before the next two steps: they replace the live directories and rebuild them with slapadd, which must not run against a running server.
Restore config
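#=== Restore config ===
# Rebuild cn=config from the gzipped `slapcat -n0` dump taken by the Backup step.
MyRollback=~/ldap.config."$(hostname)"."${MyRollbackDate}".gz
MyBaseNumber=0   # database 0 is cn=config
MyBaseDir="$MyConfigDir"
# Private scratch file: the config dump may hold olcRootPW, and under the
# default umask /tmp/$$.ldif would be world-readable with a guessable name.
MyTmpLdif="$(mktemp)" || exit 1
# Explicit check before touching the live directory (an empty MyRollbackDate
# would otherwise only surface as a zcat error).
[ -f "$MyRollback" ] || echo "backup not found: $MyRollback" >&2
# The live directory is moved, not copied: mkdir -p creates the target first,
# so the old config ends up at /tmp/<MyDate><MyConfigDir>slapd.d and stays there
# as a fallback (/tmp may be cleaned on reboot — move it elsewhere to keep it).
[ -f "$MyRollback" ] &&\
zcat "$MyRollback" >"$MyTmpLdif" &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -F "${MyBaseDir}" -n "${MyBaseNumber}" -l "$MyTmpLdif" &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
rm -f -- "$MyTmpLdif"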
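#=== Restore db ===
# Rebuild the data database from the gzipped `slapcat` dump of the Backup step.
MyRollback=~/ldap.db."$(hostname)"."${MyRollbackDate}".gz
# Suffix and on-disk directory are read from the (just restored) cn=config.
MyFilter=$(MyPatern='^olcSuffix: (.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo "$MyFilter"
MyolcSuffix="$MyFilter"
# NOTE(review): with more than one data database this yields several
# directories and the mv below gets the wrong arguments — confirm only one.
MyFilter=$(MyPatern='^olcDbDirectory: (\/.*)$'
slapcat -n0 |\
sed -rn "s/$MyPatern/\1/p") ;echo "$MyFilter"
MyBaseDir="${MyFilter}"
# The dump holds userPassword hashes: private scratch file instead of the
# world-readable, guessable /tmp/$$.ldif.
MyTmpLdif="$(mktemp)" || exit 1
[ -f "$MyRollback" ] || echo "backup not found: $MyRollback" >&2
# As for the config: the live directory is moved under /tmp/<MyDate> and kept
# there as a fallback; the rebuilt files are handed back to the slapd user.
[ -f "$MyRollback" ] &&\
zcat "$MyRollback" >"$MyTmpLdif" &&\
mkdir -p /tmp/"${MyDate}${MyBaseDir}" &&\
mv -f "${MyBaseDir}" /tmp/"${MyDate}${MyBaseDir}" &&\
mkdir "${MyBaseDir}" &&\
slapadd -b "$MyolcSuffix" -l "$MyTmpLdif" &&\
chown -R "${MyLDAPUser}": "${MyBaseDir}"
rm -f -- "$MyTmpLdif"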