LDAP policies
How to install LDAP password policies
Install node
Stop all LDAP nodes
# Take this node out of the cluster: pacemaker goes down before corosync.
for MySvc in pacemaker corosync; do
  service "${MySvc}" stop
done
Start the node
# Bring the node back: corosync must be up before pacemaker is started.
for MySvc in corosync pacemaker; do
  service "${MySvc}" start
done
Define
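# Discover the cn=config values that the later steps interpolate.
# Run as root: slapcat reads the config database (-n 0) directly.
# Each value is printed and an empty one is reported on stderr, so a failed
# match is noticed before it is spliced into an LDIF below. If a lookup
# prints more than one line (several backends, or the config database
# carrying its own olcRootDN), set that variable by hand instead.

# NOTE(review): verify this pattern against real `slapcat -n 0` output on
# your build; "{N}mdb"/"{N}hdb" style values are what is expected here.
MyolcDatabase=$(
  MyPattern='^olcDatabase= (\{[0-9]+\}.db)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'olcDatabase: %s\n' "${MyolcDatabase}"
[[ -n "${MyolcDatabase}" ]] || printf 'warning: olcDatabase not found\n' >&2

# Timestamp shared by the config and db backup file names.
MyDate="$(date -u '+%Y-%m-%dT%H_%M_%SZ')"

MyolcRootDN=$(
  MyPattern='^olcRootDN: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'olcRootDN: %s\n' "${MyolcRootDN}"
[[ -n "${MyolcRootDN}" ]] || printf 'warning: olcRootDN not found\n' >&2

MyolcSuffix=$(
  MyPattern='^olcSuffix: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'olcSuffix: %s\n' "${MyolcSuffix}"
[[ -n "${MyolcSuffix}" ]] || printf 'warning: olcSuffix not found\n' >&2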
Backup process
Backup config
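# Dump the cn=config database into a compressed, owner-only backup.
# Uses MyDate from "Define". The dump may contain credentials (root password
# hashes), hence the 0600 mode; a failed slapcat is reported instead of
# silently leaving an empty archive behind.
MyBackup=~/ldap.config."$(hostname)"."${MyDate:?run the Define step first}".gz
: >"${MyBackup}" && chmod 600 "${MyBackup}"   # owner-only before any data lands in it
slapcat -n 0 | gzip >"${MyBackup}"
MyRc=("${PIPESTATUS[@]}")
if (( MyRc[0] != 0 || MyRc[1] != 0 )); then
  printf 'warning: %s is not a complete backup (slapcat=%s gzip=%s)\n' \
    "${MyBackup}" "${MyRc[0]}" "${MyRc[1]}" >&2
fi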
ReadOnly
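# Put the data database in read-only mode so the db dump below is consistent.
# Uses MyolcDatabase from "Define". The LDIF goes through mktemp rather than
# a predictable /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: olcDatabase=${MyolcDatabase:?},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: TRUE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
rm -f -- "${MyLdif}"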
Backup db
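# Dump the data database (selected by its suffix) into a compressed,
# owner-only backup. Uses MyolcSuffix and MyDate from "Define". The dump
# carries userPassword hashes, hence the 0600 mode; a failed slapcat is
# reported instead of silently leaving an empty archive behind.
MyBackup=~/ldap.db."$(hostname)"."${MyDate:?run the Define step first}".gz
: >"${MyBackup}" && chmod 600 "${MyBackup}"   # owner-only before any data lands in it
slapcat -b "${MyolcSuffix:?}" | gzip >"${MyBackup}"
MyRc=("${PIPESTATUS[@]}")
if (( MyRc[0] != 0 || MyRc[1] != 0 )); then
  printf 'warning: %s is not a complete backup (slapcat=%s gzip=%s)\n' \
    "${MyBackup}" "${MyRc[0]}" "${MyRc[1]}" >&2
fi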
Enable write
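# Re-enable writes on the data database after the backup.
# Uses MyolcDatabase from "Define". The LDIF goes through mktemp rather than
# a predictable /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: olcDatabase=${MyolcDatabase:?},cn=config
changetype: modify
replace: olcReadonly
olcReadonly: FALSE
EOT
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
rm -f -- "${MyLdif}"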
Add password policy schema
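# Load the ppolicy schema into cn=config (needed once per server).
# NOTE(review): this is the Debian path; on RedHat-style installs the schema
# presumably lives under /etc/openldap/schema/ -- adjust MySchema there.
MySchema=/etc/ldap/schema/ppolicy.ldif
if [[ -r "${MySchema}" ]]; then
  ldapadd -Y EXTERNAL -H ldapi:/// -f "${MySchema}"
else
  printf 'schema file %s is not readable\n' "${MySchema}" >&2
fi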
Add directory policies
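# Create the container for policy entries under the suffix.
# Uses MyolcSuffix and MyolcRootDN from "Define"; -W prompts for the root DN
# password on the terminal. The LDIF goes through mktemp rather than a
# predictable /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: ou=Policies,${MyolcSuffix:?}
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: My Organization policies come here
EOT
ldapadd -D "${MyolcRootDN:?}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"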
Load ppolicy module
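# Load the ppolicy overlay module into the running server.
# The record is a modify of cn=module{0},cn=config, so ldapmodify is the
# natural client for it. NOTE(review): assumes that module entry already
# exists -- verify before running. The LDIF goes through mktemp rather than
# a predictable /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOT
ldapmodify -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
rm -f -- "${MyLdif}"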
Overlay with ppolicy
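# Attach the ppolicy overlay to the data database and point it at the
# default policy entry that "Define policy" creates below.
# Uses MyolcDatabase and MyolcSuffix from "Define". The LDIF goes through
# mktemp rather than a predictable /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: olcOverlay={0}ppolicy,olcDatabase=${MyolcDatabase:?},cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix:?}
EOT
ldapadd -Y EXTERNAL -H ldapi:/// -f "${MyLdif}"
rm -f -- "${MyLdif}"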
Define policy
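# Create the default password policy entry referenced by the overlay.
# Uses MyolcSuffix and MyolcRootDN from "Define"; -W prompts for the root DN
# password. Time values are seconds: pwdMaxAge 3024000 = 35 days,
# pwdExpireWarning 1814400 = 21 days, pwdLockoutDuration 600 = 10 minutes.
# pwdPolicy is auxiliary, so "device" presumably serves as the structural
# class of the entry. The LDIF goes through mktemp rather than a predictable
# /tmp/$$ path and is removed afterwards.
MyLdif=$(mktemp) || printf 'mktemp failed\n' >&2
cat <<EOT >"${MyLdif:?}"
dn: cn=MyOrgPPolicy,ou=Policies,${MyolcSuffix:?}
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOT
ldapadd -D "${MyolcRootDN:?}" -W -f "${MyLdif}"
rm -f -- "${MyLdif}"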
Test
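# Locate the root DN and one test user DN for the checks below.
# The user lookup runs against the data backend (-b suffix): the config
# database (-n 0) holds only cn=config entries, so the original
# `slapcat -n 0` search could never match a user DN. Each value is printed
# so an empty or multi-line result is visible before it is used.
MyolcRootDN=$(
  MyPattern='^olcRootDN: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'olcRootDN: %s\n' "${MyolcRootDN}"

MyolcSuffix=$(
  MyPattern='^olcSuffix: (.*)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'olcSuffix: %s\n' "${MyolcSuffix}"

# Adjust this pattern to a user of your directory; the default keeps the
# original page's test account.
MyTestUserPattern='^dn: (cn=a.pacheco@.*,ou=users,dc=.*,dc=.*)$'
MyUser=$(slapcat -b "${MyolcSuffix:?}" | sed -rn "s/${MyTestUserPattern}/\1/p")
printf 'test user: %s\n' "${MyUser}"
[[ -n "${MyUser}" ]] || printf 'warning: no user matched %s\n' "${MyTestUserPattern}" >&2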
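# Exercise the policy: the root DN sets a known password, then the user
# binds with it and tries to change it. "dura" is shorter than the
# pwdMinLength: 9 set in "Define policy", so the second call is expected
# to be refused by the server.
# Passwords go through -T/-y file arguments (process substitutions) instead
# of -s/-w so they are not visible in the process list of the host.
ldappasswd -D "${MyolcRootDN:?}" -W -T <(printf '%s' test) "${MyUser:?}"
ldappasswd -x -H ldap://localhost -D "${MyUser}" \
  -y <(printf '%s' test) -T <(printf '%s' dura)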
Rollback
Define
# Show the most recent backups on this host (oldest first, newest at the
# bottom) so the date and hostname to roll back to can be copied below.
ls -lrt -- ~/ldap.*.gz | tail -n 10
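# Rollback parameters. Fill in the date and hostname exactly as they appear
# in the backup file name chosen from the listing above. On one line these
# assignments were swallowed by the "#redhat:" comment and MyConfigDir was
# never set; each now sits on its own line.
MyRollbackDate=""                   # e.g. 2024-01-31T12_00_00Z (constructed example)
MyRollbackHostname=""
MyLDAPUser='openldap'               # redhat: ldap
MyConfigDir='/etc/ldap/slapd.d/'    # redhat: /etc/openldap/slapd.d/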
# UTC timestamp for this rollback run; not the date of the backup being
# restored (that is MyRollbackDate).
MyDate=$(TZ=UTC date '+%Y-%m-%dT%H_%M_%SZ')
[Stop LDAP on this node — see "Stop all LDAP nodes" above]
Restore config
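# Restore the cn=config database (-n 0) from the backup taken by
# "Backup config". Needs MyRollbackDate, MyRollbackHostname, MyLDAPUser and
# MyConfigDir from "Define", and slapd stopped. The previous config
# directory is moved into a private mktemp directory (it may contain root
# password hashes) and its location is printed at the end.
# The file name uses MyRollbackDate: the original used MyDate, a fresh
# timestamp that never names an existing backup.
MyRollback=~/ldap.config."${MyRollbackHostname:?}"."${MyRollbackDate:?}".gz
MyBaseNumber=0
MyBaseDir="${MyConfigDir:?}"
MyLdif=$(mktemp) && MyStash=$(mktemp -d) &&
  zcat "${MyRollback}" >"${MyLdif}" &&
  mv -f -- "${MyBaseDir}" "${MyStash}/" &&
  mkdir -- "${MyBaseDir}" &&
  slapadd -F "${MyBaseDir}" -n "${MyBaseNumber}" -l "${MyLdif}" &&
  chown -R "${MyLDAPUser:?}:" "${MyBaseDir}" &&
  printf 'previous config directory kept in %s\n' "${MyStash}"
rm -f -- "${MyLdif}"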
Restore db
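# Restore the data database from the backup taken by "Backup db".
# Needs MyRollbackDate, MyRollbackHostname, MyLDAPUser and MyConfigDir from
# "Define", and slapd stopped. The database number and directory are read
# from cn=config, so the config must already be in place. The previous
# database directory is moved into a private mktemp directory and its
# location is printed at the end.
# The file name uses MyRollbackDate: the original used MyDate, a fresh
# timestamp that never names an existing backup.
MyRollback=~/ldap.db."${MyRollbackHostname:?}"."${MyRollbackDate:?}".gz

# NOTE(review): verify this pattern against real `slapcat -n 0` output on
# your build; if more than one line is printed there are several backends
# and the number must be chosen by hand.
MyBaseNumber=$(
  MyPattern='^olcDatabase= \{([0-9]+)\}.db$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'database number: %s\n' "${MyBaseNumber}"

MyBaseDir=$(
  MyPattern='^olcDbDirectory: (\/.*)$'
  slapcat -n 0 | sed -rn "s/${MyPattern}/\1/p"
)
printf 'database directory: %s\n' "${MyBaseDir}"

# slapadd -F takes the slapd.d config directory, not the database directory
# (the original passed MyBaseDir there).
MyLdif=$(mktemp) && MyStash=$(mktemp -d) &&
  zcat "${MyRollback}" >"${MyLdif}" &&
  mv -f -- "${MyBaseDir:?}" "${MyStash}/" &&
  mkdir -- "${MyBaseDir}" &&
  slapadd -F "${MyConfigDir:?}" -n "${MyBaseNumber:?}" -l "${MyLdif}" &&
  chown -R "${MyLDAPUser:?}:" "${MyBaseDir}" &&
  printf 'previous database directory kept in %s\n' "${MyStash}"
rm -f -- "${MyLdif}"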