2012. szeptember 3., hétfő

OpenLDAP Password Policy on Ubuntu 12.04 - Part One

From today on I publish some posts about how to make an Ubuntu system using OpenLDAP auth to act as defined in a password policy.
(Ez a cikk magyarul is olvasható.)
What is a password policy good for?
In my case it's three things:
  • you can define the minimum length of the passwords
  • passwords expire
  • before the expiration the user gets a warning to change the password
If you intend to define an OpenLDAP password policy the first thing to do is enabling the ppolicy overlay. The process begins with installing the schema.
sudo ldapadd -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
See if it is really there:
sudo ldapsearch -Q -LLL -Y EXTERNAL -b cn=schema,cn=config dn
We need to put a default policy in the LDAP. Cretate the file policiesou.ldif :
dn: ou=Policies,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: policies come here
Put the contents in the LDAP:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f policiesou.ldif
We load the file handling the policies. Create the file ppolicy_moduleload.ldif :
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
Put the contents in the LDAP:
sudo ldapadd -Y EXTERNAL -f ppolicy_moduleload.ldif
What modules are loaded?
sudo ldapsearch -Y EXTERNAL -b cn=module{0},cn=config
Create the file ppolicy_overlay.ldif . Among other things this will tell to LDAP where to search for the default policy.
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc
Put the contents in the LDAP:
sudo ldapadd -Y EXTERNAL -f ppolicy_overlay.ldif
What overlays are in use?
sudo ldapsearch -Y EXTERNAL -b olcDatabase={1}hdb,cn=config

Now we write the deafult policy. We store it in the file ppolicy_default.ldif .
dn: cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
What is all this?
The password is valid for 5 weeks (60x60x24x7x5=3024000), and 3 weeks before expiration the user starts getting warnings (60x60x24x7x3=1814400). These values are good for testing - we'll talk about it later.
The password need to be at least 8 charactes long, and the last 3 password representations are stored and the user cannot reuse them. The wrong passwords cause the account to be locked. The locking will disappear after 5 minutes (leave us alone!:).  The pwdMustChange is there to make the admin able forcing a password change. We'll get back to it later.
We make LDAP eat this too:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f ppolicy_default.ldif
Let us see what we have created:
sudo ldapsearch -Q -LLL -Y EXTERNAL -b cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc

Enough for today. To be continued.

1 megjegyzés:

Claude Chaillet írta...
Ezt a megjegyzést eltávolította a szerző.