Changes between Version 2 and Version 3 of campuswifiandeduroam2023Agenda/pwdp


Timestamp:
Jul 24, 2024, 1:16:09 PM (8 weeks ago)
Author:
tuwan
Comment:

--

  • campuswifiandeduroam2023Agenda/pwdp

- Acceptable password content
- Grace logins to allow the use of expired passwords for a specific time period after the expiry date.

'''Load Password Policy Module'''

To implement password policies, first make sure that the ppolicy.la module is loaded into slapd. To list the loaded modules, run:

{{{
slapcat -n 0 | grep -i module
}}}

In our current LDAP setup the password policy module, ppolicy.la, is not loaded, as the output of the command above shows (the olcAttributeTypes line is matched only because the pwdCheckModule attribute definition contains the word "module"):

{{{
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
structuralObjectClass: olcModuleList
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC
 'Loadable module that instantiates "check_password() function' EQUALITY cas
 op AUXILIARY MAY pwdCheckModule )
}}}

To load the module, create an LDIF file that adds ppolicy.la to the slapd module list:

{{{
vim load-ppolicy-mod.ldif
}}}

{{{
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
}}}

Apply it to the slapd configuration database:

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f load-ppolicy-mod.ldif
}}}

After loading the module, listing the slapd modules again should give output similar to the following (the exact module list may differ in your setup):

{{{
slapcat -n 0 | grep -i module
}}}

{{{
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
olcModuleLoad: {3}ppolicy.la
structuralObjectClass: olcModuleList
}}}

'''Create Password Policies OU Container'''

Create an LDAP OU container that will hold the default password policy entry:

{{{
vi pwpolicy-ou.ldif
}}}

{{{
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicy
}}}

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f pwpolicy-ou.ldif
}}}

'''Create OpenLDAP Password Policy Overlay DN'''

Once the ppolicy module is loaded into slapd, add the password policy overlay DN.

The overlay must be attached to your LDAP database backend, which in this setup is mdb. Find the backend's configuration entry with:

{{{
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdb
}}}

Note the olcDatabase: {1}mdb line in the output below; {1}mdb is the database name used in the overlay DN:

{{{
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
}}}

Create an LDIF file with the content below to add the ppolicy overlay DN and its configuration options to slapd. Replace the domain components accordingly.

{{{
vi pwpolicyoverlay.ldif
}}}

{{{
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcPPolicyHashCleartext: TRUE
}}}

Read more about the configuration options applied to the ppolicy overlay above in man slapo-ppolicy.

Update the configuration database:

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f pwpolicyoverlay.ldif
}}}

'''Create OpenLDAP Password Policies'''

You are now ready to create the password policy entry under the ou created above. Its DN must be the one referenced by olcPPolicyDefault in the overlay, e.g. cn=default,ou=pwpolicy,dc=learn,dc=ac,dc=lk for a dc=learn,dc=ac,dc=lk directory; the LDIF below uses the dc=ldapmaster,dc=kifarunix-demo,dc=com domain components from the earlier examples, so replace them accordingly.

The ppolicy overlay depends on the pwdPolicy object class, so when defining the policy you can use any of the attributes described under the Object Class Attributes section of man slapo-ppolicy.

{{{
cat > ldap-pwpolicies.ldif << 'EOL'
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
# cn must carry the RDN value of the dn (default); slapd otherwise
# rejects the add with a naming violation
cn: default
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 5184000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdReset: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOL
}}}

For a good explanation of the password attributes used above, consult man slapo-ppolicy.
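Before loading a policy entry it is worth checking it offline. The script below is an added example, not part of the original page: it parses the policy entry (the page's attributes, embedded here as a constructed sample), verifies that the RDN value of the dn is present as an attribute value (slapd otherwise rejects the add with a naming violation), checks that pwdExpireWarning is shorter than pwdMaxAge as slapo-ppolicy requires, and expresses the second-valued attributes in days.

```python
from collections import defaultdict

# Constructed sample (added example, not the page's own file): the policy
# entry from this page, with cn matching the RDN of the dn.
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: pwpolicy
pwdMaxAge: 5184000
pwdInHistory: 5
pwdMinLength: 12
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
"""
SECONDS_ATTRS = ("pwdMinAge", "pwdMaxAge", "pwdExpireWarning",
                 "pwdLockoutDuration", "pwdFailureCountInterval")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blanks and comments
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        entry[attr.strip()].append(value.strip())
    return entry

def check_policy(entry):
    """Return problems slapd or the policy semantics would raise; [] is clean."""
    problems = []
    rdn_attr, _, rdn_val = entry["dn"][0].split(",", 1)[0].partition("=")
    if rdn_val not in entry.get(rdn_attr, []):
        problems.append(f"RDN value '{rdn_val}' missing from attribute {rdn_attr}")
    num = lambda a: int(entry.get(a, ["0"])[0])
    if num("pwdMaxAge") and num("pwdExpireWarning") >= num("pwdMaxAge"):
        problems.append("pwdExpireWarning must be shorter than pwdMaxAge")
    return problems

def seconds_to_days(entry):
    """Express the time-valued attributes in days (0 means no limit in slapo-ppolicy)."""
    return {a: int(entry[a][0]) / 86400 for a in SECONDS_ATTRS if a in entry}
```

With the sample above, check_policy returns no problems and seconds_to_days reports pwdMaxAge as 60 days and pwdExpireWarning as 5 days; changing the cn line back to pwpolicy reproduces the naming-violation problem.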

Add the password policy entry to slapd:

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f ldap-pwpolicies.ldif
}}}

'''Testing Password Policies'''

To test the effectiveness of the OpenLDAP password policies, we will try to change the password of one of the existing OpenLDAP users in our environment.

Some of the checks we implemented above include:

- pwdInHistory: keeps the 5 previously used passwords in the database so that they cannot be reused.
- pwdCheckQuality: set to 2. The server checks the syntax of the password and, if it is unable to check it, returns an error refusing the password.
- pwdMinLength: sets the minimum number of characters accepted in a password to 12.

'''Reset User's Password as OpenLDAP RootDN Administrator'''

//Note// the rootDN, which is typically the LDAP administrator, has full access to the entire LDAP directory, including the ability to bypass password policies. This ensures that the administrator can always access and manage the directory even when policy restrictions are in place for regular users. It means the rootDN can set any password for any user, regardless of the policy rules: it is not subject to the complexity requirements, expiry rules or other restrictions that apply to regular users.

Try setting a simple password:

{{{
ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
}}}

Since you are setting the password as the LDAP admin, any password is accepted:

{{{
New password: password
Re-enter new password: password
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
}}}

The output shows the operation succeeded, as expected for the rootDN.
