
'''Load Password Policy Module'''

To enforce password policies, the ppolicy.la module must be loaded into the slapd configuration database (cn=config). To list the modules that are currently loaded, run;

{{{
slapcat -n 0 | grep -i module
}}}

In our current LDAP setup, the password policy module, ppolicy.la, is not loaded. See the output of the command above;

{{{
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
structuralObjectClass: olcModuleList
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC
'Loadable module that instantiates "check_password() function' EQUALITY cas
op AUXILIARY MAY pwdCheckModule )
}}}

Therefore, to load the module, create an LDIF file as shown below that appends the password policy module to the module list in cn=config.

{{{
vim load-ppolicy-mod.ldif
}}}

{{{
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
}}}

Load the module into the slapd configuration database;

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f load-ppolicy-mod.ldif
}}}

After loading the module, listing the slapd modules again should give output similar to the one below (the module list and index numbers may differ in your setup);

{{{
slapcat -n 0 | grep -i module
}}}

{{{
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
olcModuleLoad: {3}ppolicy.la
structuralObjectClass: olcModuleList
}}}

'''Create Password Policies OU Container'''

Create an LDAP OU container that will hold the password policy entries, including the default policy;

{{{
vi pwpolicy-ou.ldif
}}}

{{{
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicy
}}}

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f pwpolicy-ou.ldif
}}}

'''Create OpenLDAP Password Policy Overlay DN'''

Once the ppolicy module is loaded into slapd, proceed to add the LDAP password policy overlay DN.

The overlay is attached to the LDAP database backend that holds your user entries, which in this setup is mdb. Find its DN in cn=config;

{{{
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdb
}}}

The database to target is olcDatabase={1}mdb, the first line of the output below;

{{{
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
}}}

Create an LDIF file with the content below to add the ppolicy overlay DN, along with its configuration options, to slapd. Replace the domain components accordingly.

{{{
vi pwpolicyoverlay.ldif
}}}

{{{
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcPPolicyHashCleartext: TRUE
}}}

olcPPolicyDefault names the policy entry that applies to every user without an explicit pwdPolicySubentry; that entry is created in the next section. olcPPolicyHashCleartext: TRUE makes slapd hash any cleartext password received in an Add or Modify request before storing it, so a password written directly to userPassword is not stored in clear. Read more about the configuration options applied to the ppolicy overlay above in man slapo-ppolicy.

Update the database;

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f pwpolicyoverlay.ldif
}}}

'''Create OpenLDAP Password Policies'''

You are now ready to create the default LDAP password policy under the ou created above, at the DN referenced by olcPPolicyDefault: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com

The ppolicy overlay depends on the pwdPolicy object class, so when defining the policy you can use any of the attributes described under the Object Class Attributes section of man slapo-ppolicy.

{{{
cat > ldap-pwpolicies.ldif << 'EOL'
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
# cn must carry the RDN value (default); slapd rejects the entry with a
# namingViolation if the naming attribute value is not present in the entry
cn: default
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
# 5184000 seconds = 60 days; warn 432000 seconds = 5 days before expiry
pwdMaxAge: 5184000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
# with pwdLockoutDuration 0 and pwdFailureCountInterval 0, an account locked
# after pwdMaxFailure failed binds stays locked until an administrator resets it
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
# pwdReset is an operational attribute ppolicy sets on user entries after an
# administrative reset; in a policy entry it has no effect and may be omitted
pwdReset: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOL
}}}

For a full explanation of the password policy attributes used above, consult man slapo-ppolicy.
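Before running ldapadd, it helps to lint the policy entry locally. The following is an added example, not code from the original article: it parses a single LDIF entry and applies a few consistency rules from slapo-ppolicy(5), plus slapd's rule that the RDN value must also be an attribute value. The embedded entry is a constructed abbreviation of the policy above with cn deliberately set to pwpolicy rather than default, so the check has something to catch.

```python
# Added example, not from the original article: lint a pwdPolicy LDIF entry before
# ldapadd, using rules from slapo-ppolicy(5) and slapd's RDN-must-be-present rule.
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicy
cn: pwpolicy
sn: pwpolicy
pwdAttribute: userPassword
pwdMaxAge: 5184000
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxFailure: 3
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}), unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs

def check_policy(text):
    """Return the problems found; an empty list means the entry is consistent."""
    dn, attrs = parse_ldif_entry(text)
    num = lambda attr: int(attrs.get(attr, ["0"])[0])
    problems = []
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_val not in attrs.get(rdn_attr, []):   # slapd answers namingViolation (64)
        problems.append(f"RDN value {rdn_attr}={rdn_val} is not an attribute value of the entry")
    if num("pwdMaxAge") and num("pwdExpireWarning") >= num("pwdMaxAge"):
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if num("pwdMinLength") and num("pwdCheckQuality") == 0:
        problems.append("pwdMinLength is ignored while pwdCheckQuality is 0")
    if attrs.get("pwdLockout") == ["TRUE"] and num("pwdMaxFailure") == 0:
        problems.append("pwdLockout has no effect unless pwdMaxFailure is greater than 0")
    return problems
```

Run check_policy on the text of ldap-pwpolicies.ldif; it returns an empty list once the entry is consistent.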

Add the password policy entry to slapd;

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f ldap-pwpolicies.ldif
}}}

'''Testing Password Policies'''

To test the effectiveness of the implemented OpenLDAP password policies, we will try to change the password of one of the existing OpenLDAP users in our environment.

Some of the checks we implemented above include;

- pwdInHistory: keeps the 5 previously used passwords in the user's entry so that they cannot be re-used.
- pwdCheckQuality: set to 2. The server checks the syntax of the password and, if it is unable to check the syntax, returns an error refusing the password.
- pwdMinLength: sets the minimum number of characters accepted in a password to 12 (enforced only because pwdCheckQuality is non-zero).

'''Reset User's Password as OpenLDAP RootDN Administrator'''

//Note// the rootDN, which is typically the LDAP administrator, is granted full access and permissions to the entire LDAP directory, including the ability to bypass password policies. This is to ensure that the LDAP administrator can always access and manage the directory, even if there are password policy restrictions in place for regular users. This means that the rootDN administrator can set any password for any user, regardless of the password policy rules defined for regular users. They are not subject to password complexity requirements, expiration rules, or other password policy restrictions that apply to regular users.

Try setting a simple password;

{{{
ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
}}}

Since you are resetting the password as the LDAP administrator, any password is accepted;

{{{
New password: password
Re-enter new password: password
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
}}}

As the output shows, the operation succeeds: the weak password is accepted because the rootDN is not subject to the policy.