Our Work

OpenLDAP Password Policy Implementation On Ubuntu

Posted 1 year, 9 months and 22 days ago

Using Password Policy one can achieve

a. Password Expiration
b. Before Expiration User gets warning to change the password

Step1. Enable policy Overlay, It can be done by installing the schema.

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

For Verification, whether it is done or not

$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

Step2. We need to write to the directory where are all policies will be filename: policies_1.ldif

dn : ou = Policies , dc = ktree , dc = org
objectClass : top
objectClass : organizationalUnit
ou : Policies
description : policies come here

To apply to the directory  :

$ ldapadd -D cn=admin,dc=ktree,dc=org -W -f policies_1.ldif

Step3. Now, We load the Modules handling the policies.

filename: policy_module.ldif
dn : cn = module { 0 }, cn = config
changetype : modify
add : olcModuleLoad
olcModuleLoad : ppolicy
  • To apply to the directory :
    $ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_module.ldif
  • For verification, modules loaded?
    $ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

Step4. Now tell directory where to look for the policies.

filename: policy_overlay.ldif

dn : olcOverlay ={ 0 } ppolicy , olcDatabase ={ 1 } hdb , cn = config
objectClass : olcOverlayConfig
objectClass : olcPPolicyConfig
olcOverlay : { 0 } ppolicy
olcPPolicyDefault : cn = DefaultPPolicy , ou = Policies , dc = ktree , dc = org
  • To apply to the directory
    $ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_overlay.ldif
  • For Verification, Overlays in use
    $ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config

Step5. Now we can create default policy objects.

filename: Default_Policies.ldiif

dn : cn = DefaultPPolicy , ou = Policies , dc = ktree , dc = org
cn : DefaultPPolicy
objectClass : pwdPolicy
objectClass : device
objectClass : top
pwdAttribute : userPassword
pwdMaxAge : 2592000
pwdExpireWarning : 2160000
pwdInHistory : 3
pwdCheckQuality : 1
pwdMinLength : 8
pwdMaxFailure : 3
pwdLockout : TRUE
pwdLockoutDuration : 30
pwdGraceAuthNLimit : 0
pwdFailureCountInterval : 0
pwdMustChange : TRUE
pwdAllowUserChange : TRUE
pwdSafeModify : FALSE

Note : Here pwdExpireAge, object tells us when to expire. It takes input in seconds. Here it is for 30 days. pwdExpireWarning gives tells us when to issue warning before password expiry i.e 25 days.

  • To apply to the directory
    $ ldapadd -D cn=admin,dc=ktree,dc=org -W -f Default_Policies.ldif
  • For Verification
    $ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=or

Testing

Choose an account from the directory, suppose

dn: uid=user1,ou=People,dc=ktree,dc=org

A. Now to check expiration date, modify timestamp before a month

filename: change_timestamp.ldif
dn : uid = user1, ou = People, dc = ktree, dc = org
changetype : modify
replace : pwdChangedTime
pwdChangedTime : 20150110192853Z

Note:Here syntax for pwdChanedTime: (YYYYMMDDHHMMSST)
T stands for time zone (GMT)

  • To apply to the directory
    • $ ldapmodify -D cn=admin,dc=ktree,dc=org -W -e relax -f change_timestamp.ldif
  • For verification check with by login in with uid=user1
    • $ ldapwhoami -e ppolicy -x -D uid=user1,ou=People,dc=ktree,dc=org -W
  • It will not allow you to login

B. To check for the password warning, put time stamp between (25th day to 30th day). and repeat the same steps, now it will throw a message saying “Password expires in somanyseconds” and allows you to login

 

Tags

Related Posts