Using a password policy (the OpenLDAP ppolicy overlay) one can achieve
a. Password expiration
b. A warning to the user, before expiration, to change the password
Step1. Load the ppolicy schema into cn=config. The overlay cannot be configured until slapd knows the pwdPolicy object class and the pwd* attributes it defines (the path below is the Debian/Ubuntu one; on OpenLDAP 2.5 and later the ppolicy module carries its schema internally and this step is not needed).
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
To verify that the schema was loaded, list the schema entries; a cn={N}ppolicy,cn=schema,cn=config entry should be present:
$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
Step2. Create the container entry under which all policies will live. filename: policies_1.ldif
dn: ou=Policies,dc=ktree,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: password policies live here
To apply to the directory (simple bind as the rootdn):
$ ldapadd -x -D cn=admin,dc=ktree,dc=org -W -f policies_1.ldif
Step3. Now we load the module that implements the policies.
filename: policy_module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
To apply to the directory (this LDIF is a modify, so use ldapmodify):
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f policy_module.ldif
For verification that the module is loaded (olcModuleLoad: {N}ppolicy should be listed):
$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
Step4. Now tell the database which policy entry to use by default. The overlay is attached to the database entry, olcDatabase={1}hdb here; on newer installs the backend is usually mdb, so check the name first with ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase and adjust the DN below. The default policy entry does not have to exist yet; it is created in Step5.
filename: policy_overlay.ldif
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org
To apply to the directory (if another overlay is already attached to the database, drop the {0} index and let slapd assign the next one):
$ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_overlay.ldif
For verification, list the overlays in use for the database:
$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config
Step5. Now we can create the default policy object (pwdPolicy is an auxiliary class, so a structural class such as device is needed to hold it).
filename: Default_Policies.ldif
dn: cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 2160000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Note: pwdMaxAge (the attribute is pwdMaxAge, not pwdExpireAge) is the password lifetime in seconds; 2592000 s is 30 days. pwdExpireWarning is the number of seconds before expiry at which bind responses start carrying a warning; 2160000 s is 25 days, so with these values the warning appears once the password is 5 days old and keeps appearing until it expires (to warn only during the last 5 days, set pwdExpireWarning: 432000). Other values worth knowing: pwdLockoutDuration is in seconds (30 s here; 0 would keep the account locked until an administrator resets the password), pwdFailureCountInterval: 0 means the failed-bind counter is cleared only by a successful bind, pwdGraceAuthNLimit: 0 allows no binds at all once the password has expired, pwdMustChange: TRUE only takes effect after an administrator resets the password (pwdReset: TRUE on the entry), and pwdMinLength can only be enforced when slapd receives the new password in clear text; pwdCheckQuality: 1 accepts a pre-hashed password it cannot check, whereas 2 would reject it.
To apply to the directory:
$ ldapadd -x -D cn=admin,dc=ktree,dc=org -W -f Default_Policies.ldif
For verification:
$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org
Testing
Choose an account from the directory, suppose
dn: uid=user1,ou=People,dc=ktree,dc=org
A. To check expiration, set the account's pwdChangedTime to a date more than 30 days (pwdMaxAge) in the past. The overlay computes the password age from this attribute, so rewriting it is the same as the password having been changed on that date.
filename: change_timestamp.ldif
dn: uid=user1,ou=People,dc=ktree,dc=org
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20150110192853Z
Note: pwdChangedTime uses GeneralizedTime syntax, YYYYMMDDHHMMSSZ; the trailing Z means the time is given in UTC.
- To apply to the directory. pwdChangedTime is an operational attribute that users may not normally modify, hence the relax control (-e relax) and the bind as the rootdn:
$ ldapmodify -x -D cn=admin,dc=ktree,dc=org -W -e relax -f change_timestamp.ldif
- For verification, bind as user1. The ppolicy request control (-e ppolicy) makes slapd report the policy reason; without it the bind just fails with invalidCredentials:
$ ldapwhoami -e ppolicy -x -D uid=user1,ou=People,dc=ktree,dc=org -W
- The bind is rejected: ldapwhoami reports Invalid credentials (49) together with the ppolicy reason that the password has expired.
B. To check the expiry warning, set pwdChangedTime to a date between 5 and 30 days in the past (anywhere inside the 25-day pwdExpireWarning window, which starts 2160000 seconds before expiry) and repeat the same steps. This time the bind succeeds and ldapwhoami prints a message of the form "Password expires in N seconds", where N is the number of seconds left until pwdMaxAge is reached.
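The arithmetic behind tests A and B, as an added example that is not part of the original page: a POSIX sh script that converts between GeneralizedTime and Unix epoch, decides what the overlay will report for a given pwdChangedTime and bind time using the DefaultPPolicy values above, and writes the change_timestamp.ldif content for a password changed a chosen number of days ago. It needs no LDAP server. The helper names (gt_to_epoch, epoch_to_gt, ppolicy_state, pwdchangedtime_ldif) and the sample bind times are assumptions of this example; the policy values and the sample pwdChangedTime are the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the expiry decision the
# ppolicy overlay makes at bind time for the DefaultPPolicy above, and generate
# pwdChangedTime values for the tests.  Pure POSIX sh, UTC only, no LDAP needed.

PWD_MAX_AGE=2592000          # pwdMaxAge: 30 days
PWD_EXPIRE_WARNING=2160000   # pwdExpireWarning: warn during the last 25 days

# GeneralizedTime (YYYYMMDDHHMMSSZ) -> Unix epoch seconds, proleptic Gregorian.
# ${x#0} strips one leading zero so 08/09 are not read as invalid octal by $(( )).
gt_to_epoch() {
  gt=$1
  y=${gt%???????????}; r=${gt#????}
  m=${r%?????????};    r=${r#??}
  d=${r%???????};      r=${r#??}
  h=${r%?????};        r=${r#??}
  mi=${r%???};         r=${r#??}
  s=${r%?}
  m=${m#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi          # year starts in March
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  days=$(( era * 146097 + doe - 719468 ))            # days since 1970-01-01
  echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# Unix epoch seconds (>= 0) -> GeneralizedTime in UTC; inverse of gt_to_epoch.
epoch_to_gt() {
  t=$1
  days=$((t / 86400)); rem=$((t - days * 86400))
  z=$((days + 719468))
  era=$((z / 146097)); doe=$((z - era * 146097))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  y=$((yoe + era * 400))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
  if [ "$m" -le 2 ]; then y=$((y + 1)); fi
  printf '%04d%02d%02d%02d%02d%02dZ\n' "$y" "$m" "$d" \
    $((rem / 3600)) $((rem % 3600 / 60)) $((rem % 60))
}

# What slapd reports when a password last changed at $1 is used to bind at $2
# (both GeneralizedTime): "expired", "warning <secs>" (the N the client sees as
# "Password expires in N seconds"), or "ok <secs>".  pwdMaxAge 0 = never expires.
ppolicy_state() {
  age=$(( $(gt_to_epoch "$2") - $(gt_to_epoch "$1") ))
  if [ "$PWD_MAX_AGE" -eq 0 ]; then echo ok; return 0; fi
  left=$((PWD_MAX_AGE - age))
  if [ "$left" -le 0 ]; then
    echo expired
  elif [ "$left" -le "$PWD_EXPIRE_WARNING" ]; then
    echo "warning $left"
  else
    echo "ok $left"
  fi
}

# The change_timestamp.ldif content for user DN $1 and GeneralizedTime $2.
# pwdChangedTime is operational, so apply it with "ldapmodify -e relax" as rootdn.
pwdchangedtime_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdChangedTime\npwdChangedTime: %s\n' "$1" "$2"
}

# Stand-alone demo: the page's sample pwdChangedTime against three bind times
# (constructed for this example), then the LDIF for test A relative to now.
CHANGED=20150110192853Z
for NOW in 20150112000000Z 20150120000000Z 20150212000000Z; do
  echo "changed $CHANGED, bind at $NOW: $(ppolicy_state "$CHANGED" "$NOW")"
done
pwdchangedtime_ldif "uid=user1,ou=People,dc=ktree,dc=org" \
  "$(epoch_to_gt $(( $(date -u +%s) - 31 * 86400 )))"
```

Running it shows the three outcomes in order: a bind 1.2 days after the change is plain ok, one 9.2 days after is already inside the warning window (about 20.8 days left, less than the 25-day pwdExpireWarning), and one 33 days after is expired. Pipe the last lines into a file and apply them with the ldapmodify command from test A; replace 31 with a value between 5 and 30 to produce the test B timestamp.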