
OpenLDAP Password Policy Implementation On Ubuntu

Updated 5 months and 24 days ago

Using a password policy one can achieve:

a. Password expiration
b. A warning to the user, before expiration, to change the password

Step 1. Enable the ppolicy overlay. The first part of this is loading its schema into cn=config:

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

For verification that the schema is loaded (the output should include an entry whose cn ends in ppolicy):

$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

Step 2. Create the organizational unit under which all policies will be stored. filename: policies_1.ldif

dn: ou=Policies,dc=ktree,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: policies come here

To apply to the directory:

$ ldapadd -D cn=admin,dc=ktree,dc=org -W -f policies_1.ldif

Step 3. Now we load the module that implements the policies.

filename: policy_module.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

To apply to the directory:

$ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_module.ldif

For verification that the module is loaded (olcModuleLoad should list ppolicy):

$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

Step 4. Now tell the directory which entry holds the default policy. This adds the overlay to the hdb database; if your installation uses the mdb backend, the database DN is olcDatabase={1}mdb instead and must be changed in both the LDIF and the verification search below.

filename: policy_overlay.ldif

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org

To apply to the directory:

$ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_overlay.ldif

For verification that the overlay is in use:

$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config

Step 5. Now we can create the default policy object.

filename: Default_Policies.ldif

dn: cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 2160000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

Note: Here pwdMaxAge tells the overlay when a password expires. It is given in seconds; 2592000 seconds is 30 days. pwdExpireWarning tells it how long before expiry to start warning the user, here 2160000 seconds, i.e. 25 days. pwdLockoutDuration is also in seconds, so an account locked after pwdMaxFailure (3) consecutive failed binds is released again after 30 seconds.

To apply to the directory:

$ ldapadd -D cn=admin,dc=ktree,dc=org -W -f Default_Policies.ldif

For verification:

$ ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=DefaultPPolicy,ou=Policies,dc=ktree,dc=org


Choose an account from the directory, for example:

dn: uid=user1,ou=People,dc=ktree,dc=org

A. To check expiration, set the password change timestamp to a date more than a month in the past.

filename: change_timestamp.ldif

dn: uid=user1,ou=People,dc=ktree,dc=org
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20150110192853Z

Note: The syntax of pwdChangedTime is the LDAP GeneralizedTime form YYYYMMDDHHMMSSZ; the trailing Z marks the value as GMT (UTC).

• To apply to the directory (the relax control is required because pwdChangedTime is an operational attribute maintained by the server, which a plain modify would refuse to touch):
$ ldapmodify -D cn=admin,dc=ktree,dc=org -W -e relax -f change_timestamp.ldif
• For verification, bind as uid=user1 with the ppolicy control so the server reports the policy result:
$ ldapwhoami -e ppolicy -x -D uid=user1,ou=People,dc=ktree,dc=org -W
• It will not allow you to log in, because the password has expired.

B. To check the password warning, set the timestamp to a date between the 25th and the 30th day before today and repeat the same steps. Now it will print a message saying "Password expires in <N> seconds" and allow you to log in.
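As an added example (not part of the original post), the following Python script mirrors the overlay's age calculation with the policy values above, so you can pick a pwdChangedTime value for tests A and B and know in advance whether slapd should refuse the bind, warn, or accept. The function names and the "current time" values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the DefaultPPolicy entry above, in seconds.
PWD_MAX_AGE = 2592000          # 30 days
PWD_EXPIRE_WARNING = 2160000   # 25 days

# GeneralizedTime as stored in pwdChangedTime: YYYYMMDDHHMMSS followed by Z (UTC).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse a pwdChangedTime-style value into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_generalized_time(when):
    """Render an aware datetime as a pwdChangedTime value."""
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def password_state(pwd_changed_time, now, max_age=PWD_MAX_AGE, warning=PWD_EXPIRE_WARNING):
    """Apply the overlay's age rule (a simplified model written for this example).

    Both timestamps are GeneralizedTime strings. Returns ("expired", 0) once the
    password is older than max_age, ("warning", seconds_left) while the time left
    is within the warning window, and ("ok", seconds_left) otherwise.
    """
    age = int((parse_generalized_time(now) - parse_generalized_time(pwd_changed_time)).total_seconds())
    seconds_left = max_age - age
    if seconds_left <= 0:
        return "expired", 0
    if warning and seconds_left <= warning:
        return "warning", seconds_left
    return "ok", seconds_left


def backdated_change_time(now, days_ago):
    """Build the pwdChangedTime value to put in change_timestamp.ldif for a test."""
    return format_generalized_time(parse_generalized_time(now) - timedelta(days=days_ago))


if __name__ == "__main__":
    # Constructed "current time" so the run is reproducible offline.
    now = "20150210120000Z"
    # The page's value 20150110192853Z is more than 30 days old here: expired (test A).
    print(password_state("20150110192853Z", now))
    # With a 25-day warning and a 30-day maximum age the warning window already
    # opens 5 days after the change, not only on day 25 (test B still falls inside it).
    for days in (2, 5, 27, 31):
        stamp = backdated_change_time(now, days)
        print(days, stamp, password_state(stamp, now))
```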
