LDAP密码策略配置

LDAP 开启密码策略管理

部署过程

  1. 导入基础 objectClass

    # 加载ppolicy配置
    ldapadd -Y EXTERNAL -H ldapi:/// -f new_ppolicy.ldif
    

    new_ppolicy.ldif内容如下:

    dn: cn=ppolicy,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: ppolicy
    olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALI
     TY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY 
     integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.27 SINGLE-VALUE )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY 
     integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.27 SINGLE-VALUE )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALI
     TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.27 SINGLE-VALUE )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQU
     ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
     5.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALI
     TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.27 SINGLE-VALUE )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQ
     UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1
     15.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' 
     EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466
     .115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY
      booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration'
      EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.146
     6.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQU
     ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
     5.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInt
     erval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4
     .1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQU
     ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange
     ' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQU
     ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {15}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFail
     ure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1
     .1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {16}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 
     'Loadable module that instantiates check_password() function' EQUALITY case
     ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP t
     op AUXILIARY MAY pwdCheckModule )
    olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AU
     XILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdC
     heckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLoc
     kout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMu
     stChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
    
  2. 配置module模块,加载 accesslogauditlogppolicymemberof

    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModulepath:	/usr/lib/openldap
    olcModuleload: accesslog.la
    olcModuleload: auditlog.la
    olcModuleload: memberof.la
    olcModuleLoad: ppolicy.la
    EOF
    
  3. 配置DB

    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
    changetype: add
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcPPolicyConfig
    olcOverlay: ppolicy
    olcPPolicyDefault: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
    olcPPolicyHashCleartext: TRUE
    olcPPolicyUseLockout: TRUE
    EOF
    
  4. 创建组

    cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: ou=Policies,dc=laoshiren,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Policies
    EOF
    
  5. 创建默认密码策略

    密码属性说明,请查看官网属相说明 搜索相应属性即可

    cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
    cn: pwdDefault
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: userPassword
    pwdInHistory: 8
    pwdMinLength: 8
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdCheckQuality: 2
    pwdMustChange: TRUE
    pwdGraceAuthNLimit: 0
    pwdMaxAge: 3600
    pwdExpireWarning: 1209600
    pwdLockoutDuration: 900
    pwdLockout: TRUE
    EOF
    
    # 查看用户信息,前提存在该用户
    ldapsearch -x -b "uid=linux_user1,ou=People,dc=laoshiren,dc=com" +
    

扩展

  • 增加用户首次登陆更改密码

    cat << EOF | ldapadd -x -D "cn=manager,dc=laoshiren,dc=com" -w FCzxpJWCccuB -H ldap://172.16.10.220
    dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
    changetype: modify
    replace: pwdReset
    pwdReset: TRUE
    EOF
    
  • 删除该用户登陆更改密码属性

    cat << EOF | ldapadd -x -D "cn=manager,dc=laoshiren,dc=com" -w FCzxpJWCccuB -H ldap://172.16.10.220
    changetype: modify
    delete: pwdReset
    EOF
    
  • 针对不同用户使用不同的密码策略

    # 对于服务帐户,不使帐户过期更安全。
    cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: cn=servicesaccounts, ou=Policies,dc=laoshiren,dc=com
    cn: servicesaccounts
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdExpireWarning: 0
    pwdFailureCountInterval: 0
    pwdGraceAuthNLimit: 5
    pwdLockout: FALSE
    pwdLockoutDuration: 0
    pwdInHistory: 0
    pwdMaxAge: 0
    pwdMaxFailure: 0
    pwdMinAge: 0
    pwdMinLength: 15
    pwdMustChange: FALSE
    pwdSafeModify: FALSE
    EOF
    
  • 配置用户访问以及更改密码权限

    # 允许用户更改密码
    cat << EOF | ldapmodify -c -Y EXTERNAL -Q -H ldapi:///
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by anonymous auth by * read
    olcAccess: {1}to * by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by * read
    EOF
    
  • 密码过期处理

    # 更改用户密码,此处不经过密码策略,随意书写。
    ldappasswd -H ldap://172.16.10.220 -x -D "cn=manager,dc=laoshiren,dc=com" -W -S "uid=linux_user1,ou=People,dc=laoshiren,dc=com"
    
    
  • 配置日志输出界别

    更改日志级别
    cat log.ldif 
    dn: cn=config
    changetype: modify
    add: olcLogLevel
    olcLogLevel: -1
    
    
    ldapadd -Y EXTERNAL -H ldapi:/// -f log.ldif
    

测试

  • 测试用户更改密码

    • 尝试1

      输入密码为111111

      LDAP密码策略配置_第1张图片

      # server 端通过未通过规则
      Jan 12 08:32:12 ldap-server slapd[1296]: conn=1161 op=5 RESULT oid= err=19 text=Password fails quality checking policy
      
    • 尝试2

      输入密码HsJC8m3y

      LDAP密码策略配置_第2张图片

  • 测试用户过期

    以上默认规则我设置的密码过期时间为一小时,所以以下输出会是已经过期

    LDAP密码策略配置_第3张图片

你可能感兴趣的:(Linux,运维)