[LDAP] OpenLDAP Password Policy overlay (ppolicy)
변군이글루
2021. 6. 13. 17:47
OpenLDAP Password Policy overlay (ppolicy)
Load the policy schema (OpenLDAP password policy)
$ ls -l /etc/openldap/schema/ppolicy.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
Enable the policy overlay module and configure the overlay
Edit ppolicy-module.ldif
$ vim ppolicy-module.ldif
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib64/openldap
###
# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-module.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-module.ldif
Verify that the module is loaded (olcModuleLoad)
$ slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}ppolicy.la
Create the Policies OU
Edit ppolicy-oU.ldif
$ vim ppolicy-oU.ldif
dn: ou=Policies,dc=4wxyz,dc=com
ou: Policies
objectClass: organizationalUnit
objectClass: extensibleObject
objectClass: top
###
# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-oU.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-oU.ldif
Configure the policy overlay
Edit ppolicy-overlay.ldif
$ cat ppolicy-overlay.ldif
# {2}hdb must match the index of your database entry (check with: slapcat -n 0 | grep olcDatabase)
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPpolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=4wxyz,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
###
# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-overlay.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-overlay.ldif
Define the password policy
Edit ppolicy-password.ldif
$ vim ppolicy-password.ldif
# passwordDefault, policies, 4wxyz.com
dn: cn=default,ou=Policies,dc=4wxyz,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 8
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
###
# ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w password1! -f ppolicy-password.ldif
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w password1! -f ppolicy-password.ldif
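Before loading the two LDIF files above it is worth checking how their settings interact, because several of them are easy to misread: slapd applies pwdMinLength only when pwdCheckQuality is 1 or 2, so with pwdCheckQuality: 0 the minimum length of 8 is never enforced; pwdLockoutDuration: 0 means a locked account stays locked until an administrator removes pwdAccountLockedTime; and pwdFailureCountInterval: 0 means the failure counter is reset only by a successful bind. The script below is an added example written for this post, not code from the original article or from the OpenLDAP project. It embeds the policy and overlay entries from this page as constructed strings, parses them with a minimal single-entry LDIF parser, and reports such findings; the same functions can be fed the output of slapcat instead.

```python
# Added example: lint an OpenLDAP ppolicy configuration before loading it.
from __future__ import annotations

# Constructed samples carrying the same values as ppolicy-password.ldif and
# ppolicy-overlay.ldif in this post.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=4wxyz,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 8
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
"""
OVERLAY_LDIF = """\
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPpolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=4wxyz,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> [values]; joins RFC 2849
    continuation lines, skips comments, rejects base64 (attr::) values."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation of the previous line
        else:
            logical.append(raw)
    entry: dict[str, list[str]] = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value not supported: {attr}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def lint_policy(entry: dict[str, list[str]]) -> list[str]:
    """Findings for a pwdPolicy entry; an empty list means no concerns."""
    def num(attr: str) -> int:
        return int(entry.get(attr, ["0"])[0])
    findings: list[str] = []
    if "pwdPolicy" not in entry.get("objectClass", []):
        findings.append("objectClass: entry is not a pwdPolicy")
    # slapd checks pwdMinLength only when pwdCheckQuality is 1 or 2.
    if num("pwdCheckQuality") == 0 and num("pwdMinLength") > 0:
        findings.append(f"pwdCheckQuality 0: pwdMinLength {num('pwdMinLength')} is not enforced")
    if num("pwdMaxAge") == 0:
        findings.append("pwdMaxAge 0: passwords never expire")
    if entry.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        findings.append("pwdLockout FALSE: failed binds never lock the account")
    else:
        if num("pwdMaxFailure") == 0:
            findings.append("pwdMaxFailure 0: lockout is enabled but never triggers")
        if num("pwdLockoutDuration") == 0:
            findings.append("pwdLockoutDuration 0: accounts stay locked until an admin "
                            "clears pwdAccountLockedTime")
        if num("pwdFailureCountInterval") == 0:
            findings.append("pwdFailureCountInterval 0: the failure counter resets only "
                            "on a successful bind, so stray failures accumulate")
    return findings

def lint_overlay(entry: dict[str, list[str]]) -> list[str]:
    """Findings for the olcOverlay=ppolicy entry."""
    findings: list[str] = []
    if entry.get("olcPPolicyHashCleartext", ["FALSE"])[0].upper() != "TRUE":
        findings.append("olcPPolicyHashCleartext FALSE: cleartext userPassword values "
                        "sent by clients are stored unhashed")
    if entry.get("olcPPolicyUseLockout", ["FALSE"])[0].upper() == "TRUE":
        findings.append("olcPPolicyUseLockout TRUE: binds to a locked account signal "
                        "AccountLocked instead of plain InvalidCredentials")
    return findings

def lint_samples() -> dict[str, list[str]]:
    """Run both linters over the constructed samples."""
    return {"policy": lint_policy(parse_ldif_entry(POLICY_LDIF)),
            "overlay": lint_overlay(parse_ldif_entry(OVERLAY_LDIF))}

if __name__ == "__main__":
    for name, found in lint_samples().items():
        print(name, found)
```

Run it as a script, or import it and call lint_policy on an entry parsed from `slapcat -n 0` or an ldapsearch export. For the values on this page the overlay entry produces no findings, while the policy entry reports the inert pwdMinLength, the never-expiring passwords, and the two permanent-lockout settings; whether those are acceptable is a decision for the directory owner, but they should be made knowingly rather than by accident.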