LDAP 开启密码策略管理

部署过程

  1. 导入基础 objectClass

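    # Load the ppolicy schema into cn=config.
    # Adding a schema entry that is already present fails with "Already exists",
    # so check first. Most packages also ship this schema as ppolicy.ldif in the
    # OpenLDAP schema directory; prefer that copy over a hand-pasted one.
    if ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b cn=schema,cn=config -LLL "(cn=*ppolicy)" dn | grep -q '^dn:'; then
        echo "ppolicy schema already loaded"
    else
        ldapadd -Y EXTERNAL -H ldapi:/// -f new_ppolicy.ldif
    fi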
    

    new_ppolicy.ldif内容如下:

    # new_ppolicy.ldif: the OpenLDAP password-policy schema used by slapo-ppolicy.
    # The pwd* attribute types are the policy knobs; the pwdPolicy objectClass
    # groups them, and pwdPolicyChecker adds the optional pwdCheckModule hook
    # for a loadable password-quality library.
    # NOTE(review): do not hand-edit OIDs or syntaxes here — they must match the
    # definitions the ppolicy overlay expects, or the overlay may fail to load.
    dn: cn=ppolicy,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: ppolicy
    olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALI
     TY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY 
     integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.27 SINGLE-VALUE )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY 
     integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.27 SINGLE-VALUE )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALI
     TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.27 SINGLE-VALUE )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQU
     ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
     5.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALI
     TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.27 SINGLE-VALUE )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQ
     UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1
     15.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' 
     EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466
     .115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY
      booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration'
      EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.146
     6.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQU
     ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
     5.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInt
     erval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4
     .1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQU
     ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange
     ' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQU
     ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {15}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFail
     ure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1
     .1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {16}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 
     'Loadable module that instantiates check_password() function' EQUALITY case
     ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP t
     op AUXILIARY MAY pwdCheckModule )
    olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AU
     XILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdC
     heckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLoc
     kout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMu
     stChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
    
  2. 配置 module 模块,加载 accesslog、auditlog、memberof、ppolicy 四个 overlay 模块(本文只用到 ppolicy,其余三个只是加载,未做配置)

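    # Load the overlay modules.
    # Packaged installs usually already have a module list entry
    # (typically cn=module{0},cn=config). Adding another "cn=module" entry
    # creates a second list next to it; in that case add the missing
    # olcModuleLoad values to the existing entry with ldapmodify instead.
    ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b cn=config -LLL "(objectClass=olcModuleList)" olcModulePath olcModuleLoad

    # olcModulePath is one colon-separated search path (slapd-config(5));
    # the first directory is the RHEL/CentOS layout, the second the Debian one.
    # accesslog/auditlog/memberof are loaded here but not configured in this guide.
    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap:/usr/lib/openldap
    olcModuleLoad: accesslog.la
    olcModuleLoad: auditlog.la
    olcModuleLoad: memberof.la
    olcModuleLoad: ppolicy.la
    EOF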
    
  3. 在用户数据库上启用 ppolicy overlay

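    # Attach the ppolicy overlay to the user database.
    # The database index ({2}hdb here) varies between installs (often {1}mdb on
    # newer ones) — look it up instead of assuming it:
    ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b cn=config -LLL "(olcSuffix=*)" dn olcSuffix

    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
    changetype: add
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcPPolicyConfig
    olcOverlay: ppolicy
    # Policy used by every entry that has no pwdPolicySubentry of its own.
    olcPPolicyDefault: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
    # Hash cleartext userPassword values on write (with the olcPasswordHash
    # scheme, {SSHA} by default); otherwise a client sending a plain password
    # stores it unhashed.
    olcPPolicyHashCleartext: TRUE
    # Lockout itself is enforced by pwdLockout in the policy. Setting this TRUE
    # makes slapd report a distinct "account locked" error instead of plain
    # invalidCredentials, which slapo-ppolicy(5) notes reveals lock state to
    # unauthenticated clients (account enumeration). Keep it FALSE in
    # production; set TRUE only temporarily to observe lockouts while testing.
    olcPPolicyUseLockout: FALSE
    EOF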
    
  4. 创建存放密码策略的组织单元 ou=Policies(这是 organizationalUnit 容器,不是用户组)

    # Container entry that will hold the password-policy entries.
    # The quoted delimiter keeps the shell from expanding anything in the LDIF.
    ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W <<'EOF'
    dn: ou=Policies,dc=laoshiren,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Policies
    EOF
    
  5. 创建默认密码策略

    各 pwd* 属性的含义请查看官方文档 slapo-ppolicy(5)(`man slapo-ppolicy`),搜索相应属性名即可

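    # Default policy, referenced by olcPPolicyDefault on the overlay.
    # "device" is only the structural class needed to host the AUXILIARY
    # pwdPolicy class. Attribute meanings: slapo-ppolicy(5).
    cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
    cn: pwdDefault
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: userPassword
    # Remember the last 8 hashes so they cannot be reused.
    pwdInHistory: 8
    # Length is the only built-in quality rule; without a pwdCheckModule there
    # is no complexity check beyond it. pwdCheckQuality 2 also rejects passwords
    # the server cannot inspect (e.g. already hashed by the client).
    pwdMinLength: 8
    pwdCheckQuality: 2
    # Lock after 3 failures within 30 minutes, for 15 minutes. A
    # pwdLockoutDuration of 0 would lock until an administrator resets the password.
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdLockout: TRUE
    pwdLockoutDuration: 900
    # Force a change after an administrative reset; no grace binds after expiry.
    pwdMustChange: TRUE
    pwdGraceAuthNLimit: 0
    # TEST VALUE: passwords expire after one hour so expiry can be observed
    # quickly. Raise it for production (e.g. 7776000 = 90 days) and keep
    # pwdExpireWarning below it: the original 1209600 (14 days) exceeded
    # pwdMaxAge, so every bind would carry an expiry warning from the moment
    # the password was set.
    pwdMaxAge: 3600
    pwdExpireWarning: 600
    EOF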
    
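    # Inspect the user's entry (it must already exist). "+" requests the
    # operational attributes ppolicy maintains (pwdChangedTime, pwdPolicySubentry,
    # pwdFailureTime, pwdAccountLockedTime, pwdReset, ...), "*" the normal ones.
    # Bind as the administrator: once userPassword and the pwd* state are no
    # longer world-readable, an anonymous search returns nothing useful.
    ldapsearch -x -D cn=manager,dc=laoshiren,dc=com -W -b "uid=linux_user1,ou=People,dc=laoshiren,dc=com" "*" +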
    

扩展

  • 强制用户首次登录时更改密码(设置 pwdReset)

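    # Force a password change at the user's next bind.
    # -W prompts for the manager password; "-w <password>" on the command line
    # ends up in shell history and is visible to every local user via ps.
    # ldap:// sends the bind in cleartext — prefer ldapi:///, ldaps:// or
    # -ZZ (StartTLS) where the server supports it.
    # With pwdMustChange: TRUE in the policy, slapo-ppolicy(5) says pwdReset is
    # set automatically after an administrative password reset, so this manual
    # step is mainly for accounts created before the policy existed.
    cat << EOF | ldapmodify -x -D "cn=manager,dc=laoshiren,dc=com" -W -H ldap://172.16.10.220
    dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
    changetype: modify
    replace: pwdReset
    pwdReset: TRUE
    EOF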
    
  • 删除该用户的 pwdReset 属性(取消强制修改密码)
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

<gr_replace lines="196-196" cat="clarify" orig="• 配置日志输出界别">
  • 配置日志输出级别

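    # Clear the forced-change flag again. The original snippet had no "dn:" line,
    # so the LDIF was rejected. Same transport/credential caveats as above:
    # -W instead of -w <password>, and a TLS-protected or ldapi:/// connection.
    cat << EOF | ldapmodify -x -D "cn=manager,dc=laoshiren,dc=com" -W -H ldap://172.16.10.220
    dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
    changetype: modify
    delete: pwdReset
    EOF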
    
  • 针对不同用户使用不同的密码策略

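    # Separate policy for service accounts: no expiry (an unrotated expiring
    # secret only causes outages) and no lockout (so bad-password spraying
    # cannot knock the service offline). Compensate for the missing lockout
    # with a long password (pwdMinLength 15) and by restricting where these
    # accounts may bind from.
    cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: cn=servicesaccounts,ou=Policies,dc=laoshiren,dc=com
    cn: servicesaccounts
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdExpireWarning: 0
    pwdFailureCountInterval: 0
    pwdGraceAuthNLimit: 5
    pwdLockout: FALSE
    pwdLockoutDuration: 0
    pwdInHistory: 0
    pwdMaxAge: 0
    pwdMaxFailure: 0
    pwdMinAge: 0
    pwdMinLength: 15
    pwdMustChange: FALSE
    pwdSafeModify: FALSE
    EOF

    # Creating the policy does nothing by itself: an entry uses it only when its
    # pwdPolicySubentry points at it; everything else keeps olcPPolicyDefault.
    # Replace <service-account> with the uid of the service account.
    cat << EOF | ldapmodify -x -D cn=manager,dc=laoshiren,dc=com -W
    dn: uid=<service-account>,ou=People,dc=laoshiren,dc=com
    changetype: modify
    replace: pwdPolicySubentry
    pwdPolicySubentry: cn=servicesaccounts,ou=Policies,dc=laoshiren,dc=com
    EOF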
    
  • 配置用户访问以及更改密码权限

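    # ACLs for the user database.
    # "replace: olcAccess" overwrites every existing rule, so dump the current
    # ones first and merge rather than blindly replacing:
    #   ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b olcDatabase={2}hdb,cn=config olcAccess
    #
    # userPassword: the user may change it (ppolicy still enforces the policy on
    # self-changes), anonymous may only use it to bind, everyone else gets
    # nothing. The original "by * read" let any authenticated user read every
    # password hash for offline cracking.
    # shadowLastChange stays readable because NSS/PAM clients need it for aging.
    # cn=ppolicy,ou=Policies,... is not created anywhere in this guide — replace
    # it with the real administrative identity or drop the clause.
    # NOTE(review): "to * by self write" also lets a user rewrite its own
    # posixAccount attributes (uidNumber/gidNumber) if the entry carries them;
    # narrow it to the attributes users should maintain themselves.
    cat << EOF | ldapmodify -c -Y EXTERNAL -Q -H ldapi:///
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to attrs=userPassword by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by * read
    olcAccess: {2}to * by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by * read
    EOF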
    
  • 密码过期处理

    # Reset the user's password as the manager (-S prompts for the new value).
    # As the original note says, the policy is not applied to this reset —
    # presumably because operations by the rootdn bypass ppolicy checks — so any
    # value is accepted; the user is then subject to pwdMustChange/pwdReset.
    # The simple bind (-x -W) travels in cleartext over ldap://.
    ldappasswd -x -W -S -D "cn=manager,dc=laoshiren,dc=com" -H ldap://172.16.10.220 "uid=linux_user1,ou=People,dc=laoshiren,dc=com"
    
    
  • 配置日志输出界别

    更改日志级别
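    # olcLogLevel -1 means "any": every debug category at once. It is extremely
    # noisy and, with the packet/BER categories included, can write request
    # contents — bind credentials among them — into the log. Use it only while
    # troubleshooting and go back to "stats" (connections/operations/results)
    # afterwards.
    # "replace" works whether or not olcLogLevel is already set; "add" on an
    # existing value leaves both in place.
    cat > log.ldif << EOF
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: -1
    EOF

    ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif

    # When done, restore a production level the same way:
    #   olcLogLevel: stats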
    

测试

  • 测试用户更改密码

    • 尝试1

      输入密码为111111

      # server 端日志:密码未通过策略检查(err=19 为 constraintViolation)
      Jan 12 08:32:12 ldap-server slapd[1296]: conn=1161 op=5 RESULT oid= err=19 text=Password fails quality checking policy
      
    • 尝试2

      输入密码HsJC8m3y

  • 测试用户过期

    以上默认策略中 pwdMaxAge 设为 3600 秒(一小时),仅用于测试,所以一小时后再查询/绑定,输出会显示密码已经过期
