LDAP password policy configuration
Enabling password policy management in OpenLDAP (slapo-ppolicy)
Deployment procedure
-
Import the base objectClass (the ppolicy schema)
# Load the ppolicy schema into cn=config
ldapadd -Y EXTERNAL -H ldapi:/// -f new_ppolicy.ldif

new_ppolicy.ldif is the ppolicy schema shipped with OpenLDAP 2.4 (schema/ppolicy.ldif). Its contents:

dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )

On OpenLDAP 2.5 and later the ppolicy schema is compiled into the overlay itself; skip this step there, since loading the file again is rejected as a duplicate definition.
-
Configure the module list: load accesslog, auditlog, ppolicy and memberof

cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap:/usr/lib/openldap
olcModuleLoad: accesslog.la
olcModuleLoad: auditlog.la
olcModuleLoad: memberof.la
olcModuleLoad: ppolicy.la
EOF

olcModulePath is single-valued, so several directories go into one colon-separated value rather than a repeated attribute. Only ppolicy.la is needed for the rest of this page; the other three modules do nothing until their overlays are configured. If cn=config already contains a module list entry (cn=module{0},cn=config), you can instead add olcModuleLoad: ppolicy.la to that entry with ldapmodify.
-
Configure the database overlay

cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF

The database name {2}hdb must match your own server; search cn=config for olcDatabase=* first (an mdb database appears as olcDatabase={N}mdb). olcPPolicyDefault names the policy applied to every entry that has no pwdPolicySubentry of its own; the entry is created two steps below. olcPPolicyHashCleartext: TRUE makes slapd hash clear-text userPassword values arriving in add or modify operations (with the hash configured by olcPasswordHash, {SSHA} by default); without it, whatever the client sends is stored as-is. olcPPolicyUseLockout: TRUE returns the accountLocked error to a client binding to a locked account instead of a plain invalidCredentials, which tells an attacker which accounts are locked; slapo-ppolicy(5) does not recommend it, and the default FALSE is the safer choice for an exposed directory.
-
Create the container for the policy entries

cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
dn: ou=Policies,dc=laoshiren,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
EOF
-
Create the default password policy
For the meaning of each pwd* attribute see slapo-ppolicy(5) on the OpenLDAP site; searching the page for the attribute name is enough.

cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
dn: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
cn: pwdDefault
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOF

What these values mean in practice: pwdPolicy is auxiliary, so objectClass device is there only to provide a structural class that allows cn; pwdPolicyChecker only matters once a pwdCheckModule is set. pwdMaxAge 3600 expires passwords after one hour, deliberately short for the expiry test at the end of this page; pwdExpireWarning 1209600 (14 days) is larger than pwdMaxAge, which means every bind carries an expiry warning from the moment the password is set, so in a real policy keep it smaller than pwdMaxAge. pwdCheckQuality 2 rejects a new password whenever its quality cannot be checked (for example when the client sends an already hashed value); without a pwdCheckModule the only quality rule enforced is pwdMinLength 8. pwdMustChange TRUE flags any password set by someone other than the user (pwdReset) so that the user must change it at the next login. pwdLockout TRUE with pwdMaxFailure 3, pwdFailureCountInterval 1800 and pwdLockoutDuration 900 locks an account for 15 minutes after three failed binds within 30 minutes, and pwdGraceAuthNLimit 0 allows no further binds once the password has expired.
# Inspect the user's operational attributes (the user must already exist)
ldapsearch -x -b "uid=linux_user1,ou=People,dc=laoshiren,dc=com" +

The "+" requests operational attributes, which is where slapo-ppolicy keeps its state: pwdChangedTime, pwdFailureTime (one value per recorded failed bind), pwdAccountLockedTime, pwdReset, pwdGraceUseTime and pwdHistory, plus pwdPolicySubentry when a non-default policy is attached. They only appear for passwords set after the overlay was enabled, and an anonymous search (-x without -D) shows them only if the ACLs permit it; bind as the rootdn if the result comes back empty.
Extensions
-
Force the user to change their password at next login

cat << EOF | ldapmodify -x -D "cn=manager,dc=laoshiren,dc=com" -W -H ldap://172.16.10.220
dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF

pwdReset is the operational attribute slapo-ppolicy sets itself when pwdMustChange is TRUE and someone other than the user (here the rootdn) sets the password; setting it by hand has the same effect. While it is TRUE the user can still bind, but every other operation is refused ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") until they change their own password. Use -W to be prompted for the manager password rather than passing it with -w on the command line, where it ends up in the shell history and the process list.
-
Remove the forced-change flag from the user

cat << EOF | ldapmodify -x -D "cn=manager,dc=laoshiren,dc=com" -W -H ldap://172.16.10.220
dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
changetype: modify
delete: pwdReset
EOF
-
Using different password policies for different users

# For service accounts it is safer not to let the password expire: an expired credential takes the service down. Compensate with a long minimum length, and disable lockout so that a flood of failed binds cannot be used to knock the service offline.
cat << EOF | ldapadd -x -D cn=manager,dc=laoshiren,dc=com -W
dn: cn=servicesaccounts,ou=Policies,dc=laoshiren,dc=com
cn: servicesaccounts
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 15
pwdMustChange: FALSE
pwdSafeModify: FALSE
EOF

A policy entry has no effect until it is attached to someone: as the rootdn, set the operational attribute pwdPolicySubentry on each service account's entry to this policy's DN (ldapmodify, replace: pwdPolicySubentry). Entries without pwdPolicySubentry keep using the olcPPolicyDefault policy.
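Both policies above are easy to get subtly wrong; pwdDefault, for instance, sets a 14-day pwdExpireWarning against a one-hour pwdMaxAge. The following is an added example and not code from the original post: a small Python linter that parses a pwdPolicy LDIF entry as written on this page and reports inconsistencies before it is loaded, using the attribute semantics from slapo-ppolicy(5). The two embedded sample entries are copied from this page; the check messages are the example's own.

```python
"""Lint a slapo-ppolicy pwdPolicy LDIF entry before loading it (added example, not from the
original post): reports inconsistencies between its pwd* attributes, following the semantics
in slapo-ppolicy(5) and draft-behera-ldap-password-policy."""
INTEGER_ATTRS = {"pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality", "pwdMinLength",
                 "pwdExpireWarning", "pwdGraceAuthNLimit", "pwdLockoutDuration", "pwdMaxFailure",
                 "pwdFailureCountInterval", "pwdMaxRecordedFailure"}
BOOLEAN_ATTRS = {"pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify"}

def parse_policy(text):
    """Parse one LDIF entry into a dict; pwd* values become int/bool, other attributes stay lists."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folded continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    pol = {}
    for attr, values in entry.items():
        if attr in INTEGER_ATTRS:
            if len(values) != 1 or not values[0].isdecimal():
                raise ValueError(f"{attr} must be a single non-negative integer, got {values}")
            pol[attr] = int(values[0])
        elif attr in BOOLEAN_ATTRS:
            if len(values) != 1 or values[0] not in ("TRUE", "FALSE"):
                raise ValueError(f"{attr} must be TRUE or FALSE, got {values}")
            pol[attr] = values[0] == "TRUE"
        else:
            pol[attr] = values
    return pol

def lint_policy(text):
    """Return a list of findings for a pwdPolicy LDIF entry; an empty list means it is consistent."""
    pol = parse_policy(text)
    findings = []
    if "pwdPolicy" not in pol.get("objectClass", []):
        findings.append("missing objectClass pwdPolicy: slapd will not treat this entry as a policy")
    if pol.get("pwdAttribute") != ["userPassword"]:
        findings.append("pwdAttribute must be userPassword, the only attribute slapo-ppolicy supports")
    max_age = pol.get("pwdMaxAge", 0)
    if max_age and pol.get("pwdExpireWarning", 0) >= max_age:
        findings.append("pwdExpireWarning must be smaller than pwdMaxAge; as written, every bind "
                        "carries an expiry warning from the moment the password is set")
    if pol.get("pwdLockout") and pol.get("pwdMaxFailure", 0) == 0:
        findings.append("pwdLockout TRUE does nothing while pwdMaxFailure is 0 (unlimited failures)")
    if pol.get("pwdCheckQuality", 0) > 0 and "pwdCheckModule" not in pol:
        findings.append("pwdCheckQuality without pwdCheckModule only enforces pwdMinLength; "
                        "no character-class or dictionary check is performed")
    return findings

# This page's default policy, copied verbatim (pwdMaxAge 3600 is the author's one-hour test value).
PWD_DEFAULT = """\
dn: cn=pwdDefault,ou=Policies,dc=laoshiren,dc=com
cn: pwdDefault
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
"""

# This page's service-account policy, copied verbatim.
SERVICE_ACCOUNTS = """\
dn: cn=servicesaccounts,ou=Policies,dc=laoshiren,dc=com
cn: servicesaccounts
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 15
pwdMustChange: FALSE
pwdSafeModify: FALSE
"""
```

Run lint_policy on the text you are about to pipe into ldapadd; pwdDefault yields two findings (the expiry warning larger than pwdMaxAge, and a quality check that only measures length), servicesaccounts none. A policy with a bad integer or boolean raises before slapd would have rejected it with a less specific error.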
-
Grant users access to, and the right to change, their own password

# Allow users to change their own password
cat << EOF | ldapmodify -c -Y EXTERNAL -Q -H ldapi:///
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn="cn=ppolicy,ou=Policies,dc=laoshiren,dc=com" write by * read
EOF

Three things to check before applying this. The userPassword rule must end in by * none, never by * read: ACL evaluation stops at the first matching clause, so a trailing read grant would let every authenticated user retrieve every other account's password hash for offline cracking. replace: olcAccess discards all existing ACLs on the database, so read the current set back from cn=config and merge these rules into it rather than overwriting. And the cn=ppolicy,ou=Policies DN given write access here is not created anywhere on this page; it grants nothing unless such an entry exists, so either create the account it refers to or drop those clauses.
-
Handling an expired password

# Reset the user's password as the rootdn. The rootdn is not subject to the policy's quality and history checks, so any value is accepted here.
ldappasswd -H ldap://172.16.10.220 -x -D "cn=manager,dc=laoshiren,dc=com" -W -S "uid=linux_user1,ou=People,dc=laoshiren,dc=com"

-S prompts for the new password and -W for the manager's. The change refreshes pwdChangedTime, so the one-hour pwdMaxAge clock starts again, and because pwdMustChange is TRUE and the change was not made by the user, slapd sets pwdReset: TRUE on the entry: the user can bind but must choose their own password before doing anything else.
-
Configure the log level

cat log.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif

-1 enables every debug category and is far too noisy for anything beyond a short troubleshooting session; for the conn=/op=/RESULT lines used in the tests below, olcLogLevel: stats (256) is sufficient and is the usual production setting. The LDIF uses replace so that it works whether or not olcLogLevel was already set.
Testing
-
Test a user changing their own password
-
Attempt 1
Enter the password 111111
# Server side: the password fails the policy check. err=19 is constraintViolation; six characters is below pwdMinLength: 8.
Jan 12 08:32:12 ldap-server slapd[1296]: conn=1161 op=5 RESULT oid= err=19 text=Password fails quality checking policy
-
Attempt 2
Enter the password HsJC8m3y, which satisfies pwdMinLength: 8 and is accepted. Note that without a pwdCheckModule this length rule is the only quality check slapd performs: an eight-character password such as aaaaaaaa would pass just the same.
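With stats logging enabled, the bind failures that drive pwdMaxFailure and err=19 rejections like the one above can be read straight out of the slapd log. The following is an added example and not part of the original post: a Python script that correlates BIND and RESULT lines by conn=/op=, counts err=49 (invalidCredentials) per DN inside the policy's pwdFailureCountInterval and flags the DNs that reached pwdMaxFailure, i.e. the accounts slapo-ppolicy will have locked. The sample log lines are constructed to match slapd's stats format (only the err=19 line is the one quoted on this page), and the year 2024 is assumed because syslog timestamps carry none.

```python
"""Detect bind brute force and password-policy rejections in slapd stats logs.

Added example, not from the original post. slapd logs each operation as a BIND
line carrying the DN and a separate RESULT line carrying the error code, tied
together by conn=/op=. err=49 results are counted per DN inside a sliding window
of pwdFailureCountInterval seconds; reaching pwdMaxFailure is reported as a
lockout. err=19 results (the "Password fails quality checking policy" line quoted
on this page) are tallied separately.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
                  r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=\d+')
RESULT = re.compile(r"^RESULT (?:tag=\d+|oid=\S*) err=(?P<err>\d+) text=(?P<text>.*)$")

INVALID_CREDENTIALS = 49   # wrong password (also a locked account unless use_lockout is set)
CONSTRAINT_VIOLATION = 19  # slapo-ppolicy rejected the new password

def parse_ts(text, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def analyse(lines, max_failure, interval, year):
    """Return ({dn: [time the failure count hit max_failure]}, [(time, text) of err=19 results])."""
    pending = {}                  # (conn, op) -> DN of an in-flight simple bind
    window = defaultdict(deque)   # DN -> timestamps of failures still inside the interval
    lockouts = defaultdict(list)
    quality_rejections = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        key = (m["conn"], m["op"])
        b = BIND.match(m["rest"])
        if b:
            pending[key] = b["dn"]
            continue
        r = RESULT.match(m["rest"])
        if not r:
            continue
        err = int(r["err"])
        dn = pending.pop(key, None)
        if err == CONSTRAINT_VIOLATION:
            quality_rejections.append((ts, r["text"]))
        elif dn is not None and err == INVALID_CREDENTIALS:
            q = window[dn]
            q.append(ts)
            if interval:  # pwdFailureCountInterval 0 means failures never age out
                while q and (ts - q[0]).total_seconds() >= interval:
                    q.popleft()
            if max_failure and len(q) == max_failure:   # the failure that triggers the lockout
                lockouts[dn].append(ts)
        elif dn is not None and err == 0:
            window[dn].clear()    # a successful bind clears pwdFailureTime on the server too
    return dict(lockouts), quality_rejections

# Constructed sample in slapd's stats format; only the err=19 line is quoted from this page.
SAMPLE_LOG = """\
Jan 12 08:30:01 ldap-server slapd[1296]: conn=1150 op=0 BIND dn="uid=linux_user1,ou=People,dc=laoshiren,dc=com" method=128
Jan 12 08:30:01 ldap-server slapd[1296]: conn=1150 op=0 RESULT tag=97 err=49 text=
Jan 12 08:30:03 ldap-server slapd[1296]: conn=1151 op=0 BIND dn="uid=linux_user1,ou=People,dc=laoshiren,dc=com" method=128
Jan 12 08:30:03 ldap-server slapd[1296]: conn=1151 op=0 RESULT tag=97 err=49 text=
Jan 12 08:30:04 ldap-server slapd[1296]: conn=1152 op=0 BIND dn="uid=linux_user2,ou=People,dc=laoshiren,dc=com" method=128
Jan 12 08:30:04 ldap-server slapd[1296]: conn=1152 op=0 BIND dn="uid=linux_user2,ou=People,dc=laoshiren,dc=com" mech=SIMPLE ssf=0
Jan 12 08:30:04 ldap-server slapd[1296]: conn=1152 op=0 RESULT tag=97 err=0 text=
Jan 12 08:30:06 ldap-server slapd[1296]: conn=1153 op=0 BIND dn="uid=linux_user1,ou=People,dc=laoshiren,dc=com" method=128
Jan 12 08:30:06 ldap-server slapd[1296]: conn=1153 op=0 RESULT tag=97 err=49 text=
Jan 12 08:32:12 ldap-server slapd[1296]: conn=1161 op=5 RESULT oid= err=19 text=Password fails quality checking policy
"""

def analyse_sample():
    """Run the detector over the sample with this page's pwdDefault values (3 failures in 1800 s)."""
    return analyse(SAMPLE_LOG.splitlines(), max_failure=3, interval=1800, year=2024)
```

Feed a real log through analyse() with the pwdMaxFailure and pwdFailureCountInterval of the policy in force; the DNs it reports should have a pwdAccountLockedTime on the server, which makes the script a useful cross-check that lockout is really taking effect.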
-
-
Test password expiry
In the default policy above I set pwdMaxAge to 3600, i.e. one hour, so a bind by this user after that hour is reported as expired (passwordExpired in the ppolicy response control), and because pwdGraceAuthNLimit is 0 the bind is refused.
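Reading the ldapsearch "+" output by eye is error-prone: pwdAccountLockedTime stays on the entry after the lockout duration has elapsed (slapd removes it at the next successful bind), pwdFailureTime values older than pwdFailureCountInterval no longer count, and the value 000001010000Z means an administrative lock rather than a timestamp. The following is an added example and not code from the original post: a Python helper that evaluates a user's ppolicy state from those operational attributes and the policy values. The sample entry is constructed (timestamps invented around the 08:32:12 log time quoted above, with the year 2024 assumed); the policy values are this page's pwdDefault.

```python
"""Interpret the pwd* operational attributes that slapo-ppolicy keeps on a user entry.

Added example, not from the original post. Given the `ldapsearch ... +` output for a
user and the policy values, it reports password expiry, counted bind failures and
lockout state, handling the stale pwdAccountLockedTime left after a lockout expires
and the special administrative-lock value.
"""
from datetime import datetime, timedelta, timezone

ADMIN_LOCK = "000001010000Z"  # pwdAccountLockedTime value meaning "locked until an admin clears it"

def parse_generalized_time(value):
    """LDAP GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.ffffff]Z, always UTC."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def parse_ldapsearch(text):
    """Collect the attribute: value lines of one ldapsearch entry into {attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            attrs.setdefault(attr.strip(), []).append(value.strip())
    return attrs

def account_status(attrs, policy, now):
    """Evaluate a user's ppolicy state at `now` (an aware UTC datetime)."""
    status = {"password_expired": False, "expiry_warning": False, "locked": False, "locked_until": None}
    changed = attrs.get("pwdChangedTime")
    if changed and policy.get("pwdMaxAge", 0):
        expires_at = parse_generalized_time(changed[0]) + timedelta(seconds=policy["pwdMaxAge"])
        remaining = (expires_at - now).total_seconds()
        status["password_expires_at"] = expires_at
        status["password_expired"] = remaining <= 0
        status["expiry_warning"] = 0 < remaining <= policy.get("pwdExpireWarning", 0)
    # pwdReset is set when someone other than the user (e.g. the rootdn) changed the password
    status["must_change"] = attrs.get("pwdReset", ["FALSE"])[0] == "TRUE"
    # Only failures inside pwdFailureCountInterval count towards pwdMaxFailure (0 means all of them)
    failures = [parse_generalized_time(v) for v in attrs.get("pwdFailureTime", [])]
    interval = policy.get("pwdFailureCountInterval", 0)
    if interval:
        failures = [t for t in failures if (now - t).total_seconds() < interval]
    status["counted_failures"] = len(failures)
    status["at_failure_limit"] = bool(policy.get("pwdMaxFailure")) and len(failures) >= policy["pwdMaxFailure"]
    status["grace_remaining"] = max(0, policy.get("pwdGraceAuthNLimit", 0) - len(attrs.get("pwdGraceUseTime", [])))
    locked = attrs.get("pwdAccountLockedTime")
    if locked:
        if locked[0] == ADMIN_LOCK:
            status["locked"] = True   # set by an administrator; cleared only by deleting the attribute
        elif policy.get("pwdLockout"):
            duration = policy.get("pwdLockoutDuration", 0)
            if duration == 0:
                status["locked"] = True   # duration 0: locked until an administrator intervenes
            else:
                until = parse_generalized_time(locked[0]) + timedelta(seconds=duration)
                # slapd leaves the attribute in place until the next successful bind, so compare times
                status["locked"] = now < until
                status["locked_until"] = until
    return status

# Constructed sample of `ldapsearch -x -b uid=linux_user1,... +` output; the times are invented
# around the 08:32:12 log timestamp quoted on this page, with the year 2024 assumed.
SAMPLE_ENTRY = """\
dn: uid=linux_user1,ou=People,dc=laoshiren,dc=com
pwdChangedTime: 20240112073000Z
pwdFailureTime: 20240112075500.412718Z
pwdFailureTime: 20240112081000.123456Z
pwdFailureTime: 20240112081500.987001Z
pwdAccountLockedTime: 20240112081500Z
"""

# This page's pwdDefault values
PWD_DEFAULT = {"pwdMaxAge": 3600, "pwdExpireWarning": 1209600, "pwdLockout": True,
               "pwdLockoutDuration": 900, "pwdMaxFailure": 3, "pwdFailureCountInterval": 1800,
               "pwdGraceAuthNLimit": 0}

def sample_status(now_gt="20240112083212Z"):
    """Evaluate the constructed sample at a GeneralizedTime instant (default: the page's log time)."""
    return account_status(parse_ldapsearch(SAMPLE_ENTRY), PWD_DEFAULT, parse_generalized_time(now_gt))
```

At 08:32:12 the sample password (set at 07:30) has expired, only two of the three failures are still inside the 30-minute interval, and the lock taken at 08:15 ended at 08:30 even though pwdAccountLockedTime is still present; twelve minutes earlier the same entry was locked with three counted failures and a not-yet-expired password.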