[LINUX] OpenLDAP construction memo

[0 installation](# 0-install) [1 Check settings](# 1-Check settings) 2 Add basic schema [2.1 How to add](# 21-How to add) [2.2 Confirmation method](# 22-Confirmation method) 3 Add password policy [3.1 Add Schema](# 31-Add Schema) [3.2 Confirmation method](# 32-Confirmation method) [4 Server administrator password setting](# 4-Server administrator password setting) [4.1 Creating a file storage directory](# 41-Create a file storage directory) [4.2 Generate Password Hash Value](# 42-Generate Password Hash Value) [4.3 Create File](# 43-Create File) [4.4 Added](# 44-Added) [4.5 Confirmation](# 45-Confirmation) [4.6 How to change](# 46-How to change) [4.6.1 Generate password hash value](# 461-Generate password hash value) [4.6.2 Create File](# 462-Create File) [4.6.3 Confirmation](# 463-Confirmation) [5 Data directory settings](# 5-Data directory settings) [5.1 Check current settings](# 51-Check current settings) [5.2 Change settings (initial settings)](# 52-Change settings Initial settings) [5.2.1 File Preparation](# 521-File Preparation) [5.2.2 Execute](# 522-Execute) [5.2.3 Confirmation of settings after change](# 523-Confirmation of settings after change) [5.3 Change settings (change domain name)](# 53-Change settings Change domain name) [5.3.1 File Preparation](# 531-File Preparation) [5.3.2 Execute](# 532-Execute) [5.3.3 Confirmation of settings after domain change](# 533-Confirmation of settings after domain change) 6 Registration of the organization that manages the basic organization / user account / organization that manages the group [6.1 File Preparation](# 61-File Preparation) [6.2 Registration](# 62-Registration) [6.3 Confirmation](# 63-Confirmation) 7 Network Settings [7.1 IPv4 Settings](# 71-ipv4 Settings) [7.2 Firewall settings](# 72-firewall settings) [7.3 Host name setting](# 73-Host name setting) [7.4 Simple name resolution](# 74-Simple name resolution) [7.5 Encryption](# 75-Encryption) [7.6 Client Machine Settings](# 76-Client Machine Settings) [8 How to add users](# 8-How to add users) [8.1 UNIX command execution](# 81-unix command execution) [8.2 File Preparation](# 82-File Preparation) [8.3 Add to LDAP Directory](# 83-Add to ldap directory) [8.4 How to modify user password](# 84-How to modify user password) [8.4.1 File Preparation](# 841-File Preparation) [8.4.2 Execute](# 842-Execute) [8.5 How to force the user password to change](# 85-How to force the user password to change) [8.5.1 File Preparation](# 851-File Preparation) [8.5.2 Execution](# 852-Execution) Add 9 groups [9.1 File Preparation](# 91-File Preparation) [9.2 Execute](# 92-Execute) [10 Load Password Policy Module](# 10-Load Password Policy Module) [10.1 Addition of organizational unit for password](# 101-Addition of organizational unit for password) [10.2 Add Password Module](# 102-Add Password Module) [10.3 Check if password module has been added](# 103-Check if password module has been added) [10.4 Add Overlay](# 104-Add Overlay) [10.4.1 Database check](# 1041-Database check) [10.4.2 File Preparation](# 1042-File Preparation) [10.4.3 Add overlay](# 1043-Add overlay) [10.5 Password policy input](# 105-Password policy input) [10.5.1 Confirmation of contents](# 1051-Confirmation of contents) [10.5.2 File Preparation](# 1052-File Preparation) [10.5.3 Execution](# 1053-Execution) [10.5.4 Confirmation](# 1054-Confirmation) [10.5.5 Change settings](# 1055-Change settings) [10.5.6 Password Policy Test](# 1056-Password Policy Test) [11 Unlock Password](# 11-Unlock Password) [11.1 File](# 111-File) [11.2 How to unlock](# 112-How to unlock) 12 Edit file descriptor limit [12.1 Check current settings](# 121-Check current settings) [12.2 Change settings](# 122-Change settings) [12.3 Check if the settings are reflected](# 123-Check if the settings are reflected) 13 Log Rotate Settings [13.1 Editing rsyslog.conf](# 131-Editing rsyslogconf) [13.2 Restarting the rsyslog service](# 132-Restarting the rsyslog service) [13.3 Add slapd to logrotate settings](# 133-Add slapd to logrotate settings) 14 SELinux Settings 15 Convenient Commands 16 Reference Information

Goal: Set up a secure LDAP server and check the LDAP entry of the server from the client machine.

Domain: intrajp-test.org, intrajp-test2.org LDAP server: ldap.intrajp-test.org Administrator: Manager LDAP client for testing: client.intrajp-test.org Construction environment: VirtualBox Network: Internal network (172.30.1.0/24) You can add multiple users and their groups. SELinux should be enabled for added security. By the way, the ldif file provided by OpenLDAP exists in/etc/openldap/schema. Note: If there is a space at the end of the ldif file, an error will occur and the cause is difficult to understand, so check carefully before submitting.

0 installation

# yum install openldap openldap-servers openldap-clients
# cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
# systemctl start slapd
# systemctl enable slapd

1 Check settings

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
(Display immediately after installation)
dn: cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config

2 Add basic schema

2.1 How to add

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

2.2 How to check

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
(display)
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config

3 Add password policy

3.1 Adding a schema

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

3.2 Confirmation method

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
(display)
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config

4 Server administrator password setting

4.1 Creating a file storage directory

# mkdir /root/ldif

4.2 Password hash value generation

# slappasswd

(Make a note of the output hash string)

4.3 Creating a file

Note: If there is a space at the end, an error will occur, so check carefully.

# vim /root/ldif/ldaprootpasswd.ldif
====
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: <Hash string output by slappasswd>
====

4.4 Added

# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldaprootpasswd.ldif

(display) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config"

4.5 Confirmation

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootPW

4.6 How to change

4.6.1 Password hash value generation

# slappasswd

(Make a note of the output hash string)

4.6.2 Creating a file

# vim /root/ldif/ldaprootpasswd-replace.ldif
====
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <Hash string output by slappasswd>
====

4.6.3 Confirmation

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootPW

5 Data directory settings

5.1 Check current settings

# ldapsearch -LLL -Y EXTERNAL -H Ldapi:/// -b 'olcDatabase={2}hdb,cn=config'

(display) dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

5.2 Change settings (initial settings)

5.2.1 File preparation

# vim /root/ldif/ldapdomain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=intrajp-test,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=intrajp-test,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=intrajp-test,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: <Hash string output by slappasswd>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="Manager,dc=intrajp-test,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test,dc=org" write by * read

5.2.2 Execution

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain.ldif

5.2.3 Confirmation of settings after change

# ldapsearch -LLL -Y EXTERNAL -H Ldapi:/// -b 'olcDatabase={2}hdb,cn=config'

(display) dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcSuffix: dc=intrajp-test,dc=org olcRootDN: cn=Manager,dc=intrajp-test,dc=org olcRootPW: olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=intrajp-test,dc=org" write by anonymous auth by self write by * nonw olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test,dc=org" write by * read

5.3 Change settings (change domain name)

Try changing to intrajp-test2.org.

5.3.1 File preparation

# vim /root/ldif/ldapdomain-replace.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=intrajp-test2,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=intrajp-test2,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=intrajp-test2,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: <Hash string output by slappasswd>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="Manager,dc=intrajp-test,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test2,dc=org" write by * read

5.3.2 Execution

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain-replace.ldif

5.3.3 Confirmation of settings after domain change

(display) dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcSuffix: dc=intrajp-test,dc=org olcRootDN: cn=Manager,dc=intrajp-test2,dc=org olcRootPW: olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=intrajp-test2,dc=org" write by anonymous auth by self write by * nonw olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=intrajp-test2,dc=org" write by * read

6 Registration of the organization that manages the basic organization / user account / organization that manages the group

6.1 File preparation

# vim /root/ldf/baseldapdomain.ldif

dn: dc=intrajp-test2,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: intrajp-test2 org
dc: intrajp-test2

dn: cn=Manager,dc=intrajp-test2,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Goup,dc=intrajp-test2,dc=org
objectClass: organizationalUnit
ou: Group

6.2 Registration

Add the above entry to the LDAP directory with the following command.

# ldapadd -x -D cn=Manager,dc=intrajp-test2,dc=org -W -f /root/ldif/baseldapdomain.ldif

(display) Enter LDAP Password: adding new entry "dc=intrajp-test2,dc=org" adding new entry "cn=Manager,dc=intrajp-test2,dc=org" adding new entry "ou=People,dc=intrajp-test2,dc=org" adding new entry "ou=Group,dc=intrajp-test2,dc=org"

6.3 Confirmation

# ldapsearch -x -LLL -b "dc=intrajp-test2,dc=org" "(objectClass=*)"

(display) dn: dc=intrajp-test2,dc=org objectClass: top objectClass: dcObject objectClass: organization o: intrajp-test2 org dc: intrajp-test2

dn: cn=Manager,dc=intrajp-test2,dc=org objctClass: organizationalRole cn: Manager description: Directory Manager

dn: ou=People,dc=intrajp-test2,dc=org objectClass: organizationalUnit ou: People

dn: ou=Group,dc=intrajp-test2,dc=org objectClass: organizationalUnit ou: Group

7 Network settings

7.1 IPv4 settings

# vim /etc/sysconfig/network-scripts/ifcfg-enp0s3
====
...
#BOOTPROTO=dhcp
BOOTPROTO=static
IPADDR=172.30.1.2
NETMASK=255.255.255.0
...
====
# systemctl restart network
# ip a

Make sure the IP address is 172.30.1.2.

7.2 Firewall settings

# firewall-cmd --add-service=ldap --permanent

7.3 Host name setting

# hostnamectl set-hostname --static shibbolethidp.intrajp-test2.org

Shut down once, make the network "internal network", and start.

7.4 Simple name resolution

Set each machine name in/etc/hosts of each machine.

# vim /etc/hosts
====
172.30.1.1 ldap.intrajp-test.org
172.30.1.2 shibbolethidp.intrajp-test2.org
172.30.1.101 client1.intrajp-test.org
====

7.5 Encryption

Create a certificate on the server.

Private key creation

# cd /etc/pki/tls/certs/
# make ldaps.key
# openssl rsa -in ldaps.key -out ldaps.key
The password is now empty.
# ls -lt

(display) ldaps.key

Request form creation

# make ldaps.csr

JP KANAGAWA YOKOHAMA Common Name:shibbolethidp.intrajp-test2.org

Check if CSR is done.

# ls -lt

Certificate creation

# openssl req -x509 -days 3650 -in ldaps.csr -key ldaps.key -out ldaps.crt

Check if the certificate is made.

# ls -lt

Move files

# mv ldaps.* /etc/openldap/certs
# chown ldap:ldap /etc/openldap/certs/ldaps.*

Also copy ca-bundle.

# cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs

Check the file

# ls -lt /etc/openldap/certs

Check config once

# ldapsearch -LLL -Y EXTERNAL ldapi:/// -b cn=config

Creating a configuration file

# vim /root/ldif/ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldaps.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldaps.key

Configuration

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ssl.ldif

(display) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"

If the following error is output here, it means that the authority of the certificate is incorrect or the Common Name is not the FQDN (I made a mistake here and got stuck). Also note that if you forget to copy ca-bundle.crt, you will get the same error. (When an error display is output) ldap_modify: Other (e.g., implementation specific) error (80)

Make ldaps available

# vim /etc/sysconfig/slapd

(Change before) SLAPD_URLS="ldapi:/// ldap:///" (After change) SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

# firewall-cmd --add-service=ldaps --permanent

Service restart

# systemctl restart slapd

7.6 Client machine settings

# hostnamectl set-hostname client1.intrajp-test.org
# yum install openldap openldap-clients nss-pam-ldapd
# vim /etc/sysconfig/network-scripts/ifcfg-enp0s3

#BOOTPROTO=dhcp
BOOTPROTO=static
IPADDR=172.30.1.101
NETMASK=255.255.255.0
# vim /etc/hosts

172.30.1.1 ldap.intrajp-test.org
172.30.1.2. shibbolethidp.intrajp-test2.org
172.30.1.101 client1.intrajp-test.org

Ping the server from the client machine.

$ ping ldap.intrajp-test.org
$ ping shibbolethidp.intrajp-test2.org
# systemctl start oddjobd
# systemctl enable oddjobd
# vim /etc/openldap/ldap.conf
(Add the following)
====
TLS_REQUEST allow
====
# authconfig --enableldap --enableldapauth --ldapserver=ldaps://shibbolethidp.intrajp-test2.org --ldapbasedn="dc=intrajp-test2,dc=org" --enablemkhomedir --update

The above command has edited /etc/openldap/ldap.conf.

# shutdown -r now

By the way, why can I log in as an intrajp-user5 user even if I change the server or stop the server? Is it because you are reading the cache?

I tried disabling sssd and now I can't log in. It looks like you're reading the sssd cache. Well, let's put it back.

As written here, even if you delete the cache file, you can not log in if you stop the server. https://www.rootusers.com/how-to-clear-the-sssd-cache-in-linux/

Earlier, I set the shibbolethidp.intrajp-test2.org server as an LDAP server and was able to log in on the client machine even though there was no intrajp-user5 user there because I was reading the sssd cache. .. After deleting all the cache files on the client machine, the intrajp-user5 user can no longer log in. Now let's restore the LDAP server settings to the original ldap.intrajp-test.org server.

# authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap.intrajp-test.org --ldapbasedn="dc=intrajp-test,dc=org" --enablemkhomedir --update

Now you can log in as an intrajp-user5 user from the client machine again.

8 How to add users

8.1 Executing UNIX commands

# useradd <User name>
# passwd <User name>
# less /etc/passwd | grep <User name>

(Remember the uidNumber)

# slappasswd

(Copy the SHA output)

8.2 File preparation

# vim /root/ldif/ldapuser.ldif
====
dn: uid=<User name>,ou=People,dc=intrajp-test,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: <User name>
uid: <User name>
uidNumber: <id number>
gidNumber: <Same as above>
homeDirectory: /home/<User name>
userPassword: <SHA copied>
loginShell: /bin/bash
gecos: <User name>
ShadowLastChange: 0
ShadowMax: 0
ShadowWarning: 0
pwdReset: TRUE
====

8.3 Add to LDAP directory

# ldapadd -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser.ldif

8.4 How to correct user password

8.4.1 File preparation

# vim /root/ldif/ldapuser-replace.ldif
====
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
changetype: modify
replace: userPassword
userPassword: <String output by slappasswd>
====

8.4.2 Execution

# ldapmodify -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser-replace.ldif

8.5 How to force the user password to change

8.5.1 File preparation

# vim /root/ldif/ldapuser-replace-pwdreset.ldif
====
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
changetype: modify
replace: pwdReset
pwdReset: TRUE
====

8.5.2 Execution

# ldapmodify -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapuser-replace-pwdreset.ldif

Add 9 groups

9.1 File preparation

# vim /root/ldif/ldapgroup.ldif
====
dn: cn=<group name>,ou=Group,dc=intrajp-test.dc=org
objectClass: posixGroup
cn: <group name>
gidNUMBER: <id number>
====

9.2 Run

# ldapadd -x -D cn=Manager,dc=intrajp-test,dc=org -W -f /root/ldif/ldapgroup.ldif

10 Load password policy module

10.1 Adding organizationalUnit for password

Add an organaizationalUnit called policies and try to include the password policy in it.

# vim /root/ldif/oupolicy.ldif
====
dn: ou=policies,dc=intrajp-test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: policies
description: Password plicy
====
# ldapadd -x -W -D cn=Manager,dc=intrajp-test,dc=org -f /root/ldif/oupolicy.ldif

10.2 Addition of password module

Create LDIF file for adding modules

# vim /root/ldif/ppolicymodule.ldif
====
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la
====

to add.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ppolicymodule.ldif

I also referred to the following. https://kifarunix.com/implement-openldap-password-policies/amp/ https://meddeb.net/pqchecker/

Make sure the ppolicy.la module is loaded in the LDAP database.

10.3 Check if the password module has been added

# slapcat -n 0 | grep -i module

(display) ...(snip)... olcModuleLoad: {0}ppolicy.la olcModuleLoad: {1}ppolicy ...(snip)...

10.4 Add overlay

10.4.1 Database check

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcDatabase

Go with {2} hdb.

10.4.2 File preparation

# vim /root/ldif/ppolicyoverlay.ldif
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=intrajp-test,dc=org

10.4.3 Add overlay

# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/ppolicyoverlay.ldif

10.5 Enter password policy

10.5.1 Confirmation of contents

# man slapo-ppolicy

See also here (there is an explanation such as pwdMinAge).

https://tools.ietf.org/id/draft-behera-ldap-password-policy-10.html

10.5.2 File preparation

# vim /root/ldif/ppolicy_only.ldif
dn: cn=default,ou=policies,dc=intrajp-test,dc=org
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdCheckModule: check_password.so
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 300
pwdCheckQuality: 1
pwdMinLength: 8
pwdSafeModify: FALSE
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdInHistory: 2
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdReset TRUE

10.5.3 Execution

# ldapadd -x -W -D cn=Manager,dc=intrajp-test,dc=org -f /root/ldif/ppolicy.ldif
(Verification)

10.5.4 Confirmation

# ldapsearch -x -H ldap:/// -D cn=Manager,dc=domain,dc=local -W -b dc=domain,dc=local "(objectClass=pwdPolicy)" -LLL

10.5.5 Change settings

# vim /etc/openldap/check_password.conf
(Changed to the following value)
====
useCracklib 1
minPoints 3
minUpper 1
minLower 1
minDigit 1
minPunct 1
====

The meaning of each value is as follows.

useCracklib : integer. Default value : 1. Set it to 0 to disable cracklib verification. It has no effect if cracklib is not included at compile time.
minPoints : integer. Default value: 3. Minimum number of quality points a new password must have to be accepted. One quality point is awarded for each character class used in the password.
minUpper: integer. Defaut value: 0. Minimum upper characters expected.
minLower: integer. Defaut value: 0. Minimum lower characters expected.
minDigit: integer. Defaut value: 0. Minimum digit characters expected.
minPunct: integer. Defaut value: 0. Minimum punctuation characters expected.

10.5.6 Password policy test

# ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=intrajp-user1,ou=people,dc=intrajp-test,dc=org"
New password: password
Re-enter new password: password
...
Result: Constraint violation (19)

It seems to have worked.

Try to lock the password incorrectly 5 times or more from the client. Check on the server.

# ldapsearch -x -W -H ldap:/// -D "cn=Manager,dc=intrajp-test,dc=org" -b "dc=intrajp-test,dc=org" pwdAccountLockedTime=* pwdAccountLockedTime
(display)
...
# intrajp-user1, People, intrajp-test.org
dn: uid=intrajp-user1,ou=People,dc=intrajp-test,dc=org
pwdAccountLockedTime: 20210103084740Z

Create and apply unlock file

# vim /root/ldif/ppolicy-unlock.ldif
dn:uid=intrajp-user1,ou=people,dc=intrajp-test,dc=org
changetype:modify
delete: pwdAccountLockedTime
# ldapmodify -x -D "cn=Manager,dc=intrajp-test,dc=org" -W -f /root/ldif/ppolicy-unlock.ldif

When I checked it again, it was unlocked.

11 Unlock password

11.1 file

# vim /root/ldif/ppolicy-unlock.ldif
====
dn:uid=intrajp-user1,ou=people,dc=intrajp-test,dc=org
changetype:modify
delete: pwdAccountLockedTime
====

11.2 How to unlock

# ldapmodify -x -D "cn=Manager,dc=intrajp-test,dc=org" -W -f /root/ldif/ppolicy-unlock.ldif

12 Edit file descriptor limit

12.1 Check current settings

# grep "Max open files" /proc/$(pidof slapd)/limits

(display) Max open files 1024 4096 files

12.2 Change settings

# mkdir /etc/systmd/system/slapd.service.d
# vim /etc/systemd/system/slapd.service.d/override.conf
====
[Service]
LimitNOFILE=65536
LimitNPROC=65536
====

# systemctl daemon-reload
# systemctl restart slapd
# grep "Max oprn files" /proc/$(pidof slapd)/limits

(display) Max open files 65536 65536 files

12.3 Check if the settings are reflected

# shutdown -r now
# grep "Max open files" /proc/$(pidof slapd)/limits

(display) Max open files 65536 65536 files

13 Log rotation settings

13.1 Editing rsyslog.conf

Cause rsyslog to spit out slapd logs.

# vim /etc/rsyslog.conf
Add the following
====
local4.* /var/log/slapd/slapd.log
====

13.2 Restarting the rsyslog service

# systemctl restart rsyslog

13.3 Added slapd to logrotate settings

# vim /etc/logrotate.d/syslog
====
Add the following
/var/log/slapd/slapd.log
====

14 SELinux settings

SELinux is set to Enforcing to improve security.

Verification

# sestatus

(display) enforcing

15 Convenient commands

# ldapsearch -x -LLL -b dc=intrajp-test,dc=org
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcDatabase
Check the schema
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
# slapcat -n 0
Check loaded modules
# slapcat -n 0 | grep -i module
# ldapsearch -x -H ldap:/// -D cn=Manager,dc=intrajp-test,dc=org -W -b dc=intrajp-test,dc=org
# ldapsearch -h localhost -x -W -D "cn=Manager,dc=intrajp-test,dc=org" -b 'ou=People,dc=intrajp-test,dc=org'

16 Reference information

(Mainly referred to) https://www.tecmint.com/install-openldap-server-for-centralized-authentication/ (Other references) https://qiita.com/y-araki-qiita/items/6b2dcbf1a39a969d8024 https://qiita.com/gzock/items/f1ac346304653a92c8cb https://qiita.com/pa_pa_paper/items/c3d7f4a28729045167d2 http://kawakamasu.hatenablog.com/entry/2017/06/08/011422 https://www.conversion.co.jp/technology/blog/-/detail/=/blog_id=5836119 https://www.openldap.org/doc/admin24/slapdconf2.html https://nonylene.hatenablog.jp/entry/2017/08/19/022137 https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap (About client machine) https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/ (reference) https://www.server-world.info/query?os=CentOS_7&p=openldap&f=4 (Reference 2) https://www.nedia.ne.jp/blog/tech/2015/09/08/5570 (Further reference) https://www.unix-power.net/networking/post-748

Recommended Posts