STEP ONE - Prepare the environment
Install the openldap-servers-overlays RPM.
Edit slapd.conf and insert the following if it doesn't already exist...
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=company,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
STEP TWO - Install the password check module
The next step is to install a password checker module, if you want to use one. It's easy to say no, but I recommend that you do. Anyway, you can get the source from the LTB repository at:
http://tools.ltb-project.org/projects/ltb/files
This was the only password checker module I found when I was googling for one and it seems to work quite well.
Once you have extracted everything, you will want to edit the Makefile and set the path to your OpenLDAP header files. You probably don't have them installed. If you do, great. If you don't, you can either install the source RPM or grab the source from OpenLDAP here:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=summary
On this web page, just find the OpenLDAP version you need and click on it. Since I am running OpenLDAP v2.3, I clicked on OPENLDAP_REL_ENG_2_3.
On the next page, I clicked on the snapshot link for "Update dates for release OPENLDAP_REL_ENG_2_3_43" since I am running v2.3.43.
After you've extracted the source code, you need to run "./configure" followed by "make depend" so that the generated headers the module needs are present.
That's it. You're done with the OpenLDAP package.
Back to the password checker. Now, I set LDAP_INC in the Makefile to the location where I extracted the OpenLDAP source, as follows:
LDAP_INC=-I/home/user/openldap-src/include \
-I/home/user/openldap-src/servers/slapd
That's it. Now you are ready to compile the module. The output should look like the listing below. By the way, I got an error the first time I ran make. It was because crack/cracklib was not installed. I ran 'yum install cracklib-devel cracklib crack' and that resolved it.
ltb-project-openldap-ppolicy-check-password-1.1 $ make
rm -f check_password.o check_password.so check_password.lo
rm -f -r .libs
gcc -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -DDEBUG -c -I/home/user/openldap-src/include -I/home/user/openldap-src/servers/slapd check_password.c
gcc -shared -o check_password.so check_password.o -lcrack
ltb-project-openldap-ppolicy-check-password-1.1 $
You should now have a check_password.o and a check_password.so file. Copy or move these two files into your module path. In my case, I copied them into /usr/lib64/openldap.
STEP THREE - Configure your server
Restart your openldap server.
Import the LDIF below into your OpenLDAP server. The values I have are for testing purposes; you will need to modify them for your use.
dn: cn=users,ou=ppolicy,dc=company,dc=com
cn: users
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: check_password.so
pwdcheckquality: 2
pwdexpirewarning: 0
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 2
pwdlockout: TRUE
pwdlockoutduration: 600
pwdmaxage: 0
pwdmaxfailure: 4
pwdminage: 30
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
Edit /etc/ldap.conf and insert or modify the following:
pam_password clear
pam_lookup_policy yes
Note: You need to NOT hash the password on the client machine, so that OpenLDAP is able to read the password. That way, the password history will be honored. If you set "pam_password md5" or anything other than clear, password history will not be honored. Don't worry about security though, just make sure you are using TLS. Also, don't worry about OpenLDAP storing the password in the clear, because by default it doesn't; the ppolicy_hash_cleartext directive from step one makes sure of that. It should store it as SSHA, like below. I took this screenshot using phpldapadmin "show internal attributes".
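To see what the pwdPolicy entry above and the SSHA note actually mean for a user, here is an added example (not part of the original post, and not code from OpenLDAP or the LTB project) that models the overlay's checks with the cn=users values: it builds and verifies {SSHA} userPassword values and applies pwdMinAge, pwdMinLength, pwdInHistory and the pwdMaxFailure/pwdLockoutDuration lockout to constructed inputs. Function names, and the use of epoch seconds for pwdChangedTime and pwdFailureTime, are my own assumptions.

```python
import base64
import hashlib
import os

# Values taken from the cn=users pwdPolicy entry in this post.
POLICY = {"pwdMinLength": 8, "pwdInHistory": 2, "pwdMinAge": 30,
          "pwdMaxFailure": 4, "pwdLockoutDuration": 600}


def ssha_hash(password, salt=None):
    """Build the {SSHA} value slapd writes to userPassword (ppolicy_hash_cleartext)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value (20-byte SHA-1 digest, then salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def check_change(new_pw, current, history, changed_at, now, policy=POLICY):
    """Return the first policy attribute that rejects a change, or None if it is allowed.

    current: the {SSHA} value in userPassword; history: pwdHistory values, oldest first;
    changed_at / now: epoch seconds for pwdChangedTime and the time of the request (assumed).
    """
    if now - changed_at < policy["pwdMinAge"]:
        return "pwdMinAge"
    if len(new_pw) < policy["pwdMinLength"]:
        return "pwdMinLength"
    # The overlay compares the new password with the current one and the
    # newest pwdInHistory entries; older history entries are no longer kept.
    for old in [current] + history[-policy["pwdInHistory"]:]:
        if ssha_verify(new_pw, old):
            return "pwdInHistory"
    return None


def is_locked(failure_times, now, policy=POLICY):
    """Model pwdLockout: the pwdMaxFailure-th failed bind sets pwdAccountLockedTime and
    binds are refused for pwdLockoutDuration seconds. With pwdFailureCountInterval 0
    (as above), failures only clear on a successful bind, so the whole list counts."""
    if len(failure_times) < policy["pwdMaxFailure"]:
        return False
    locked_at = failure_times[policy["pwdMaxFailure"] - 1]
    return now < locked_at + policy["pwdLockoutDuration"]
```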
Create the configuration file for the password checker at /etc/openldap/check_password.conf.
The content of the conf file is fully explained on the LTB site:
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password