I'm running CentOS 6.5 and OpenLDAP 2.4.23
Make sure the ppolicy schema exists and add it to cn=schema if it does not.
Make sure your modulepath points to the directory where your ppolicy.la exists.
Example: /usr/lib64/openldap
You're also going to have to add an overlay for ppolicy. Here is an LDIF I exported using my test instance. You can use it if you like.
# LDIF Export for olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config
# Server: Config (127.0.0.1)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on February 22, 2014 3:47 pm
# Version: 1.2.3

version: 1

# Entry 1: olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config
dn: olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config
objectclass: olcOverlayConfig
objectclass: olcPPolicyConfig
olcoverlay: {0}ppolicy
olcppolicydefault: cn=default,ou=ppolicy,dc=test,dc=com
olcppolicyforwardupdates: FALSE
olcppolicyhashcleartext: TRUE
olcppolicyuselockout: TRUE
STEP TWO - Install the password check module
Next step is to install a password checker module, if you want to use a password checker module. It's easy to say no, but I recommend that you do. Anyway, you can get the source from their repository at:
http://tools.ltb-project.org/projects/ltb/files
This was the only password checker module I found when I was googling for one and it seems to work quite well.
Once you extract everything, you will want to edit the Makefile. Set the path to your openldap header files. You probably don't have it installed. If you do, great. If you don't, you can either install the source RPM or you can grab the source from openldap here:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=summary
On this web page, just find the openldap version you need and click on it. Since I am running OpenLDAP v2.4, I clicked on OPENLDAP_REL_ENG_2_4.
On the next page, I clicked on the snapshot link for "Update dates for release OPENLDAP_REL_ENG_2_3_23" since I am running v2.4.23
After you've extracted the source code, you need to execute "./configure" followed by "make depend"
That's it. You're done with the OpenLDAP package.
Back to the password checker. Now, I set LDAP_INC in the Makefile to the location where I extracted the openldap source, as follows:
LDAP_INC=-I/home/user/openldap-src/include \
-I/home/user/openldap-src/servers/slapd
That's it. Now, you are ready to compile the module. See what the output is supposed to look like below. By the way, I got an error the first time I ran make. It was because crack/cracklib was not installed. I ran 'yum install cracklib-devel cracklib crack' and that resolved it.
ltb-project-openldap-ppolicy-check-password-1.1 $ make
rm -f check_password.o check_password.so check_password.lo
rm -f -r .libs
gcc -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -DDEBUG -c -I/home/user/openldap-src/include -I/home/user/openldap-src/servers/slapd check_password.c
gcc -shared -o check_password.so check_password.o -lcrack
ltb-project-openldap-ppolicy-check-password-1.1 $
You should now have a check_password.o and a check_password.so file. Copy or move these two files into your module path. In my case, I copied them into /usr/lib64/openldap.
STEP THREE - Configure your server
Restart your openldap server.
Import the entry below into your openldap server. The values I have are for testing purposes; you will need to modify them for your use.
dn: cn=users,ou=ppolicy,dc=company,dc=com
cn: users
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: check_password.so
pwdcheckquality: 2
pwdexpirewarning: 0
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 2
pwdlockout: TRUE
pwdlockoutduration: 600
pwdmaxage: 0
pwdmaxfailure: 4
pwdminage: 30
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
Edit your ldap.conf and insert or modify the following:
pam_password clear
pam_lookup_policy yes
Note: You need to NOT hash the password on the client machine, so that openldap can read the password. That way, the password history will be honored. If you set "pam_password md5" or anything other than clear, password history will not be honored. Don't worry about security though, just make sure you are using TLS. Also, don't worry about openldap storing the password in the clear because by default it doesn't. It should store it in SSHA like below. I took this screenshot using phpldapadmin "show internal attributes".
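To make the point above concrete, here is an added example (not from the original post and not OpenLDAP's own code) that produces and verifies userPassword values in the {SSHA} form slapd stores when olcPPolicyHashCleartext is TRUE, and shows why history checking needs the cleartext: the server can only compare a submitted password against each stored history value by re-hashing it with that value's own salt. The 8-byte salt length and the helper names (ssha_hash, ssha_verify, storage_scheme, in_history) are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value: base64(SHA1(password + salt) + salt).

    The salt is random per password, so two users with the same password get
    different stored values. 8 bytes is an assumption, not slapd's exact choice.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def storage_scheme(value: str) -> Optional[str]:
    """Return the scheme name of a stored userPassword value ("SSHA", "MD5", ...),
    or None when the value carries no {SCHEME} prefix, i.e. it is stored in clear."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return None


def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the submitted cleartext with the salt recovered from the stored value
    and compare in constant time. A client-side MD5 of the password could never be
    checked this way, which is why pam_password must be 'clear' for history to work."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def in_history(password: str, history: List[str]) -> bool:
    """Model of the pwdInHistory check: the new cleartext is rejected if it matches
    any of the previously stored hashed values (each with its own salt)."""
    return any(ssha_verify(password, old) for old in history)


if __name__ == "__main__":
    # Constructed sample: two old passwords in history, one new candidate.
    history = [ssha_hash("Old1pass!"), ssha_hash("Old2pass!")]
    print("stored as:", history[0], "scheme:", storage_scheme(history[0]))
    print("reuse of Old2pass! rejected:", in_history("Old2pass!", history))
    print("New3pass! rejected:", in_history("New3pass!", history))
```

If "show internal attributes" in phpLDAPadmin ever shows a userPassword value without a {SCHEME} prefix, storage_scheme() would return None for it; that is the condition the note above says the default configuration avoids.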
Create the configuration file for password checker at /etc/openldap/check_password.conf
The content of the conf file is fully explained at the LTB site:
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
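As an added illustration (not code from the post or from the LTB project) of what the check_password.conf parameters do, the following Python reads a constructed conf file in the module's "name value" format and applies the character-class rules to candidate passwords. The parameter names minPoints, minUpper, minLower, minDigit, minPunct and useCracklib are the ones the LTB documentation describes; the exact scoring here and the default values are this example's approximation, and the cracklib dictionary check is parsed but not performed. The min_length argument stands in for the policy's pwdMinLength, which ppolicy itself enforces before the module is called.

```python
from typing import Dict, List, Tuple

# Constructed sample of /etc/openldap/check_password.conf
SAMPLE_CONF = """\
# check_password.conf (constructed sample, not the LTB project's file)
minPoints 3       # distinct character classes required
minUpper 1
minLower 1
minDigit 1
minPunct 0
useCracklib 0     # 1 would also run the cracklib dictionary check
"""

# Defaults applied when a parameter is absent (assumed values for this example).
DEFAULTS: Dict[str, int] = {
    "minPoints": 3, "minUpper": 0, "minLower": 0,
    "minDigit": 0, "minPunct": 0, "useCracklib": 1,
}


def parse_conf(text: str) -> Dict[str, int]:
    """Parse 'name value' lines; blank lines and '#' comments are ignored.
    Unknown names or non-numeric values raise, mirroring the module's
    'Validating parameter' step seen in /var/log/messages."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in DEFAULTS or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        conf[parts[0]] = int(parts[1])
    return conf


def classify(password: str) -> Dict[str, int]:
    """Count characters per class, keyed by the conf parameter that limits them."""
    counts = {"minUpper": 0, "minLower": 0, "minDigit": 0, "minPunct": 0}
    for ch in password:
        if ch.isupper():
            counts["minUpper"] += 1
        elif ch.islower():
            counts["minLower"] += 1
        elif ch.isdigit():
            counts["minDigit"] += 1
        else:
            counts["minPunct"] += 1
    return counts


def check_password(password: str, conf: Dict[str, int],
                   min_length: int = 8) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Every failed rule is reported, which is more
    useful for debugging a policy than the module's single error string."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than pwdMinLength {min_length}")
    counts = classify(password)
    points = sum(1 for c in counts.values() if c > 0)
    if points < conf["minPoints"]:
        reasons.append(f"only {points} character classes, minPoints is {conf['minPoints']}")
    for name, needed in conf.items():
        if name in counts and counts[name] < needed:
            reasons.append(f"{name}: need {needed}, got {counts[name]}")
    return (not reasons, reasons)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for candidate in ("password", "Passw0rd", "Short1!", "Tr0ub4dor!"):
        ok, why = check_password(candidate, conf)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The constructed conf reflects the log line "minPoints 3" quoted later in the comments; lower minUpper/minDigit to 0 and "password" still fails on minPoints alone, which is a quick way to see how the two kinds of rule interact before touching the live server.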
Hi
I did follow this wonderful instruction.
For step one, setup environment, when I try to add the overlay for policy, this is what I got:
Enter LDAP Password:
adding new entry "olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config"
ldap_add: Insufficient access (50)
I just continued with steps 2 and 3.
Step 2 was mostly perfect, with results similar to the given guide.
Step 3: when I try to load the policy, here the message is:
LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax
The pwdAttribute is referring to userPassword. I'm not sure why I can't add the policy with userPassword as the attribute. By reading, a few people suggest upgrading openldap (such as 2.4.36), a few people suggest changing to the OID instead of userPassword. So I did it by changing the value to 2.5.4.35. Only then did it manage to load.
Then I continued the whole guide in step 3. Unfortunately, when I try to do ldapmodify to modify userPassword, I found that it doesn't check against the policy (such as min lower, minimum upper, etc.).
I'd appreciate some input if I missed anything here.
Thanks
If you're getting an insufficient access error, your user probably doesn't have the right privileges. Use the root account, since the root account won't be subjected to any ACL.
Check /var/log/messages to see if the check_password module is being used. Here is example output:
check_password: Got line |minPoints 3 |
check_password: Validating parameter [minPoints]
check_password: Parameter accepted.
Check to make sure pwdCheckModule equals check_password.so
Also, check to make sure that check_password.so is in a location your openldap will look. I placed my check_password.so in /usr/lib64/openldap/. The permission I set is 755, so check your permission too.
Lastly, check to make sure you've created the /etc/openldap/check_password.conf file.
Hi
Thanks for all your responses. At this time I managed to get openldap with policies up.
Just to ask, if we already have a list of IDs in LDAP and there are changes to be made to the password policies, such as password age or password history, what is the proper way to do it? Because after I changed the policy, let's say password age from 30 days to just 15 minutes for testing, it doesn't take effect. I can still use the password after 15 minutes.
Hope for some advice.