Reputation: 595
I need to set a password policy only for a specific OU, and it will be applied to all users that will be created/moved in this OU.
I have OpenLDAP 2.4.44 installed on CentOS 7, and I configured it in this way (I used this guide: https://ktree.com/blog/OpenLDAP-password-policy-implementatio-on-ubuntu.html):
Step 1. Enable the policy overlay. It can be done by installing the schema.
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
For verification, whether it is done or not:
[root@TST-LDAP01]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
Step 2. We need to create the directory entry under which all policies will be stored; filename: policies_1.ldif
$ vim policies_1.ldif
dn: ou=Policies,cn=Manager,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: Password policy config files
To apply to the directory:
$ ldapadd -D cn=Manager,dc=mydomain,dc=com -W -f policies_1.ldif
Step 3. Now we load the module handling the policies.
$ vim policy_module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
To apply to the directory:
$ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_module.ldif
For verification: are the modules loaded?
[root@TST-LDAP01]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}syncprov.la
olcModuleLoad: {1}ppolicy
Step 4. Now tell the directory where to look for the policies.
$ vim policy_overlay.ldif
dn: olcOverlay={1}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
To apply to the directory:
$ ldapadd -Y EXTERNAL -H ldapi:/// -f policy_overlay.ldif
For verification, overlays in use:
[root@TST-LDAP01]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}hdb,cn=config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=Manager,dc=mydomain,dc=com
olcRootPW: {SSHA}1AMIpQs6xbFa8wYre5rdBGm+fCmTCVXz
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
Step 5. Now we can create the default policy objects.
$ vim Default_Policies.ldif
dn: cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 2160000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
To apply to the directory:
$ ldapadd -D cn=Manager,dc=mydomain,dc=com -W -f Default_Policies.ldif
For verification:
[root@TST-LDAP01]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
dn: cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 2160000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Now, is it possible to set Default_Policies only for ou=ExternalUsers,cn=Manager,dc=mydomain,dc=com so that all new users have these settings?
Thanks, Marco
Upvotes: 2
Views: 2694
Reputation: 152
Sorry, I can't comment due to my reputation score, but a similar question was answered here: https://serverfault.com/questions/830147/openldap-password-policy-for-a-group
The following may help, but it is user-specific:
Create a custom policy, for example:
dn: cn=pwdLockoutDuration,ou=Policies,dc=test,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: top
cn: pwdLockoutDuration
pwdAttribute: userPassword
pwdExpireWarning: 500
pwdMaxAge: 600
pwdMaxFailure: 3
Then add a subentry to the user:
dn: cn=test4,ou=Users,dc=test,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=pwdLockoutDuration,ou=Policies,dc=test,dc=com
Upvotes: 2
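Since the answer's pwdPolicySubentry approach is per entry, the practical way to scope the question's DefaultPPolicy to one OU is to stamp that attribute onto every user below the OU. The following script is an added example (not code from the question, the answer, or the OpenLDAP project): it takes the DNs from the thread as assumptions, uses a constructed in-memory list standing in for an ldapsearch result, and emits an idempotent LDIF that adds or replaces pwdPolicySubentry only for entries under the target OU, skipping entries that already carry the policy and ignoring entries elsewhere in the tree. Long lines are folded per RFC 2849 so the output is accepted by ldapmodify as-is.

```python
"""Emit LDIF binding every user under one OU to a pwdPolicy entry.

Added example; it is not part of the question, the answer, or OpenLDAP.
Assumptions: the policy DN and OU DN below come from the thread, and
SAMPLE_ENTRIES is a constructed stand-in for the output of
  ldapsearch -LLL -b <TARGET_OU> '(objectClass=inetOrgPerson)' dn pwdPolicySubentry
flattened to (dn, current_pwdPolicySubentry_or_None).
"""
from __future__ import annotations

POLICY_DN = "cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com"  # from the question
TARGET_OU = "ou=ExternalUsers,cn=Manager,dc=mydomain,dc=com"                # from the question

# Constructed sample entries: two in the OU, one nested below it, one elsewhere.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=ExternalUsers,cn=Manager,dc=mydomain,dc=com", None),
    ("uid=bob,ou=ExternalUsers,cn=Manager,dc=mydomain,dc=com", POLICY_DN),
    ("uid=carol,ou=Staff,cn=Manager,dc=mydomain,dc=com", None),
    ("uid=dave,ou=Contractors,ou=ExternalUsers,cn=Manager,dc=mydomain,dc=com", None),
]


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDN components, trimmed and lower-cased.
    Sufficient for the simple DNs in this thread (no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under_ou(dn: str, ou_dn: str) -> bool:
    """True when dn lies strictly below ou_dn (direct child or nested OU)."""
    parts, base = normalize_dn(dn), normalize_dn(ou_dn)
    return len(parts) > len(base) and parts[-len(base):] == base


def fold_ldif_line(line: str, width: int = 76) -> str:
    """RFC 2849 folding: continuation lines begin with a single space,
    so each physical line, space included, stays within `width`."""
    if len(line) <= width:
        return line
    chunks = [line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n ".join(chunks)


def policy_assignment_ldif(entries, ou_dn: str = TARGET_OU, policy_dn: str = POLICY_DN):
    """Build modify records for entries under ou_dn lacking policy_dn.

    Returns (ldif_text, assigned_dns, already_assigned_dns). Entries outside
    the OU are ignored; entries with a different policy get a replace, so the
    script can be re-run safely after users are moved into the OU.
    """
    records, assigned, already = [], [], []
    for dn, current in entries:
        if not is_under_ou(dn, ou_dn):
            continue  # lives elsewhere; the OU-scoped policy does not apply
        if current is not None and normalize_dn(current) == normalize_dn(policy_dn):
            already.append(dn)
            continue
        op = "add" if current is None else "replace"
        lines = [
            f"dn: {dn}",
            "changetype: modify",
            f"{op}: pwdPolicySubentry",
            f"pwdPolicySubentry: {policy_dn}",
            "-",
        ]
        records.append("\n".join(fold_ldif_line(line) for line in lines))
        assigned.append(dn)
    text = "\n\n".join(records) + ("\n" if records else "")
    return text, assigned, already


if __name__ == "__main__":
    ldif, done, skipped = policy_assignment_ldif(SAMPLE_ENTRIES)
    print(ldif, end="")
    print(f"# assigned: {len(done)}, already had policy: {len(skipped)}")
```

Feed the output to ldapmodify bound as the rootDN (for example `ldapmodify -D cn=Manager,dc=mydomain,dc=com -W -f out.ldif`) and re-run the ldapsearch afterwards to confirm every entry under the OU now shows the attribute; the overlay's olcPPolicyDefault still applies to any entry without one. Because the attribute is set per entry, users created later in the OU need it included in their add LDIF or a re-run of this script, which is exactly why the script is written to be idempotent.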