aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 21:11:29 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 21:11:29 +0100
commit27316fbb6a341287d5f0d3ec32a62ac2f332fdba (patch)
treea4ddf9065e1220491a50bd20b9cbd6949ee0aabf
parentc4b39c091e413d196112a94352654a4803ed3c84 (diff)
Added a (mild) password policy for our services.
-rw-r--r--ldap/base.ldif43
-rw-r--r--ldap/ppolicy.ldif2
2 files changed, 37 insertions, 8 deletions
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 81e8874..9dee5da 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -13,14 +13,31 @@ dn: o=mailHosting,dc=fripost,dc=dev
objectClass: organization
description: Mail hosting
-dn: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+dn: ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalUnit
+description: Password Policies
+
+# The password policy for our users, hardened to counter brute-force
+# attacks. (Account are locked for 15min after 3 consecutive password
+# mismatchs with less than 5min in between.)
+dn: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
+description: The Password Policy for our virtual users
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
+pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdFailureCountInterval: 300
-pwdMaxFailure: 3
+
+# The password policy for our services, not hardened since not facing
+# the internet.
+dn: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalRole
+description: The Password Policy for our services
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdLockout: FALSE
dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
@@ -38,29 +55,41 @@ dn: ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
dn: cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
objectClass: organizationalRole
-userPassword: postfix
description: Where Postfix binds to for its LDAP lookups.
+objectClass: simpleSecurityObject
+userPassword: postfix
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The entity that is authorized to add list commands
+objectClass: simpleSecurityObject
userPassword: createlist
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Delete expired pending entries
+objectClass: simpleSecurityObject
userPassword: deletependingentries
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The adminstrator Web Panel
+objectClass: simpleSecurityObject
userPassword: {CLEARTEXT}panel
# NOTE: ^ The password needs to be stored clear for DIGEST-MD5 SASL authentication
authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
# NOTE: ^ This is an expensive operation, and requires search perms for the service.
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
diff --git a/ldap/ppolicy.ldif b/ldap/ppolicy.ldif
index 60b52aa..6733b1e 100644
--- a/ldap/ppolicy.ldif
+++ b/ldap/ppolicy.ldif
@@ -21,6 +21,6 @@
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
-olcPPolicyDefault: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+olcPPolicyDefault: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE