From 27316fbb6a341287d5f0d3ec32a62ac2f332fdba Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 30 Jan 2013 21:11:29 +0100
Subject: Added a (mild) password policy for our services.

---
 ldap/base.ldif | 43 ++++++++++++++++++++++++++++++++++++-------
 ldap/ppolicy.ldif | 2 +-
 2 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/ldap/base.ldif b/ldap/base.ldif
index 81e8874..9dee5da 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -13,14 +13,31 @@ dn: o=mailHosting,dc=fripost,dc=dev
 objectClass: organization
 description: Mail hosting
 
-dn: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+dn: ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalUnit
+description: Password Policies
+
+# The password policy for our users, hardened to counter brute-force
+# attacks. (Account are locked for 15min after 3 consecutive password
+# mismatchs with less than 5min in between.)
+dn: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalRole
+description: The Password Policy for our virtual users
 objectClass: pwdPolicy
 pwdAttribute: userPassword
 pwdLockout: TRUE
+pwdMaxFailure: 3
 pwdLockoutDuration: 900
 pwdFailureCountInterval: 300
-pwdMaxFailure: 3
+
+# The password policy for our services, not hardened since not facing
+# the internet.
+dn: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalRole
+description: The Password Policy for our services
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdLockout: FALSE
 
 dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
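Review bot: The new comment above cn=users has two typos and should tie its numbers to the attributes it describes; suggested wording: `# The password policy for our users, hardened to counter brute-force` / `# attacks: an account is locked for 15min (pwdLockoutDuration) after 3` / `# consecutive mismatches (pwdMaxFailure) less than 5min apart (pwdFailureCountInterval).` A lockout this cheap also means any client that can reach the bind port can lock an arbitrary user out for 15 minutes with three wrong guesses, a trade-off worth recording next to the policy so it is not tightened further without considering it. The cn=services comment justifies pwdLockout: FALSE by the services not facing the internet, but nothing in this LDIF shows what restricts where those DNs may bind from; naming that control (or the file that holds it) in the comment would make the exemption auditable.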
@@ -38,29 +55,41 @@ dn: ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
 
 dn: cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
 objectClass: organizationalRole
-userPassword: postfix
 description: Where Postfix binds to for its LDAP lookups.
+objectClass: simpleSecurityObject
+userPassword: postfix
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
 
 dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The entity that is authorized to add list commands
+objectClass: simpleSecurityObject
 userPassword: createlist
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
 
 dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: Delete expired pending entries
+objectClass: simpleSecurityObject
 userPassword: deletependingentries
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
 
 dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
-objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The adminstrator Web Panel
+objectClass: simpleSecurityObject
 userPassword: {CLEARTEXT}panel
 # NOTE: ^ The password needs to be stored clear for DIGEST-MD5 SASL authentication
 authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
 #authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
 # NOTE: ^ This is an expensive operation, and requires search perms for the service.
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
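Review bot: `objectClass: pwdPolicy` and `pwdAttribute: userPassword` on each of the four service entries look unnecessary and are misleading: in slapo-ppolicy, `pwdPolicySubentry` is an operational attribute that the overlay reads from the subject entry to locate its policy, while the pwdPolicy class (and its mandatory pwdAttribute) belongs on the policy objects under ou=ppolicies, not on the entries the policy governs — please confirm against the ppolicy schema shipped with the slapd version in use. As written, each service entry is itself a syntactically complete policy object with default settings, which anyone auditing "which policy applies to whom" has to reason past. If the extra classes are dropped, `pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev` is the only line each entry needs, and a one-line comment above the first of them saying that this opts the services out of the default (locking) policy would explain why it is there.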
diff --git a/ldap/ppolicy.ldif b/ldap/ppolicy.ldif
index 60b52aa..6733b1e 100644
--- a/ldap/ppolicy.ldif
+++ b/ldap/ppolicy.ldif
@@ -21,6 +21,6 @@ dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcPPolicyConfig
-olcPPolicyDefault: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+olcPPolicyDefault: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
 olcPPolicyHashCleartext: TRUE
 olcPPolicyUseLockout: FALSE
-- 
cgit v1.2.3
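Review bot: With the default policy now pointing at the lockout-enabled cn=users entry, every entry without a pwdPolicySubentry of its own — including any service DN added later without that explicit reference — inherits the 3-failure lockout, and nothing in this file records that; a comment next to olcPPolicyDefault such as `# Default policy locks accounts after 3 failures; service DNs opt out via pwdPolicySubentry in base.ldif` would make the cross-file dependency visible. The unchanged `olcPPolicyUseLockout: FALSE` means a locked account still gets invalidCredentials rather than accountLocked, so a lockout (including one triggered by someone else's failed binds) is only visible in slapd's logs and the entry's pwdAccountLockedTime, which is worth noting for whoever handles account support. This also assumes base.ldif has been loaded before this config so the referenced DN resolves; if load order is not already enforced elsewhere, the comment should say so.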