From c4b39c091e413d196112a94352654a4803ed3c84 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 30 Jan 2013 20:28:47 +0100
Subject: Password policy

---
 ldap/Makefile | 10 +++++++++-
 ldap/base.ldif | 11 ++++++++++-
 ldap/constraint.ldif | 4 ++++
 ldap/database.ldif | 7 ++++---
 ldap/modules.ldif | 3 +++
 ldap/ppolicy.ldif | 26 ++++++++++++++++++++++++++
 6 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 ldap/ppolicy.ldif

diff --git a/ldap/Makefile b/ldap/Makefile
index 5efa7e7..d023d1c 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -32,9 +32,14 @@ install-mx:
 
 install:
 # WARN!
+# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+# ldapadd -Y EXTERNAL -H ldapi:/// -f modules.ldif
+# ldapadd -Y EXTERNAL -H ldapi:/// -f database.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
 	ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
@@ -49,7 +54,6 @@ install-schema:
 install-acl:
 	@sed "s/^dn: olcDatabase={.*}hdb,cn=config$$/dn: $(NUM)/" acl.ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
 
-
 uninstall:
 	@echo "The database - suffix \"$(SUFFIX)\" - will be saved into \`$(BACKUPDB)' (if non-empty), and then *cleared* (but not deleted)."
 	@echo "Also, its ACLs, indexes and constraints will be cleared as well, if there are any."
@@ -86,6 +90,10 @@ uninstall:
 	@if test -d "$(TMPSLAPD)/$(NUM2)"; then \
 	echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
 	;fi
+#
+	@if test -d "$(TMPSLAPD)/$(NUM2)"; then \
+	echo "Deleting ppolicy" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}ppolicy.ldif" -delete \
+	;fi
 #
 	@/etc/init.d/slapd stop
 #
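Review bot: The new `ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif` line in the `install` recipe attaches the overlay to whatever database happens to be `olcDatabase={1}hdb`, because ppolicy.ldif hard-codes that DN, whereas `install-acl` in the next hunk already rewrites the database DN with `sed … dn: $(NUM)`. Piping the new file through the same substitution, `@sed "s/^dn: olcOverlay=ppolicy,olcDatabase={.*}hdb,cn=config$$/dn: olcOverlay=ppolicy,$(NUM)/" ppolicy.ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///`, keeps the password policy on the intended database on a host where the mail database is not number 1 — an overlay silently attached to the wrong database means no lockout at all for the mail users. The three commented-out `ldapadd` lines above it describe a bootstrap order (schema, modules, database) that `install` depends on but neither performs nor checks; a comment stating why they are disabled, or a prerequisite on the target that performs those steps, would make that dependency explicit instead of leaving dead recipe lines.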
diff --git a/ldap/base.ldif b/ldap/base.ldif
index c102beb..81e8874 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -13,6 +13,14 @@ dn: o=mailHosting,dc=fripost,dc=dev
 objectClass: organization
 description: Mail hosting
 
+dn: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalRole
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdLockoutDuration: 900
+pwdFailureCountInterval: 300
+pwdMaxFailure: 3
 
 dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
@@ -51,7 +59,8 @@ dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The adminstrator Web Panel
-userPassword: panel
+userPassword: {CLEARTEXT}panel
+# NOTE: ^ The password needs to be stored clear for DIGEST-MD5 SASL authentication
 authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
 #authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
 # NOTE: ^ This is an expensive operation, and requires search perms for the service.
diff --git a/ldap/constraint.ldif b/ldap/constraint.ldif
index f909c6b..9466e86 100644
--- a/ldap/constraint.ldif
+++ b/ldap/constraint.ldif
@@ -7,6 +7,10 @@
 #
 # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
 #
+# Note: There is no clean way to remove/replace overlays, other than
+# stopping slapd and digging into the slapd.d directory:
+# http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
+#
 #
 # References:
 # - http://www.openldap.org/doc/admin24/overlays.html#Constraints
diff --git a/ldap/database.ldif b/ldap/database.ldif
index eb94b87..e2c7071 100644
--- a/ldap/database.ldif
+++ b/ldap/database.ldif
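Review bot: `pwdMaxFailure: 3` together with `pwdLockout: TRUE` lets anyone who can guess a user's bind DN lock that user out of mail for the full `pwdLockoutDuration` (15 min) with three bad binds, and the `authzTo` regex in the next hunk shows user DNs are built from `fvl`/`fvd` values that look like local part and domain, i.e. from the e-mail address; for a mail service that trade-off deserves a comment on the entry, and a higher threshold such as `pwdMaxFailure: 10` or a shorter `pwdLockoutDuration` limits the denial-of-service without giving up much brute-force resistance. As the `olcPPolicyDefault`, this policy also governs every entry under `o=mailHosting` that authenticates with a simple bind — including the service accounts under `ou=services` if any of them bind that way — unless they carry a `pwdPolicySubentry` pointing at a policy without lockout; locking a service account is a larger outage than locking one mailbox, so that exemption is worth deciding explicitly. slapo-ppolicy records lockout state by writing `pwdFailureTime`/`pwdAccountLockedTime` to the entry on each failed bind, so if this database is ever a syncrepl consumer (syncprov is loaded in modules.ldif) the overlay will need `olcPPolicyForwardUpdates` for those writes to reach the provider — worth confirming against the intended topology. Nothing here sets `pwdMinLength`, `pwdCheckQuality` or `pwdInHistory`; if brute-force throttling is the only goal, a one-line comment saying so would keep the next reader from adding them blindly.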
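Review bot: `userPassword: {CLEARTEXT}panel` stores the panel's credential recoverable by anyone who can read `userPassword` on that entry or copy the database files, and the justification given, DIGEST-MD5, is the mechanism RFC 6331 moved to Historic precisely because of this storage requirement; the note should name the compensating control, e.g. `# NOTE: ^ ... ; acl.ldif must restrict userPassword on this entry to auth-only access`, and that rule should actually be present in acl.ldif (not visible in this commit). If the panel reaches slapd over `ldapi://` or TLS anyway, a simple bind against a hashed value, or SASL EXTERNAL over ldapi, removes the need to keep any cleartext at all. The `{CLEARTEXT}` prefix is also what keeps `olcPPolicyHashCleartext: TRUE` (ppolicy.ldif, same commit) from hashing this value, since as far as I can tell ppolicy leaves values that already carry a `{scheme}` prefix untouched; a word about that interaction in the comment would stop someone from dropping the prefix and silently ending up with a hashed value that DIGEST-MD5 can no longer use. The literal value `panel` is presumably a development placeholder (the suffix is `dc=fripost,dc=dev`), but the note should say so, or a real deployment will inherit it.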
@@ -46,14 +46,15 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 # 2. It may be a good idea to modify DB_CONFIG, depending on the output
 # of
 #
-# db4.8_stat -m -h /var/lib/ldap/ | head -16
+# db_stat -mh /var/lib/ldap/ | head -16
 #
 # (For optimal performance, the Requested pages found in the cache
-# should be above 95%, and the pages forced from the cache should be 0.)
+# should be above 95%, and the dirty/clean pages forced from the cache
+# should be 0.)
 #
 # and
 #
-# db4.8_stat -m -h /var/lib/ldap/ | head -16
+# db_stat -ch /var/lib/ldap/ | head -16
 #
 # (For optimal performance, usage should be within 85% of the configured
 # values.)
diff --git a/ldap/modules.ldif b/ldap/modules.ldif
index 46b9ca2..b6c17e8 100644
--- a/ldap/modules.ldif
+++ b/ldap/modules.ldif
@@ -16,4 +16,7 @@ add: olcModuleLoad
 olcModuleLoad: syncprov.la
 -
 add: olcModuleLoad
+olcModuleLoad: ppolicy.la
+-
+add: olcModuleLoad
 olcModuleLoad: constraint.la
diff --git a/ldap/ppolicy.ldif b/ldap/ppolicy.ldif
new file mode 100644
index 0000000..60b52aa
--- /dev/null
+++ b/ldap/ppolicy.ldif
@@ -0,0 +1,26 @@
+# Load this file with
+#
+# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
+#
+# It will load the "ppolicy" overlay configuration for the database #1.
+# Ensure that it's indeed the database #1 that you want to configure:
+#
+# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
+#
+# Note: There is no clean way to remove/replace overlays, other than
+# stopping slapd and digging into the slapd.d directory:
+# http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
+#
+#
+# References:
+# - http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
+# - http://www.zytrax.com/books/ldap/ch6/ppolicy.html
+# - man 5 slapo-ppolicy
+
+
+dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcPPolicyDefault: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
-- 
cgit v1.2.3
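Review bot: The three settings at the bottom of the new file carry no comment, and `olcPPolicyUseLockout: FALSE` in particular reads as if lockout were switched off, whereas in slapo-ppolicy it only decides whether a bind against a locked account returns an `accountLocked` error instead of the generic `invalidCredentials` — FALSE is the non-disclosing choice and is what makes `pwdLockout: TRUE` in base.ldif safe to expose to the network. Suggested comment for that line: `# FALSE: a locked account still gets a plain invalidCredentials on Bind, so lock state is not disclosed to the client; lockout itself is enabled by pwdLockout in the policy entry`. For the hash line: `# Hash cleartext userPassword values received in Add/Modify with olcPasswordHash ({SSHA} unless cn=config says otherwise); values that already carry a {scheme} prefix, e.g. {CLEARTEXT}, are stored as received`, the last part hedged because I am reading it from slapo-ppolicy's documented behaviour rather than from anything in this commit. `olcPasswordHash` is not set anywhere in this commit, so the scheme actually applied is whatever the server default is; setting it explicitly in cn=config alongside this overlay would make the policy self-describing and survive a server upgrade that changes the default.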