From 12c66f55363f0e3ea6d7b5846d5bfcc7eff4fcbf Mon Sep 17 00:00:00 2001 From: Marisa Date: Tue, 7 Oct 2025 14:28:33 -0400 Subject: [PATCH] Update README.md --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index 903185c..160ed54 100644 --- a/README.md +++ b/README.md 
@@ -622,6 +622,42 @@ root@example:/# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 123 ``` This two commands are a little convoluted but what they're doing is, using ldapsearch and multiple grep, and only showing the number of times the user has entered the wrong password. In this case the user reimu tried to change the password using a wrong password twice. +### _Setup passwords complexity_ + +There are different levels of password complexity that comes with the policies module in openLDAP: +0: No quality checking. Any password is accepted, regardless of complexity. +1: Evaluates the password against its built-in quality checks but does not reject weak passwords. If the password fails (e.g., too short or too simple), it logs a warning but allows the change to proceed. +2: OpenLDAP strictly enforces password quality, rejecting weak passwords with "Constraint violation" errors and messages like "Password fails quality checking policy". +Minimum Password quality checking: length check of at least 5–6 characters, reject identical characters like aaaaaa or 111111 + +Setting up passwords complexity level: +``` +root@example:/# vim update_policy_quality.ldif +dn: cn=default,ou=policies,dc=example,dc=com +changetype: modify +add: pwdCheckQuality +pwdCheckQuality: 2 +``` +Execute the .ldif file... 
+``` +root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_policy_quality.ldif +modifying entry "cn=default,ou=policies,dc=example,dc=com" +``` +We need to specify who we want to apply this new policy (change it from how it was by default before), let's use the user reimu +``` +root@example:/# vim apply_policy_reimu.ldif +dn: uid=reimu,ou=Supergirls,dc=example,dc=com +changetype: modify +replace: pwdPolicySubentry +pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com +``` +Execute the .ldif **replacing** the pwdPolicySubentry +``` +root@example:/etc/ldap/slapd.d# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f apply_policy_reimu.ldif +modifying entry "uid=reimu,ou=Supergirls,dc=example,dc=com" +``` + + ## _Show Organizational Units, users, and attributes_ ### _Show LDAP server directories with the data_
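Review bot: in the `update_policy_quality.ldif` block of this hunk, `add: pwdCheckQuality` will be rejected with an "attribute or value exists" error if the cn=default policy entry already carries a pwdCheckQuality value (the text itself says the policy is being changed "from how it was by default before"); use `replace: pwdCheckQuality` instead, as the later `apply_policy_reimu.ldif` block already does for pwdPolicySubentry. The explanatory text also promises a "length check of at least 5–6 characters", but the LDIF only sets pwdCheckQuality, which switches quality checking on or off; the length threshold comes from the ppolicy attribute pwdMinLength, so either add a `pwdMinLength` line to the LDIF or drop the length claim so the README matches what the change actually configures. Minor: the new heading "Setup passwords complexity" reads better as "Set up password complexity".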