diff --git a/INSTALL.md b/INSTALL.md index 96ad8cf..ad6df08 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -81,3 +81,72 @@ root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config" ``` The policies module has been loaded and we can begin to configure password schemas and ACLs. + +## _4- Configure default passwod policies_ + +Create a basic overlay of your password policies, run this command, copy-paste the content then press enter to run it automatically. Go back to the shell with CTRL+C. +``` +root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// +dn: cn=default,ou=policies,dc=example,dc=com +objectClass: pwdPolicy +objectClass: organizationalRole +cn: default +pwdAttribute: userPassword +pwdMinLength: 8 +pwdCheckQuality: 2 + +adding new entry "cn=default,ou=policies,dc=example,dc=com" + +^C +``` +Attributes you can change for example, pwdMinLength, pwdMaxFailure, pwdMaxAge, etc. +\ +\ +In order to enforce our password configuration we need something to control. +Copy the command, and copy-paste the content, press enter to exec, you can escape with CTRL+C. +``` +# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// +dn: ou=Supergirls,dc=example,dc=com +objectClass: organizationalUnit +ou: Supergirls + +adding new entry "ou=Supergirls,dc=example,dc=com" +^C +``` +Create a password hash for the user marisa +``` +root@example:/etc/ldap/slapd.d# slappasswd -s qwerty +{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V +``` +Copy-paste all this attributes after the command, remember to write down the hashed password correctly. 
+``` +root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// +dn: uid=marisa,ou=Supergirls,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: posixAccount +cn: Marisa +sn: Kirisame +givenName: Marisa +displayName: Marisa Kirisame +uid: marisa +uidNumber: 1001 +gidNumber: 5000 +homeDirectory: /home/marisa +loginShell: /bin/bash +userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V +mail: marisa@example.com + +adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com" +^C +``` +marisa and all users added to Supergirls will respect the password default policies, you can check it out, example: +``` +root@example:/etc/ldap/slapd.d# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame +Result: Constraint violation (19) +Additional info: Password fails quality checking policy +``` +Password rejected because we established before pwdMinLength was 8. +``` +root@example:/etc/ldap/slapd.d# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame +``` +"kirisame" is accepted because it's within 8 length characters.
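Review bot: the explanation of the ldappasswd check at the end of the hunk contradicts its own output: "marisakirisame" is 14 characters, well above `pwdMinLength: 8`, so the `Constraint violation (19)` shown cannot be caused by the minimum length, and "kirisame" is exactly 8 characters, so it is accepted because it meets the minimum, not because it is "within" it. Either demonstrate the length rule with a password shorter than 8 (so the rejection matches the stated cause) or say which quality check actually rejected the 14-character value. Further points in the same section: the heading reads "passwod policies" (typo); the default policy is added under `ou=policies,dc=example,dc=com`, but nothing in this hunk creates that OU, and nothing shown ties the overlay to `cn=default` (no `olcPPolicyDefault` on the overlay entry, no `pwdPolicySubentry` on the user), so the sentence "marisa and all users added to Supergirls will respect the password default policies" should state where that default is configured (presumably in enable_ppolicy.ldif, whose contents are not shown here); every `ldapadd` and `slappasswd` invocation puts a secret on the command line (`-w admin`, `slappasswd -s qwerty`), which ends up in shell history and `ps` output, so an install guide should prefer `-W` (prompt) or `-y <file>` for ldapadd and a bare `slappasswd` so the hash input is prompted for; and telling the reader to finish each ldapadd with CTRL+C is misleading, since ldapadd reads LDIF from stdin and a blank line followed by CTRL+D ends the input cleanly.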