Update README.md

parent 4b6f46faeb
commit a4a334235a

61 README.md
@ -438,9 +438,15 @@ This probably looks confusing and even scary now, but it's pretty simple, it bas
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f update_acl.ldif
```

Let's create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and let's add the LDAP users (uid) Reimu and Marisa to the ou
Generate a new password hash like this:
```
root@example:/# vim create_directory.ldif
root@example:/# slappasswd -s ying
{SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC
```

Create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and add the LDAP user (uid) reimu with our previously generated hashed password
```
root@example:/# vim create_reimu.ldif
dn: ou=Supergirls,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
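Review bot: the value printed by `slappasswd -s ying` is a salted `{SSHA}` hash, so a reader who runs the command gets a different string than `{SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC`; the sentence "with our previously generated hashed password" should tell the reader to paste the output of their own run rather than the value shown in the README. Passing the cleartext with `-s` also leaves it in shell history and in the process list; running `slappasswd` without `-s` prompts for the password instead, which is the better form for a tutorial.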
@ -454,19 +460,9 @@ objectClass: inetOrgPerson
uid: reimu
cn: Reimu Hakurei
sn: Hakurei
userPassword: {SSHA}mRl... # Generate with: slappasswd -s ying

dn: uid=marisa,ou=Supergirls,dc=example,dc=com
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: marisa
cn: Marisa Kirisame
sn: Kirisame
userPassword: {SSHA}cgT... # Generate with: slappasswd -s yang
userPassword: {SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC
```
That's a lot of data, but it creates our Supergirls directory, and with it the users reimu and marisa.
This creates our Supergirls directory, and with it the user reimu.

### <ins>_Blocking user access after 3 wrong tries_</ins>

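Review bot: replacing `userPassword: {SSHA}mRl... # Generate with: slappasswd -s ying` with the full hash is the right fix, because LDIF has no trailing comments: `#` only introduces a comment at the start of a line, so the old line would have stored the literal text `{SSHA}mRl... # Generate with: slappasswd -s ying` as the password value and the later bind with `ying` would have failed. A one-line remark under the LDIF block saying that the `{SSHA}` value has to be the reader's own `slappasswd` output would save the next person the same mistake. With the marisa entry gone, the prose now matches the LDIF; please check that nothing later in the README still refers to marisa.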
@ -512,12 +508,45 @@ Now let's try changing the password, but with a wrong password. Using the same c
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
```
Before using 3 wrong passwords in a row and get the user blocked, let's try once again using the correct password, which is the new one _yang_:
Before get the user blocked, let's try once again using the correct password, which is the new one _yang_:
```
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w yang -s ying "uid=reimu,ou=S
upergirls,dc=example,dc=com"
```
As we see, we are getting no error, since the correct new password was _yang_ and we changed it back to _ying_ as it was from the beginning.
Now let's try using 3 wrong passwords in a row...

Now, if we use the same command more than 3 times in a row (more than 3 wrong passwords in a row), as established by policy, the user will get blocked:
```
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
```
Let's checkout as administrator if the user has some pwd* attributes...
```
root@example:/etc/ldap/slapd.d# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "uid=reimu,ou=Supergirls,dc=example,dc=com" "(objectclass=*)" pwdFailureTime pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <uid=reimu,ou=Supergirls,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: pwdFailureTime pwdAccountLockedTime
#

# reimu, Supergirls, example.com
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
pwdFailureTime: 20251002131513.454814Z
pwdFailureTime: 20251002131955.545595Z
pwdFailureTime: 20251002133529.173964Z
pwdAccountLockedTime: 20251002133529Z
```
The user has been locked out. It cannot do anything using it's user and password.
If we want to unlock it, to give it a clean slate, create the following file



<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
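Review bot: the prose says the user is blocked after using the command "more than 3 times in a row", but the `ldapsearch` output shows exactly three `pwdFailureTime` values and a `pwdAccountLockedTime` of 20251002133529Z, the same second as the third failure, so the lock is applied on the third wrong password and the fourth `ldappasswd` call in the transcript is refused because the account is already locked. The wording should say three wrong passwords, matching the section heading. Smaller points: the admin password is passed as `-w 1234` in the `ldapsearch` command while the commented-out `ldappasswd` line at the end uses `-W`; `-W` prompts instead of leaving the secret in shell history, so use it consistently. "Before get the user blocked" should read "Before the user gets blocked", and "it's user and password" should be "its user and password". The second `ldappasswd` command is wrapped in the middle of an argument (`ou=S` / `upergirls`), so it will not paste correctly. "create the following file" is followed by nothing but an HTML comment that references `uid=bob,ou=people`, which does not exist in this directory; either add the unlock LDIF for reimu or drop the comment.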