From a4a334235a3d44a8d1667fd8b7d2e085f1af9cb1 Mon Sep 17 00:00:00 2001 From: Marisa Date: Thu, 2 Oct 2025 09:45:53 -0400 Subject: [PATCH] Update README.md --- README.md | 61 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 424d7e1..fb7ebb0 100644 --- a/README.md +++ b/README.md @@ -438,9 +438,15 @@ This probably looks confusing and even scary now, but it's pretty simple, it bas root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f update_acl.ldif ``` -Let's create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and let's add the LDAP users (uid) Reimu and Marisa to the ou +Generate a new password hash like this: ``` -root@example:/# vim create_directory.ldif +root@example:/# slappasswd -s ying +{SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC +``` + +Create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and add the LDAP user (uid) reimu with our previously generated hashed password +``` +root@example:/# vim create_reimu.ldif dn: ou=Supergirls,dc=example,dc=com changetype: add objectClass: organizationalUnit @@ -454,19 +460,9 @@ objectClass: inetOrgPerson uid: reimu cn: Reimu Hakurei sn: Hakurei -userPassword: {SSHA}mRl... # Generate with: slappasswd -s ying - -dn: uid=marisa,ou=Supergirls,dc=example,dc=com -changetype: add -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -uid: marisa -cn: Marisa Kirisame -sn: Kirisame -userPassword: {SSHA}cgT... # Generate with: slappasswd -s yang +userPassword: {SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC ``` -That's a lot of data, but it creates our Supergirls directory, and with it the users reimu and marisa. +This creates our Supergirls directory, and with it the user reimu. ### _Blocking user access after 3 wrong tries_ 
@@ -512,12 +508,45 @@ Now let's try changing the password, but with a wrong password. Using the same c root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" ldap_bind: Invalid credentials (49) ``` -Before using 3 wrong passwords in a row and get the user blocked, let's try once again using the correct password, which is the new one _yang_: +Before get the user blocked, let's try once again using the correct password, which is the new one _yang_: ``` root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w yang -s ying "uid=reimu,ou=S upergirls,dc=example,dc=com" ``` As we see, we are getting no error, since the correct new password was _yang_ and we changed it back to _ying_ as it was from the beginning. -Now let's try using 3 wrong passwords in a row... + +Now, if we use the same command more than 3 times in a row (more than 3 wrong passwords in a row), as established by policy, the user will get blocked: +``` +root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" +ldap_bind: Invalid credentials (49) +root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" +ldap_bind: Invalid credentials (49) +root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" +ldap_bind: Invalid credentials (49) +root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" +ldap_bind: Invalid credentials (49) +``` +Let's checkout as administrator if the user has some pwd* attributes... 
+``` +root@example:/etc/ldap/slapd.d# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "uid=reimu,ou=Supergirls,dc=example,dc=com" "(objectclass=*)" pwdFailureTime pwdAccountLockedTime +# extended LDIF +# +# LDAPv3 +# base with scope subtree +# filter: (objectclass=*) +# requesting: pwdFailureTime pwdAccountLockedTime +# + +# reimu, Supergirls, example.com +dn: uid=reimu,ou=Supergirls,dc=example,dc=com +pwdFailureTime: 20251002131513.454814Z +pwdFailureTime: 20251002131955.545595Z +pwdFailureTime: 20251002133529.173964Z +pwdAccountLockedTime: 20251002133529Z +``` +The user has been locked out. It cannot do anything using it's user and password. +If we want to unlock it, to give it a clean slate, create the following file + + \ No newline at end of file
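Review bot: in the first hunk (`@@ -438,9 +438,15 @@`), `slappasswd -s ying` passes the cleartext password as a command-line argument, so it ends up in the root shell history and is visible in the process list while the command runs; for a README that is teaching credential provisioning, suggest running `slappasswd` with no `-s` so it prompts for the secret interactively, then pasting the resulting `{SSHA}...` line into `create_reimu.ldif`. The lead-in sentence should also say the hash is specific to the sample password `ying` and must be regenerated rather than copied, since the same hash is reused verbatim further down in the hunk.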
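Review bot: in the second hunk (`@@ -454,19 +460,9 @@`), dropping the trailing `# Generate with: slappasswd -s ...` from the `userPassword:` line is the right fix and deserves a word in the commit message: LDIF has no end-of-line comments, so the old form would have stored the comment text as part of the password value and the resulting entry could never bind. With the `marisa` entry removed, any remaining mention of a second user or of `yang` as marisa's password elsewhere in the README should be checked for consistency, since `yang` is now only reimu's temporary new password.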
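Review bot: in the third hunk (`@@ -512,12 +508,45 @@`), the sentence "if we use the same command more than 3 times in a row" contradicts the captured output: `ldapsearch` returns three `pwdFailureTime` values and a `pwdAccountLockedTime` equal to the third failure (`20251002133529Z`), so the lockout engages on the third wrong bind and the fourth `ldappasswd` attempt shown is rejected because the account is already locked, not because it is a further miss; say "3 wrong passwords in a row" consistently with the section heading. The three failure timestamps (13:15, 13:19, 13:35) also span about twenty minutes, so "in a row" only holds if the policy's `pwdFailureCountInterval` is 0 (failures are purged only by a successful bind); either state that assumption or recapture the output with the three attempts back to back. Smaller points in the same hunk: the admin bind uses `-w 1234` on the command line, prefer `-W` so `ldapsearch` prompts for the password; the prompt switches to `root@example:/etc/ldap/slapd.d#` while every other command uses `root@example:/#`; "Before get the user blocked" should read "Before getting the user blocked" and "using it's user" should be "using its user"; and the closing sentence "create the following file" is followed only by blank `+` lines and the `\ No newline at end of file` marker, so the unlock LDIF it promises is missing from the patch.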