okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Marisa 2025-10-02 09:45:53 -04:00
parent 4b6f46faeb
commit a4a334235a
1 changed files with 45 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
README.md
View File

@ -438,9 +438,15 @@ This probably looks confusing and even scary now, but it's pretty simple, it bas
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f update_acl.ldif root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f update_acl.ldif
``` ```
Let's create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and let's add the LDAP users (uid) Reimu and Marisa to the ou Generate a new password hash like this:
``` ```
root@example:/# vim create_directory.ldif root@example:/# slappasswd -s ying
{SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC
```
Create a new basic LDAP directory with the Organizational Unit (ou) Supergirls and add the LDAP user (uid) reimu with our previously generated hashed password
```
root@example:/# vim create_reimu.ldif
dn: ou=Supergirls,dc=example,dc=com dn: ou=Supergirls,dc=example,dc=com
changetype: add changetype: add
objectClass: organizationalUnit objectClass: organizationalUnit
@ -454,19 +460,9 @@ objectClass: inetOrgPerson
uid: reimu uid: reimu
cn: Reimu Hakurei cn: Reimu Hakurei
sn: Hakurei sn: Hakurei
userPassword: {SSHA}mRl... # Generate with: slappasswd -s ying userPassword: {SSHA}LcyDtEjMaPCBcYgkumVPDBFjliOjJrMC
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: marisa
cn: Marisa Kirisame
sn: Kirisame
userPassword: {SSHA}cgT... # Generate with: slappasswd -s yang
``` ```
That's a lot of data, but it creates our Supergirls directory, and with it the users reimu and marisa. This creates our Supergirls directory, and with it the user reimu.
### <ins>_Blocking user access after 3 wrong tries_</ins> ### <ins>_Blocking user access after 3 wrong tries_</ins>
@ -512,12 +508,45 @@ Now let's try changing the password, but with a wrong password. Using the same c
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com" root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49) ldap_bind: Invalid credentials (49)
``` ```
Before using 3 wrong passwords in a row and get the user blocked, let's try once again using the correct password, which is the new one _yang_: Before get the user blocked, let's try once again using the correct password, which is the new one _yang_:
``` ```
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w yang -s ying "uid=reimu,ou=S root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w yang -s ying "uid=reimu,ou=S
upergirls,dc=example,dc=com" upergirls,dc=example,dc=com"
``` ```
As we see, we are getting no error, since the correct new password was _yang_ and we changed it back to _ying_ as it was from the beginning. As we see, we are getting no error, since the correct new password was _yang_ and we changed it back to _ying_ as it was from the beginning.
Now let's try using 3 wrong passwords in a row...
Now, if we use the same command more than 3 times in a row (more than 3 wrong passwords in a row), as established by policy, the user will get blocked:
```
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
root@example:/# ldappasswd -x -H ldap:/// -D "uid=reimu,ou=Supergirls,dc=example,dc=com" -w ying -s yang "uid=reimu,ou=Supergirls,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
```
Let's checkout as administrator if the user has some pwd* attributes...
```
root@example:/etc/ldap/slapd.d# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "uid=reimu,ou=Supergirls,dc=example,dc=com" "(objectclass=*)" pwdFailureTime pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <uid=reimu,ou=Supergirls,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: pwdFailureTime pwdAccountLockedTime
#
# reimu, Supergirls, example.com
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
pwdFailureTime: 20251002131513.454814Z
pwdFailureTime: 20251002131955.545595Z
pwdFailureTime: 20251002133529.173964Z
pwdAccountLockedTime: 20251002133529Z
```
The user has been locked out. It cannot do anything using it's user and password.
If we want to unlock it, to give it a clean slate, create the following file
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"--> <!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->