From ab177b04cd5849714d2c254613a53c842199d4b9 Mon Sep 17 00:00:00 2001 From: Marisa Date: Sun, 12 Oct 2025 13:53:21 -0400 Subject: [PATCH] Update INSTALL.md --- INSTALL.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index a60a3ad..64c67ad 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -29,7 +29,7 @@ root@example:/# slappasswd -s Op3nLd4p! Create the .ldif file that will create the admin user, edit the _userPassword_ attribute with our password hash\ (you can copy & paste the entire command until userPassword, copy your password hash with the mouse, and paste it directly) ``` -root@example:/# cat > create_admin.ldif << EOL +root@example:/# cat > create_admin.ldif << EOF dn: cn=admin,dc=example,dc=com changetype: add objectClass: organizationalRole @@ -37,7 +37,7 @@ objectClass: simpleSecurityObject cn: admin description: LDAP administrator userPassword: {SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+ # Replace with the hash of your password -EOL +EOF ``` ``` root@example:/# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -f create_admin.ldif @@ -49,12 +49,12 @@ That's all, our administrator user was properly done. We need to make use of new schemas and **policies**, which in large part exists in /usr/lib/ppolicy.so -since the module exists, we are going to create modify_ppolicy_module.ldif to be able to make use of it: ``` -root@example:/# cat > modify_ppolicy_module.ldif << EOL +root@example:/# cat > modify_ppolicy_module.ldif << EOF dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: ppolicy.so -EOL +EOF ``` ``` root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif 
@@ -67,14 +67,14 @@ root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ld ``` Now that we restarted our openLDAP server, we can load the new module, so we create the following .ldif file: ``` -root@example:/# cat > enable_ppolicy.ldif << EOL +root@example:/# cat > enable_ppolicy.ldif << EOF dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: ppolicy olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com -EOL +EOF ``` ``` root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif @@ -84,9 +84,9 @@ The policies module has been loaded and we can begin to configure password schem ## _4- Configure default password policies_ -Create a basic overlay of your password policies, run this command, copy-paste the content then press enter to run it automatically. Once the entry has been added, go back to the shell with CTRL+C. +Create a basic overlay of your password policies: ``` -root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:/// +root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF dn: cn=default,ou=policies,dc=example,dc=com objectClass: pwdPolicy objectClass: organizationalRole @@ -94,10 +94,11 @@ cn: default pwdAttribute: userPassword pwdMinLength: 8 pwdCheckQuality: 2 - +EOF +``` +``` +root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif adding new entry "cn=default,ou=policies,dc=example,dc=com" - -^C ``` You can change password policies like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc. and all organizationalUnits (and therefore, their users) will be affected by default unless configured otherwise. \
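Review bot: in the first hunk (`@@ -29,7 +29,7 @@`), the new heredoc delimiter in `cat > create_admin.ldif << EOF` is still unquoted, so the shell performs `$` expansion and backtick substitution on the LDIF body before it reaches the file. An `{SSHA}` hash is plain base64 and survives this, but a `{CRYPT}` or `{ARGON2}` hash from `slappasswd` contains `$` and would be silently mangled. Suggest `<< 'EOF'` here and in the other heredocs this patch touches. Separately, the context line `slappasswd -s Op3nLd4p!` leaves the cleartext password in shell history and in the process list; running `slappasswd` without `-s` prompts for it instead.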
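Review bot: in the second hunk (`@@ -37,7 +37,7 @@`), the trailing `# Replace with the hash of your password` on the `userPassword:` line is not a comment in LDIF (only a line that begins with `#` is), so the stored value becomes the hash followed by the literal text ` # Replace with the hash of your password`, and the admin password will never verify. Move that note to its own `#` line above the attribute or into the prose. The following `ldapadd ... -D "cn=admin,dc=example,dc=com" -w Op3nLd4p!` also puts the password on the command line; `-W` prompts for it and `-y <file>` reads it from a file. Note as well that binding as `cn=admin,dc=example,dc=com` before that entry exists only works if the database rootdn and rootpw in `cn=config` already hold this DN and password; the document should say so.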
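Review bot: in the third hunk (`@@ -49,12 +49,12 @@`), `olcModuleLoad: ppolicy.so` is resolved against the `olcModulePath` of `cn=module{0},cn=config`, so the surrounding prose should not hard-code `/usr/lib/ppolicy.so`; tell the reader to check the path and the currently loaded modules first, e.g. `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config' olcModulePath olcModuleLoad`. That same search also shows whether ppolicy is already loaded, in which case `add: olcModuleLoad` fails with "Type or value exists" and this step should be skipped.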
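Review bot: in the fourth hunk (`@@ -67,14 +67,14 @@`), `olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com` points under `ou=policies`, but nothing in the patch creates `ou=policies,dc=example,dc=com`; the later `ldapadd` of `cn=default,ou=policies,...` in section 4 fails with "No such object" unless that parent exists. Add an `ou=policies` organizationalUnit step before section 4. The overlay is also attached to a hard-coded `olcDatabase={1}mdb`; suggest a check that this index really is the `dc=example,dc=com` database, e.g. `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=dc=example,dc=com)' dn`.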
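Review bot: in the fifth hunk (`@@ -84,9 +84,9 @@`), the entry written to `passwd_ppolicy_overlay.ldif` is a `pwdPolicy` object, not an overlay (the overlay itself was attached in section 3), so the new sentence "Create a basic overlay of your password policies" and the file name are misleading; suggest "Create the default password policy entry" and a name such as `default_ppolicy.ldif`. The `pwdPolicy` objectClass also comes from the ppolicy schema; the prose earlier mentions "new schemas" but no step loads one, so the document should state whether the reader's OpenLDAP version has that schema built in or needs `ppolicy.ldif` loaded into `cn=config` before this add.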
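Review bot: in the sixth hunk (`@@ -94,10 +94,11 @@`), replacing the interactive `ldapadd` (and the wrong `-w admin`) with a file-based add is the right change, but the context line `pwdCheckQuality: 2` deserves a caveat in the closing paragraph: with value 2 the server rejects any password it cannot check, which includes pre-hashed values such as the `{SSHA}` string used for the admin entry in section 2, so users created afterwards with a pre-hashed `userPassword` may be refused. Tell the reader to set passwords in cleartext over a protected connection (for example with `ldappasswd`) so the policy can actually evaluate them, and add a verification step such as `ldapsearch -x -H ldapi:/// -D "cn=admin,dc=example,dc=com" -W -b "cn=default,ou=policies,dc=example,dc=com"` after the add.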