162 lines
5.7 KiB
Markdown
162 lines
5.7 KiB
Markdown
# ldapdock
|
|
*_a configurable container running openLDAP_*
|
|
|
|
Step by step approach on how to setup and run an openLDAP server on a systemd-less docker image container
|
|
|
|
## _1- Creating the ldapdock image container_
|
|
|
|
build ldapdock from the dockerfile and run into it
|
|
|
|
```
|
|
> docker build -t ldapdock /path/to/dockerfile
|
|
```
|
|
|
|
```
|
|
> docker run -h example.com -i -t -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d ldapdock /bin/bash
|
|
```
|
|
|
|
## _2- Run the openLDAP server and create an admin user_
|
|
|
|
Use the following command to start openLDAP
|
|
```
|
|
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
|
|
```
|
|
Generate a password hash for our administrator user, Op3nLd4p! here being the password to comply with password policies
|
|
```
|
|
root@example:/# slappasswd -s Op3nLd4p!
|
|
{SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+
|
|
```
|
|
Create the .ldif file that will create the admin user, edit the _userPassword_ attribute with our password hash\
|
|
(you can copy & paste the entire command until userPassword, copy your password hash with the mouse, and paste it directly)
|
|
```
|
|
root@example:/# cat > create_admin.ldif << EOF
|
|
dn: cn=admin,dc=example,dc=com
|
|
changetype: add
|
|
objectClass: organizationalRole
|
|
objectClass: simpleSecurityObject
|
|
cn: admin
|
|
description: LDAP administrator
|
|
userPassword: {SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+ # Replace with the hash of your password
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -f create_admin.ldif
|
|
adding new entry "cn=admin,dc=example,dc=com"
|
|
```
|
|
That's all, our administrator user was properly done.
|
|
|
|
## _3- Load and enable policy modules_
|
|
|
|
We need to make use of new schemas and **policies**, which in large part exists in /usr/lib/ppolicy.so -since the module exists, we are going to create modify_ppolicy_module.ldif to be able to make use of it:
|
|
```
|
|
root@example:/# cat > modify_ppolicy_module.ldif << EOF
|
|
dn: cn=module{0},cn=config
|
|
changetype: modify
|
|
add: olcModuleLoad
|
|
olcModuleLoad: ppolicy.so
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
|
|
modifying entry "cn=module{0},cn=config"
|
|
```
|
|
Reset slapd (openLDAP server)
|
|
```
|
|
root@example:/# kill $(pidof slapd)
|
|
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
|
|
```
|
|
Now that we restarted our openLDAP server, we can load the new module, so we create the following .ldif file:
|
|
```
|
|
root@example:/# cat > enable_ppolicy.ldif << EOF
|
|
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
|
|
changetype: add
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcPPolicyConfig
|
|
olcOverlay: ppolicy
|
|
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
|
|
adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"
|
|
```
|
|
The policies module has been loaded and we can begin to configure password schemas and ACLs.
|
|
|
|
## _4- Configure default password policies_
|
|
|
|
Create a basic overlay of your password policies:
|
|
```
|
|
root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
|
|
dn: cn=default,ou=policies,dc=example,dc=com
|
|
objectClass: pwdPolicy
|
|
objectClass: organizationalRole
|
|
cn: default
|
|
pwdAttribute: userPassword
|
|
pwdMinLength: 8
|
|
pwdCheckQuality: 2
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
|
|
adding new entry "cn=default,ou=policies,dc=example,dc=com"
|
|
```
|
|
You can change password policies like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc. and all organizationalUnits (and therefore, their users) will be affected by default using this *default ppolicy overlay*.
|
|
Refer to https://git.ozymandias.work/okasion/ldapdock/src/branch/main/README.md#ins_password-policy-default-modules-options_ins for a list of all password policies available by default.
|
|
|
|
### _<ins>Enforcing password policies example</ins>_
|
|
In order to enforce our password configuration we need something to control. This is a short example.
|
|
Create an organizationalUnit:
|
|
```
|
|
root@example:/# cat > create_ou.ldif << EOF
|
|
dn: ou=Supergirls,dc=example,dc=com
|
|
objectClass: organizationalUnit
|
|
ou: Supergirls
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_ou.ldif
|
|
adding new entry "ou=Supergirls,dc=example,dc=com"
|
|
```
|
|
|
|
Create a password hash for the new user marisa
|
|
```
|
|
root@example:/# slappasswd -s qwerty
|
|
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
|
|
```
|
|
|
|
Create the new user marisa that will belong to organizationalUnit Supergirls (pay attention to copy the hashed password before EOF)
|
|
```
|
|
root@example:/# cat > create_user.ldif << EOF
|
|
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
|
|
objectClass: inetOrgPerson
|
|
objectClass: posixAccount
|
|
cn: Marisa
|
|
sn: Kirisame
|
|
givenName: Marisa
|
|
displayName: Marisa Kirisame
|
|
uid: marisa
|
|
uidNumber: 1001
|
|
gidNumber: 5000
|
|
homeDirectory: /home/marisa
|
|
loginShell: /bin/bash
|
|
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
|
|
mail: marisa@example.com
|
|
EOF
|
|
```
|
|
```
|
|
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_user.ldif
|
|
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"
|
|
```
|
|
|
|
User marisa and all that are added to Supergirls will respect the password default policies, you can check it out, example:
|
|
```
|
|
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame
|
|
Result: Constraint violation (19)
|
|
Additional info: Password fails quality checking policy
|
|
```
|
|
Password "marisakirisame" is rejected because we established before pwdMinLength was 8.
|
|
```
|
|
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame
|
|
```
|
|
"kirisame" is accepted because it's within 8 length characters.
|