Ben's notes

Linux, Unix, network, radio...


CentOS 7 - OpenLDAP 2.4 password policy (ppolicy)

Configure Provider (master) and consumer (slave)

  • Load the ppolicy schema into cn=config:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /etc/openldap/schema/ppolicy.ldif
  • Load the ppolicy module:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: ppolicy.la
    EOF
  • Attach the ppolicy overlay to the {2}hdb database and point it at the default policy entry (created on the provider below):
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=ppolicy,ou=policies,dc=domain,dc=tld
    EOF

Configure Provider (master) only (the entries below are replicated to the consumer)

  • Create the policies OU:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: ou=policies,dc=domain,dc=tld
    objectClass: top
    objectClass: organizationalUnit
    ou: policies
    EOF
  • Create the ppolicy object (the default policy named by olcPPolicyDefault; times are in seconds):
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: cn=ppolicy,ou=policies,dc=domain,dc=tld
    cn: ppolicy
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: userPassword
    pwdInHistory: 8
    pwdMinLength: 8
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdCheckQuality: 2
    pwdMustChange: TRUE
    pwdGraceAuthNLimit: 0
    pwdMaxAge: 7776000
    pwdExpireWarning: 1209600
    pwdLockoutDuration: 900
    pwdLockout: TRUE
    EOF
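As an added example that is not part of the original page, a Python check that applies the policy values above to a user's ppolicy operational attributes (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime) the way the overlay does at bind time, which is useful for auditing an LDIF export before the lockout or expiry actually hits. The policy LDIF, the reference time and the user entries are constructed inline; parse_ldif, gtime and evaluate are names chosen here.

```python
from datetime import datetime, timezone
# Constructed copy of the attributes from the policy entry above that the check uses.
POLICY_LDIF = """dn: cn=ppolicy,ou=policies,dc=domain,dc=tld
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
"""
# Constructed reference time for the checks (the page's last-modified stamp, UTC).
NOW = datetime(2021, 10, 9, 15, 14, 0, tzinfo=timezone.utc)
def parse_ldif(text):
    """Minimal LDIF parser for one entry; every attribute maps to a list of values."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

def gtime(value):
    """ppolicy stores GeneralizedTime in UTC, e.g. 20211009151400Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate(policy, user, now):
    """Mirror the overlay's bind-time checks; returns (state, detail)."""
    p = {k: v[0] for k, v in policy.items()}
    # 1. Lockout: pwdAccountLockedTime is written once pwdMaxFailure failures fall
    #    inside pwdFailureCountInterval; the value 000001010000Z means locked until reset.
    locked = user.get("pwdAccountLockedTime")
    if locked == "000001010000Z":
        return ("locked", "administrative lock")
    if locked and (now - gtime(locked)).total_seconds() < int(p["pwdLockoutDuration"]):
        return ("locked", "pwdLockoutDuration not yet elapsed")
    # 2. Expiry: no pwdChangedTime (password set before the overlay was loaded) means the
    #    overlay never expires it; with pwdGraceAuthNLimit 0 an expired one refuses the bind.
    changed = user.get("pwdChangedTime")
    remaining = int(p["pwdMaxAge"]) - (now - gtime(changed)).total_seconds() if changed else None
    if remaining is not None and remaining <= 0:
        return ("expired", "password older than pwdMaxAge")
    # 3. Failure counter: failures older than pwdFailureCountInterval are purged.
    recent = [t for t in user.get("pwdFailureTime", [])
              if (now - gtime(t)).total_seconds() < int(p["pwdFailureCountInterval"])]
    left = int(p["pwdMaxFailure"]) - len(recent)
    # 4. Warning: remaining lifetime below pwdExpireWarning sets the response control.
    if remaining is not None and remaining < int(p["pwdExpireWarning"]):
        return ("warning", f"expires in {int(remaining)}s, {left} failure(s) left")
    return ("ok", f"{left} failure(s) left before lockout")
```

Feed it the output of an ldapsearch with `+` (operational attributes) for the users to audit; entries without pwdChangedTime are the ones that will never expire under this policy.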
centos7_openldap_ppolicy.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1