Ben's notes

CentOS 7 - OpenLDAP 2.4 password policy (ppolicy)

Configure Provider (master) and consumer (slave)

Load the ppolicy schema:

# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /etc/openldap/schema/ppolicy.ldif

Load the module:

# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la
EOF

Add the overlay:

# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=domain,dc=tld
EOF

Configure Provider (master)

Create the policies OU:

# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
dn: ou=policies,dc=domain,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: policies
EOF

Create the ppolicy object:

# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
dn: cn=ppolicy,ou=policies,dc=domain,dc=tld
cn: ppolicy
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOF

Ben's notes

User Tools

Site Tools

Table of Contents

CentOS 7 - OpenLDAP 2.4 password policy (ppolicy)

Configure Provider (master) and consumer (slave)

Configure Provider (master)

Page Tools