Ben's notes

Linux, Unix, network, radio...


CentOS 7 - OpenLDAP 2.4 password policy (ppolicy)

Configure Provider (master) and consumer (slave)

  • Load the ppolicy schema:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /etc/openldap/schema/ppolicy.ldif
  • Load the module:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: ppolicy.la
    EOF
  • Add the overlay:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=ppolicy,ou=policies,dc=domain,dc=tld
    EOF

Configure Provider (master)

  • Create the policies OU:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: ou=policies,dc=domain,dc=tld
    objectClass: top
    objectClass: organizationalUnit
    ou: policies
    EOF
  • Create the ppolicy object:
    # ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W <<EOF
    dn: cn=ppolicy,ou=policies,dc=domain,dc=tld
    cn: ppolicy
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: userPassword
    pwdInHistory: 8
    pwdMinLength: 8
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdCheckQuality: 2
    pwdMustChange: TRUE
    pwdGraceAuthNLimit: 0
    pwdMaxAge: 7776000
    pwdExpireWarning: 1209600
    pwdLockoutDuration: 900
    pwdLockout: TRUE
    EOF
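Once the overlay is active, slapd records its state in operational attributes on each user entry (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime), readable with ldapsearch and the `+` attribute selector. The audit script below is an added example, not part of the original page: it interprets those attributes against the limits of the cn=ppolicy entry above (expiry and warning window from pwdMaxAge/pwdExpireWarning, failures still counted within pwdFailureCountInterval, lockout still in force within pwdLockoutDuration). The LDIF for uid=jdoe is a constructed sample, not captured from a real server.

```python
from datetime import datetime, timedelta, timezone

# Limits copied from the cn=ppolicy entry created above (seconds).
POLICY = {"pwdMaxAge": 7776000, "pwdExpireWarning": 1209600,
          "pwdMaxFailure": 3, "pwdFailureCountInterval": 1800,
          "pwdLockoutDuration": 900}

# Constructed sample of the operational attributes ppolicy keeps on a user
# entry (as returned by ldapsearch ... '+'); not taken from a real directory.
SAMPLE = """dn: uid=jdoe,ou=people,dc=domain,dc=tld
pwdChangedTime: 20150601120000Z
pwdFailureTime: 20150915093000Z
pwdFailureTime: 20150915093500Z
pwdFailureTime: 20150915094000Z
pwdAccountLockedTime: 20150915094000Z
"""

PERMANENT_LOCK = "000001010000Z"  # value slapd stores for an administrative lock


def parse_ldif(text):
    """Minimal single-entry LDIF parser (no folded or base64 lines)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def gt(ts):
    """Generalized Time 'YYYYmmddHHMMSSZ' -> aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(entry, policy, now):
    """Derive expiry, warning, failure-count and lockout state as slapd would."""
    sec = {k: timedelta(seconds=v) for k, v in policy.items()}
    expires = gt(entry["pwdChangedTime"][0]) + sec["pwdMaxAge"]
    expired = now >= expires
    # Failures older than pwdFailureCountInterval no longer count toward pwdMaxFailure.
    recent = [t for t in entry.get("pwdFailureTime", [])
              if now - gt(t) <= sec["pwdFailureCountInterval"]]
    locked_at = entry.get("pwdAccountLockedTime", [None])[0]
    if locked_at == PERMANENT_LOCK:
        locked = True  # only an administrator can clear this one
    else:
        locked = bool(locked_at) and now < gt(locked_at) + sec["pwdLockoutDuration"]
    return {"expired": expired,
            "in_warning": not expired and now >= expires - sec["pwdExpireWarning"],
            "recent_failures": len(recent),
            "at_max_failures": len(recent) >= policy["pwdMaxFailure"],
            "locked": locked}


def audit_sample(now="20150915095000Z"):
    """Audit the constructed entry at a given Generalized Time instant."""
    return audit(parse_ldif(SAMPLE), POLICY, gt(now))
```

With the sample as given, jdoe's password expired on 2015-08-30 (90 days after pwdChangedTime), three failures fall inside the 1800 s window, and the 900 s lockout started at 09:40 is still in force at 09:50.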
centos7_openldap_ppolicy.1442310034.txt.gz · Last modified: 2015/09/15 09:40 by admin