OpenLDAP configuration file (two-master mirrormode with ppolicy and pqchecker)
Source: Byrd's Weblog - https://note.t4x.org/project/openldap-master-configure/
M1:

    # egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf
    include /usr/local/openldap/etc/openldap/schema/corba.schema
    include /usr/local/openldap/etc/openldap/schema/core.schema
    include /usr/local/openldap/etc/openldap/schema/cosine.schema
    include /usr/local/openldap/etc/openldap/schema/duaconf.schema
    include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
    include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
    include /usr/local/openldap/etc/openldap/schema/java.schema
    include /usr/local/openldap/etc/openldap/schema/misc.schema
    include /usr/local/openldap/etc/openldap/schema/nis.schema
    include /usr/local/openldap/etc/openldap/schema/openldap.schema
    include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
    include /usr/local/openldap/etc/openldap/schema/collective.schema
    pidfile /opt/openldap-2.4.48/var/run/slapd.pid
    argsfile /opt/openldap-2.4.48/var/run/slapd.args
    serverID 1
    modulepath /opt/openldap-2.4.48/libexec/openldap
    moduleload ppolicy.la
    access to * by self write by anonymous auth by * read
    database mdb
    maxsize 1073741824
    suffix "dc=ldap,dc=t4x,dc=org"
    checkpoint 2048 10
    rootdn "cn=admin,dc=ldap,dc=t4x,dc=org"
    directory /opt/openldap-2.4.48/var/openldap-data
    syncrepl rid=001
        provider=ldap://192.168.227.34
        binddn="cn=admin,dc=ldap,dc=t4x,dc=org"
        bindmethod=simple
        credentials=admin
        searchbase="dc=ldap,dc=t4x,dc=org"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
    TLSCACertificatePath /usr/local/openldap/ssl/
    TLSCertificateFile "\"OpenLDAP Server\""
    TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem
    TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem
    TLSCertificateKeyFile /usr/local/openldap/ssl/ldapkey.pem
    TLSVerifyClient never
    index objectClass eq,pres
    index ou,cn,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    loglevel 296
    rootpw {SSHA}iMgn+YhiZm1O9QB6BBZuOS+ko/Gb/262
    mirrormode TRUE
    overlay syncprov
    syncprov-nopresent TRUE
    syncprov-reloadhint TRUE
    syncprov-checkpoint 100 2
    overlay ppolicy
    password-hash {SSHA}
    ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
    ppolicy_hash_cleartext
    ppolicy_use_lockout

M1 has serverID 1 and pulls from M2 (192.168.227.34); loglevel 296 is stats (256) + filter (32) + conns (8). The quoted "OpenLDAP Server" TLSCertificateFile line is a certificate nickname from an NSS-style setup; the later TLSCertificateFile directive replaces it, so it can be removed.
M2:

    # egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf
    include /usr/local/openldap/etc/openldap/schema/corba.schema
    include /usr/local/openldap/etc/openldap/schema/core.schema
    include /usr/local/openldap/etc/openldap/schema/cosine.schema
    include /usr/local/openldap/etc/openldap/schema/duaconf.schema
    include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
    include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
    include /usr/local/openldap/etc/openldap/schema/java.schema
    include /usr/local/openldap/etc/openldap/schema/misc.schema
    include /usr/local/openldap/etc/openldap/schema/nis.schema
    include /usr/local/openldap/etc/openldap/schema/openldap.schema
    include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
    include /usr/local/openldap/etc/openldap/schema/collective.schema
    pidfile /opt/openldap-2.4.48/var/run/slapd.pid
    argsfile /opt/openldap-2.4.48/var/run/slapd.args
    serverID 2
    modulepath /opt/openldap-2.4.48/libexec/openldap
    moduleload ppolicy.la
    access to * by self write by anonymous auth by * read
    database mdb
    maxsize 1073741824
    suffix "dc=ldap,dc=t4x,dc=org"
    checkpoint 2048 10
    rootdn "cn=admin,dc=ldap,dc=t4x,dc=org"
    directory /opt/openldap-2.4.48/var/openldap-data
    syncrepl rid=001
        provider=ldap://192.168.227.33
        binddn="cn=admin,dc=ldap,dc=t4x,dc=org"
        bindmethod=simple
        credentials=admin
        searchbase="dc=ldap,dc=t4x,dc=org"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
    TLSCACertificatePath /usr/local/openldap/ssl/
    TLSCertificateFile "\"OpenLDAP Server\""
    TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem
    TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem
    TLSCertificateKeyFile /usr/local/openldap/ssl/ldapkey.pem
    TLSVerifyClient never
    index objectClass eq,pres
    index ou,cn,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    loglevel 296
    mirrormode TRUE
    overlay syncprov
    syncprov-nopresent TRUE
    syncprov-reloadhint TRUE
    syncprov-checkpoint 100 2
    rootpw {SSHA}KYesbO2q8mGAfXfTSjGgaOEI+j5bdfRa
    overlay ppolicy
    password-hash {SSHA}
    ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
    ppolicy_hash_cleartext
    ppolicy_use_lockout

The two files differ only in serverID, the syncrepl provider (each master consumes from the other) and rootpw; with mirrormode TRUE and the syncprov overlay each node is both consumer and provider, so a write accepted on either side is replicated to the other.

Points to fix before using this outside a lab. The single ACL `access to * by self write by anonymous auth by * read` applies to userPassword as well, so every authenticated bind can read every user's password hash; put a rule for attrs=userPassword ahead of it that grants self write, anonymous auth and nothing to anyone else. The replication bind uses the rootdn with its cleartext password (credentials=admin) over plain ldap:// even though TLS is configured; use a dedicated replication DN with read-only access and add starttls=critical (or an ldaps:// provider). schemachecking=off disables schema validation on replicated entries, which is only acceptable while the two masters are known to run identical schema.
Admin import:

    $ ldapadd -x -D "cn=admin,dc=ldap,dc=t4x,dc=org" -W -f admin.ldif
    $ cat /usr/local/openldap/etc/openldap/admin.ldif
    dn: dc=ldap,dc=t4x,dc=org
    objectclass: dcObject
    objectclass: organization
    o: T4X.Inc
    dc: ldap

    dn: cn=admin,dc=ldap,dc=t4x,dc=org
    objectclass: organizationalRole
    cn: admin
OU People import (the bind DN must be the rootdn from slapd.conf, cn=admin; the original showed cn=Manage, which does not exist here):

    $ ldapadd -x -D "cn=admin,dc=ldap,dc=t4x,dc=org" -W -f people.ldif
    $ cat /usr/local/openldap/etc/openldap/people.ldif
    dn: ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: organizationalUnit
    ou: People
Ordinary user import. posixAccount requires uidNumber and gidNumber and the RDN attribute (uid) must be present in the entry, so the LDIF below carries the values the export further down shows for this user; the double colon after userPassword means the value is base64-encoded, here the {SSHA} hash of the user's initial password:

    # cat /usr/local/openldap/etc/openldap/byrd.ldif
    dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    uid: byrd
    uidNumber: 41872
    gidNumber: 0
    homeDirectory: /home/byrd
    loginShell: /bin/bash
    cn: byrd
    sn: byrd
    description: CTO
    userPassword:: e1NTSEF9RnNaUHFGQVJmUTRlZEtNS2FKQUxGKy9KaUZqT2dvSW0=
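The {SSHA} scheme used for rootpw and for userPassword above is one SHA-1 over password plus salt, with the salt appended to the digest and the whole thing base64-encoded. The following added example (my own code, not from the page or from OpenLDAP; the function names are mine) decodes the base64 LDIF value above, splits it into digest and salt, and shows how to create and verify such a hash offline, which is what you need when auditing a directory dump.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the page: how {SSHA} values in rootpw / userPassword are built
# and verified. Layout: "{SSHA}" + base64(sha1(password + salt) + salt); the salt is whatever
# follows the 20-byte SHA-1 digest (slappasswd uses 4 random bytes).

# The userPassword value exactly as byrd.ldif on this page carries it. "::" in LDIF means the
# whole attribute value is base64-encoded, {SSHA} prefix included.
LDIF_USERPASSWORD_B64 = "e1NTSEF9RnNaUHFGQVJmUTRlZEtNS2FKQUxGKy9KaUZqT2dvSW0="


def ldif_value(b64_value: str) -> str:
    """Decode a base64 ("::") LDIF attribute value back to its text form."""
    return base64.b64decode(b64_value).decode("ascii")


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} string the way slappasswd -h {SSHA} does; random 4-byte salt unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt); raises ValueError for a non-{SSHA} or truncated value."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    size = hashlib.sha1().digest_size  # 20
    if len(raw) <= size:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return raw[:size], raw[size:]


def ssha_verify(password: str, value: str) -> bool:
    """Constant-time comparison of a candidate password against a {SSHA} value."""
    digest, salt = ssha_split(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ldif_value(LDIF_USERPASSWORD_B64)
    digest, salt = ssha_split(stored)
    print(stored, "digest bytes:", len(digest), "salt bytes:", len(salt))
    fresh = ssha_encode("w34Q$fqwe4")
    print(fresh, ssha_verify("w34Q$fqwe4", fresh), ssha_verify("qwertyui", fresh))
```

A single salted SHA-1 is cheap to brute-force, so the combination of password-hash {SSHA} with an ACL that lets any authenticated user read userPassword (see the slapd.conf note above) is the real weakness here; fix the ACL first, and consider the stronger hash schemes OpenLDAP offers through its contrib password modules.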
OU Policies:

    $ cat /usr/local/openldap/etc/openldap/policies.ldif
    dn: ou=Policies,dc=ldap,dc=t4x,dc=org
    objectClass: organizationalUnit
    ou: Policies
Default password rules. This is the entry named by ppolicy_default in slapd.conf; pwdPolicy and pwdPolicyChecker are auxiliary classes, which is why the structural class device is added. pwdMaxAge 7776000 is 90 days with a warning (pwdExpireWarning) from 7 days before expiry; after expiry pwdGraceAuthNLimit allows 10 more binds. pwdLockout locks the account for pwdLockoutDuration (300 s) after pwdMaxFailure (5) failed binds within pwdFailureCountInterval (30 s). pwdCheckQuality 2 means a password that cannot be checked (for example one sent already hashed) is rejected rather than accepted. pwdMustChange only takes effect on accounts whose password was reset by an administrator (pwdReset), and pwdSafeModify FALSE lets a user change their password without supplying the old one in the same operation:

    $ cat /usr/local/openldap/etc/openldap/security1.ldif
    dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
    cn: security
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdMaxAge: 7776000
    pwdInHistory: 5
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdExpireWarning: 604800
    pwdGraceAuthNLimit: 10
    pwdFailureCountInterval: 30
    pwdMustChange: TRUE
    pwdSafeModify: FALSE
    pwdLockout: TRUE
    pwdLockoutDuration: 300
    pwdMaxFailure: 5
Complexity rule: pqchecker.so. The module is attached to the policy entry with an ldapmodify of the following LDIF. slapd loads the file named in pwdCheckModule with dlopen and runs it inside the server process, so the name must resolve from slapd's module search path and the file must be owned by root and not writable by anyone else:

    $ cat /usr/local/openldap/etc/openldap/mode.ldif
    dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
    changetype: modify
    add: pwdCheckModule
    pwdCheckModule: pqchecker.so
Export all entries. Note that -w puts the rootdn password on the command line, where it is visible in the process list and shell history; prefer -W (prompt) or -y with a password file. In the output, cn:: c2VjdXJpdHkg is base64 for "security " with a trailing space, so the cn line of security1.ldif was saved with trailing whitespace and should be trimmed. Both user entries carry gidNumber 0, which on NSS clients maps to the root group; give users a real primary group:

    $ ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" > /tmp/all.ldif
    $ cat /tmp/all.ldif
    dn: dc=ldap,dc=t4x,dc=org
    objectClass: dcObject
    objectClass: organization
    o: T4X.Inc
    dc: ldap

    dn: ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: organizationalUnit
    ou: People

    dn: cn=admin,dc=ldap,dc=t4x,dc=org
    objectClass: organizationalRole
    cn: admin

    dn: ou=Policies,dc=ldap,dc=t4x,dc=org
    objectClass: organizationalUnit
    ou: Policies

    dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    gidNumber: 0
    givenName: byrd
    sn: byrd
    displayName: byrd
    uid: byrd
    homeDirectory: /home/byrd
    loginShell: /bin/bash
    cn: byrd
    uidNumber: 41872

    dn: uid=t4x,ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    gidNumber: 0
    givenName: t4x
    sn: t4x
    displayName: t4x
    uid: t4x
    homeDirectory: /home/t4x
    loginShell: /bin/bash
    cn: t4x
    uidNumber: 15557

    dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
    cn:: c2VjdXJpdHkg
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdMaxAge: 7776000
    pwdInHistory: 5
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdExpireWarning: 604800
    pwdGraceAuthNLimit: 10
    pwdFailureCountInterval: 30
    pwdMustChange: TRUE
    pwdSafeModify: FALSE
    pwdLockout: TRUE
    pwdLockoutDuration: 300
    pwdMaxFailure: 5
    pwdCheckModule: pqchecker.so
Export user information (filter on uid=*):

    $ ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" "(uid=*)" > /tmp/user.ldif
    $ cat /tmp/user.ldif
    dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    gidNumber: 0
    givenName: byrd
    sn: byrd
    displayName: byrd
    uid: byrd
    homeDirectory: /home/byrd
    loginShell: /bin/bash
    cn: byrd
    uidNumber: 41872
Verify password policy. ldappasswd is run as the user (-D is byrd's own DN), with -A and -S prompting for the old and new password and -W for the bind password; the server log lines come from pqchecker and slapd on ldap-m1.

First change: the old password is 123456, the new one w34Q$fqwe4; pqchecker accepts it and slapd answers err=0:

    $ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
    Old password: 123456
    Re-enter old password: 123456
    New password: w34Q$fqwe4
    Re-enter new password: w34Q$fqwe4
    Enter LDAP Password: 123456

    Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
    Sep 23 10:24:59 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
    Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Password accepted.
    Sep 23 10:24:59 ldap-m1 slapd[1089]: conn=1010 op=1 RESULT oid= err=0 text=

Second change: qwertyui is eight characters but all lowercase, so pqchecker rejects it and the client gets err=19 (Constraint violation):

    [root@ldap-m1 openldap]# ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
    Old password: w34Q$fqwe4
    Re-enter old password: w34Q$fqwe4
    New password: qwertyui
    Re-enter new password: qwertyui
    Enter LDAP Password: w34Q$fqwe4
    Result: Constraint violation (19)

    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected.

Third change: w34Q$fq is only seven characters, below pwdMinLength 8, and is rejected with the ppolicy message:

    $ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
    Old password: w34Q$fqwe4
    Re-enter old password: w34Q$fqwe4
    New password: w34Q$fq
    Re-enter new password: w34Q$fq
    Enter LDAP Password: w34Q$fqwe4
    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy

    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
    Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected.
    Sep 23 10:26:37 ldap-m1 slapd[1089]: check_password_quality: module error: (pqchecker.so) The password does not pass quality check. [1]
    Sep 23 10:26:37 ldap-m1 slapd[1089]: conn=1011 op=1 RESULT oid= err=19 text=

Fourth change: setting w34Q$fqwe4 again is refused by pwdInHistory:

    # ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
    Old password: w34Q$fqwe4
    Re-enter old password: w34Q$fqwe4
    New password: w34Q$fqwe4
    Re-enter new password: w34Q$fqwe4
    Enter LDAP Password: w34Q$fqwe4
    Result: Constraint violation (19)
    Additional info: Password is in history of old passwords

Reading the entry back as the user (output not shown on the original page):

    $ ldapsearch -x -w admin -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -b "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org"
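To make the interaction between the policy entry and the pqchecker rule concrete, here is an added example that models them in Python; it is my own code, not slapd, ppolicy or pqchecker, and the class and function names are mine. It uses the policy's own attribute names and reproduces the four outcomes of the ldappasswd transcript above plus the pwdLockout bookkeeping (pwdMaxFailure within pwdFailureCountInterval, pwdLockoutDuration) that the transcript does not exercise. Reading the pqchecker parameter string "0|01010101" as four two-digit minimums (uppercase, lowercase, digits, other characters) is an assumption; confirm it against pqchecker's documentation.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not slapd/ppolicy/pqchecker code: a model of what
# cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org plus pqchecker enforce.
# Assumption: "0|01010101" = four two-digit minimums (upper, lower, digit, other).


@dataclass
class Policy:
    pwdMinLength: int = 8
    pwdInHistory: int = 5
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 30   # seconds a failure keeps counting toward pwdMaxFailure
    pwdLockoutDuration: int = 300       # seconds the account stays locked
    quality_params: str = "0|01010101"  # pqchecker parameters, as logged by the server


@dataclass
class Account:
    passwords: List[str] = field(default_factory=list)   # current password last (slapd keeps hashes in pwdHistory)
    failures: List[float] = field(default_factory=list)  # pwdFailureTime values, epoch seconds
    locked_at: Optional[float] = None                    # pwdAccountLockedTime


def parse_quality(params: str) -> Tuple[int, int, int, int]:
    """Split 'x|UULLDDSS' into (min_upper, min_lower, min_digit, min_other)."""
    digits = params.split("|")[1]
    up, lo, dg, sp = (int(digits[i:i + 2]) for i in range(0, 8, 2))
    return up, lo, dg, sp


def check_quality(pw: str, policy: Policy) -> Optional[str]:
    """None if acceptable, else the message the page shows for that failure."""
    if len(pw) < policy.pwdMinLength:
        return "Password fails quality checking policy"      # ppolicy pwdMinLength
    need = parse_quality(policy.quality_params)
    have = (sum(c.isupper() for c in pw), sum(c.islower() for c in pw),
            sum(c.isdigit() for c in pw), sum(not c.isalnum() for c in pw))
    if any(h < n for h, n in zip(have, need)):
        return "The password does not pass quality check"   # pqchecker verdict
    return None


def change_password(acct: Account, new_pw: str, policy: Policy) -> Optional[str]:
    """Model of a password modify under the policy; None on success, else the reason."""
    reason = check_quality(new_pw, policy)
    if reason:
        return reason
    # the current password and the last pwdInHistory previous ones are all compared
    if new_pw in acct.passwords[-(policy.pwdInHistory + 1):]:
        return "Password is in history of old passwords"
    acct.passwords.append(new_pw)
    return None


def record_bind(acct: Account, ok: bool, policy: Policy, now: float) -> bool:
    """Apply pwdLockout bookkeeping for one bind attempt; True if the bind is allowed."""
    if acct.locked_at is not None:
        if now - acct.locked_at < policy.pwdLockoutDuration:
            return False                                     # still locked out
        acct.locked_at, acct.failures = None, []             # lockout expired
    # failures older than pwdFailureCountInterval no longer count
    acct.failures = [t for t in acct.failures if now - t < policy.pwdFailureCountInterval]
    if ok:
        acct.failures = []
        return True
    acct.failures.append(now)
    if len(acct.failures) >= policy.pwdMaxFailure:
        acct.locked_at = now
    return False


if __name__ == "__main__":
    p, byrd = Policy(), Account(passwords=["123456"])
    for candidate in ("w34Q$fqwe4", "qwertyui", "w34Q$fq", "w34Q$fqwe4"):
        print(candidate, "->", change_password(byrd, candidate, p) or "accepted")
```

The pwdFailureCountInterval of 30 seconds is worth a second look: an attacker who paces guesses at one every 31 seconds never accumulates five counted failures and is never locked out, so a longer interval (or rate limiting in front of the directory) is needed if the lockout is meant to stop online guessing rather than only typos.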