1. Load the ppolicy schema

  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

After loading it, list the schemas again; the ppolicy schema is now present:

  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

[Figure 1: Ldap OpenLDAP ppolicy]

2. Load the ppolicy module

  vim ppolicy_module.ldif
  ----------------------------------------------------------------
  # add the ppolicy module to the existing module{0} entry
  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: ppolicy

  ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif

Check whether the module has been loaded:

  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

[Figure 2: Ldap OpenLDAP ppolicy]

3. Load the ppolicy overlay

  vim ppolicy_overlay.ldif
  ----------------------------------------------------------------
  dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcPPolicyConfig
  olcOverlay: ppolicy
  # must be the DN of the policy entry created in step 4
  olcPPolicyDefault: cn=default,ou=policies,dc=demo,dc=com
  # hash cleartext passwords sent in userPassword modifications
  olcPPolicyHashCleartext: TRUE
  # honour pwdLockout/pwdMaxFailure in the policy entries
  olcPPolicyUseLockout: TRUE

  ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy_overlay.ldif

Check whether it was added successfully:

  vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb/olcOverlay\=\{1\}ppolicy.ldif

[Figure 3: Ldap OpenLDAP ppolicy]

4. Configure the default ppolicy and its rules

  vi default_ppolicy.ldif
  ----------------------------------------------------------------
  dn: ou=policies,dc=demo,dc=com
  objectClass: organizationalUnit
  objectClass: top
  ou: policies

  # pwdPolicy is an auxiliary class, so a structural class (person, with its
  # mandatory sn) is needed to make the entry valid
  dn: cn=default,ou=policies,dc=demo,dc=com
  cn: default
  objectClass: pwdPolicy
  objectClass: person
  objectClass: top
  pwdAttribute: userPassword
  pwdMinAge: 0
  # 90 days, in seconds
  pwdMaxAge: 7776000
  pwdInHistory: 5
  # 0 = no quality checking; pwdMinLength is only enforced when this is 1 or 2
  pwdCheckQuality: 0
  pwdMinLength: 5
  pwdExpireWarning: 6480000
  pwdGraceAuthNLimit: 5
  pwdLockout: TRUE
  # how long an automatic lock lasts, in seconds (0 would mean until an admin resets it)
  pwdLockoutDuration: 300000
  pwdMaxFailure: 5
  # failures older than this many seconds are purged from the count
  pwdFailureCountInterval: 30
  pwdMustChange: FALSE
  pwdAllowUserChange: TRUE
  pwdSafeModify: FALSE
  sn: dummy value

[Figure 4: Ldap OpenLDAP ppolicy]

You can use ldapwhoami with a wrong password to produce failed logins, then query the account's operational attributes (the trailing "+") to see the recorded failures and lock state:

  ldapwhoami -H ldap://192.168.141.136 -x -D "uid=chenxin,ou=People,dc=demo,dc=com" -w shay2000
  ldapsearch -H ldap://192.168.141.136 -x -LLL -b dc=demo,dc=com "(uid=chenxin)" +

[Figure 5: Ldap OpenLDAP ppolicy]
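Reading pwdFailureTime, pwdAccountLockedTime and pwdChangedTime by hand gets tedious, so here is an added example (not from the original page) that parses the LDIF printed by the ldapsearch above and evaluates it against the numbers in the cn=default policy: how many failures still fall inside pwdFailureCountInterval, whether the account is currently locked, when an automatic lock expires, and whether the password has passed pwdMaxAge. The LDIF sample, its timestamps and the account name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy values copied from cn=default,ou=policies,dc=demo,dc=com (seconds).
PWD_MAX_FAILURE = 5
PWD_FAILURE_COUNT_INTERVAL = 30
PWD_LOCKOUT_DURATION = 300000
PWD_MAX_AGE = 7776000
ADMIN_LOCK = "000001010000Z"  # special value: locked by an administrator, never expires

# Constructed sample of `ldapsearch -x -LLL -b dc=demo,dc=com "(uid=chenxin)" +` output
SAMPLE_LDIF = """\
dn: uid=chenxin,ou=People,dc=demo,dc=com
pwdChangedTime: 20240101120000Z
pwdFailureTime: 20240301100001.123456Z
pwdFailureTime: 20240301100003Z
pwdFailureTime: 20240301100005Z
pwdFailureTime: 20240301100007Z
pwdFailureTime: 20240301100009Z
pwdAccountLockedTime: 20240301100009Z
"""

def parse_ldif(text):  # first entry, plain (non-base64) values; attr -> list of values
    entry = {}
    for line in filter(None, text.splitlines()):
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def gtime(value):  # LDAP GeneralizedTime -> aware datetime (fractional seconds dropped)
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(entry, now):  # lockout and password-age status at time `now`
    window_start = now - timedelta(seconds=PWD_FAILURE_COUNT_INTERVAL)
    recent = [t for t in map(gtime, entry.get("pwdFailureTime", [])) if t >= window_start]
    state = {"recent_failures": len(recent), "at_limit": len(recent) >= PWD_MAX_FAILURE,
             "locked": False, "unlock_at": None, "password_expired": False}
    locked = entry.get("pwdAccountLockedTime", [None])[0]
    if locked == ADMIN_LOCK:      # administrative lock: never expires on its own
        state["locked"] = True
    elif locked:                  # automatic lock: expires after pwdLockoutDuration
        state["unlock_at"] = gtime(locked) + timedelta(seconds=PWD_LOCKOUT_DURATION)
        state["locked"] = now < state["unlock_at"]
    changed = entry.get("pwdChangedTime")
    if changed:                   # pwdMaxAge counts from the last password change
        state["password_expired"] = now >= gtime(changed[0]) + timedelta(seconds=PWD_MAX_AGE)
    return state

def state_at(ldif_text, now_gtime):  # evaluate an LDIF dump "as of" a GeneralizedTime
    return account_state(parse_ldif(ldif_text), gtime(now_gtime))
```

Running `state_at(SAMPLE_LDIF, "20240301100020Z")` reports five failures within the interval and a lock that expires 300000 seconds after pwdAccountLockedTime; the same attributes, queried later, show the lock cleared and the failure count back to zero.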

https://www.openldap.org/lists/openldap-technical/201111/msg00165.html

filter=(&(objectClass=inetOrgPerson)(!(organizationalStatus=0)))

(&(objectClass=*)(!(organizationalStatus=0)))

(&(objectClass=*)(!(pwdAccountLockedTime=000001010000Z)))

https://www.openldap.org/lists/openldap-technical/201504/msg00139.html