Friday, December 9, 2011

OpenLDAP with ppolicy

Overlays are dynamically configurable modules that provide additional functionality to OpenLDAP. The ppolicy overlay provides some useful functionality for enforcing a password policy for the domain.

Our requirements were the following:
  •  Accounts should be locked out after 5 failed authentication attempts.
  •  Password expiration after 90 days.
  •  Minimum password length of 8.
All our Ubuntu desktops were authenticating against the OpenLDAP server (which was set up on a CentOS box). We were able to achieve the 90-day password expiration using the default shadowAccount objectClass as given below.

# user1, People,
dn: uid=user1,ou=People,dc=example,dc=in
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEMzOxxxxxxxxxx
shadowLastChange: 15299
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 630
gidNumber: 1005
homeDirectory: /data/user1

But we couldn't find any way to implement the password expiration and password length policies using the default OpenLDAP configuration. So I started my experiments with the ppolicy overlay. The ppolicy overlay provides enhanced password management capabilities that are applied to non-rootdn bind attempts in OpenLDAP.

The password policy (ppolicy) and other overlays are included in the package openldap-servers-overlays on Red Hat/CentOS servers. So we first need to install this package, assuming the OpenLDAP server and its dependencies are already installed.
yum install openldap-servers-overlays
The ppolicy module file should get installed at /usr/lib64/openldap/ and the schema file at /etc/openldap/schema/ppolicy.schema on a 64-bit CentOS/Red Hat server. The module file should be in the /usr/lib/openldap directory on an x86 server.

Server Configuration
We need to configure the ppolicy overlay now. Add the following lines to /etc/openldap/slapd.conf in the respective sections.

include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib64/openldap

This assumes that the ppolicy overlay files are in the respective locations. The ACLs should be set such that clients bind to the OpenLDAP server by self-authentication. We should not allow anonymous or rootdn binds to the server. The default configuration is to allow anonymous binds to the server. So I added the ACL as given below in the ACL section of slapd.conf.

access to attrs=userPassword
by self =xw
by anonymous auth
by * none

access to *
by self write
by * read

Next we need to add the default password policy we are going to enforce on the domain. Add the following after the database section in slapd.conf.

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=in"

This should complete the configuration of slapd.conf. You should be able to restart the LDAP server without any issues now.

Importing the password policy

Create an LDIF file with the following content.

cat password-policy.ldif

dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies,
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

This sets the following policies:
  •  password expiration at 90 days
  •  password lockout on 5 failures and a lockout duration of 15 minutes
  •  minimum password length of 8
  •  3 earlier passwords kept in history
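As an added example that is not part of the original post, the following Python reads constructed, abridged copies of the shadowAccount entry for user1 and the pwdPolicy entry above, works out the expiry date the shadow attributes imply, and maps the pwdPolicy attributes back to the requirement list; parse_ldif_entry, shadow_expiry, max_age_days and check_policy are names chosen here, not OpenLDAP APIs.

```python
import base64
from datetime import date, timedelta
# Constructed, abridged copies of the two LDIF entries shown in the post.
USER_LDIF = """\
dn: uid=user1,ou=People,dc=example,dc=in
objectClass: shadowAccount
shadowLastChange: 15299
shadowMax: 90
"""
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: pwdPolicy
pwdMaxAge: 7776002
pwdInHistory: 3
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {attr: [values]}; decodes 'attr:: base64' values, skips '#' comments."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value (e.g. userPassword above)
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry

def shadow_expiry(entry):
    """Date pam_ldap treats the password as expired: shadowLastChange + shadowMax, in days since 1970-01-01."""
    days = int(entry["shadowLastChange"][0]) + int(entry["shadowMax"][0])
    return date(1970, 1, 1) + timedelta(days=days)

def max_age_days(entry):
    return divmod(int(entry["pwdMaxAge"][0]), 86400)  # pwdMaxAge is seconds -> (days, leftover seconds)

def check_policy(entry):
    """Map the pwdPolicy attributes back to the requirements listed in the post."""
    v = lambda a: entry[a][0]
    return {
        "expires_in_90_days": max_age_days(entry)[0] == 90,
        "lockout_after_5_failures": v("pwdLockout") == "TRUE" and int(v("pwdMaxFailure")) == 5,
        "lockout_lasts_15_minutes": int(v("pwdLockoutDuration")) == 15 * 60,
        "min_length_8": int(v("pwdMinLength")) >= 8,
        "remembers_3_passwords": int(v("pwdInHistory")) == 3,
    }
```

For user1 the shadow attributes put the expiry at 2012-02-19, and max_age_days returns (90, 2): pwdMaxAge 7776002 is 90 days plus 2 seconds.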

To import the policy run the following command.

ldapadd -D "cn=Manager,dc=example,dc=in" -W -x -f password-policy.ldif

This ldapadd command adds the policy after authenticating as the LDAP administrator. We should be able to see the newly imported policy now when we do an ldapsearch.

ldapsearch -x -D "cn=Manager,dc=example,dc=in" -W -b "dc=example,dc=in"

This completes the server configuration.

Client Side Configuration
On the LDAP clients (in my case Ubuntu desktops) we need to make the following change in the LDAP client configuration file /etc/ldap.conf, assuming the client was configured to authenticate to our LDAP server before. Uncomment the pam_lookup_policy line, which should already be there in /etc/ldap.conf.

pam_lookup_policy yes

Yes!! Now the password policy should be enforced for all non-rootdn authentication attempts!


OpenLDAP server Backup & Restore

To back up the entire LDAP database we can make use of the command slapcat. The slapcat command generates an LDIF (LDAP Data Interchange Format) file containing a dump of the entire LDAP database.

slapcat -v -l ldap-backup.ldif

The above command generates a backup file named ldap-backup.ldif in the current directory.

Without the -l option slapcat writes the content to standard output.

The slapcat command reads the LDAP configuration file at the default location (/etc/openldap/slapd.conf) and takes the database dump. We can provide an LDAP configuration file at a different location using the -f option as given below.

slapcat -v -f /etc/openldap/slapd.conf -l ldap-backup.ldif


To restore the database from the earlier backup LDIF file we can use the slapadd command.

slapadd -l ldap-backup.ldif

In case files already exist in the LDAP database location, we have to clear them before restoring with slapadd, while retaining the DB_CONFIG file. The sample DB_CONFIG file should be at /etc/openldap/DB_CONFIG.example.

rm -fr /var/lib/ldap/*

Once the files are cleared you should be able to restore the database using the slapadd command given above.

On successful completion of the restoration, restart the LDAP server.

service ldap restart
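The clearing step of the restore procedure above, as an added Python example that is not from the original post: clear_ldap_db_dir empties the database directory while keeping DB_CONFIG (which rm -fr /var/lib/ldap/* would also delete) and copies it back from DB_CONFIG.example when it is missing, and demo runs it against a constructed temporary stand-in for /var/lib/ldap. The function names and the sample file names are this example's own assumptions; slapcat, slapadd and the restart are still the commands given above.

```python
import os
import shutil
import tempfile

DB_CONFIG = "DB_CONFIG"

def clear_ldap_db_dir(db_dir, sample_db_config=None):
    """Empty db_dir (normally /var/lib/ldap) before slapadd while keeping DB_CONFIG,
    which 'rm -fr /var/lib/ldap/*' would remove as well. If DB_CONFIG is absent and a
    sample path (/etc/openldap/DB_CONFIG.example on the post's server) is given, copy
    it in. Returns the sorted names left in db_dir."""
    keep = os.path.join(db_dir, DB_CONFIG)
    for name in os.listdir(db_dir):
        if name == DB_CONFIG:
            continue
        path = os.path.join(db_dir, name)
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path)
        else:
            os.remove(path)  # *.bdb index files, __db.* region files, log.* transaction logs
    if sample_db_config and not os.path.exists(keep):
        shutil.copy(sample_db_config, keep)
    return sorted(os.listdir(db_dir))

def demo(db_config_present=True):
    """Constructed stand-in for /var/lib/ldap (a few BDB backend files, optionally
    DB_CONFIG) plus a stand-in for /etc/openldap/DB_CONFIG.example; returns what survives."""
    base = tempfile.mkdtemp()
    db_dir = os.path.join(base, "ldap")
    os.mkdir(db_dir)
    sample = os.path.join(base, "DB_CONFIG.example")
    with open(sample, "w") as f:
        f.write("# constructed sample DB_CONFIG\n")
    names = ["dn2id.bdb", "id2entry.bdb", "__db.001", "log.0000000001", "alock"]
    if db_config_present:
        names.append(DB_CONFIG)
    for name in names:
        open(os.path.join(db_dir, name), "w").close()
    return clear_ldap_db_dir(db_dir, sample)
```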