(This article is also available in Hungarian.)
What is a password policy good for?
In my case it's three things:
- you can define the minimum length of the passwords
- passwords expire
- before the expiration the user gets a warning to change the password
First we load the ppolicy schema, which the Debian/Ubuntu slapd package ships in /etc/ldap/schema, into cn=config:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

(SASL EXTERNAL authenticates with the peer credentials of the local ldapi:/// socket, so -H ldapi:/// is needed unless /etc/ldap/ldap.conf already sets URI to that socket; the same goes for every -Y EXTERNAL command below.)

See if it is really there; the output should include an entry like cn={N}ppolicy,cn=schema,cn=config:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

We need to put a default policy in the LDAP. Create the file policiesou.ldif:
dn: ou=Policies,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: Policies
description: policies come here

Put the contents in the LDAP:

ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f policiesou.ldif

(-w secret puts the admin password on the command line, where it lands in the shell history and is visible in the process list; outside a throwaway test box use -W and let ldapadd prompt for it.)

Next we load the module that implements the policies. Create the file ppolicy_moduleload.ldif:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

Put the contents in the LDAP (the file carries an explicit changetype: modify, which takes precedence over ldapadd's default of adding entries, so ldapadd works here):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_moduleload.ldif

What modules are loaded? The olcModuleLoad values should now include ppolicy:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config'
Create the file ppolicy_overlay.ldif. Among other things this tells slapd where to find the default policy. The overlay attaches to the database that holds your data; on this install that is olcDatabase={1}hdb, but newer slapd releases default to the mdb backend, so check the database DN under cn=config and use olcDatabase={1}mdb if that is what you have.

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc

Put the contents in the LDAP:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_overlay.ldif

What overlays are in use?

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config'
Now we write the default policy. We store it in the file ppolicy_default.ldif.

dn: cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

What is all this?

pwdPolicy is an auxiliary object class, so the entry also needs a structural one; device is the conventional choice. pwdAttribute names the attribute the policy applies to.

The password is valid for 5 weeks (60x60x24x7x5 = 3024000 seconds), and 3 weeks before expiration the user starts getting warnings (60x60x24x7x3 = 1814400 seconds); pwdExpireWarning has to be smaller than pwdMaxAge. These values are good for testing - we'll talk about it later. Note that the age is counted from pwdChangedTime, which the overlay stamps on the entry at each password change, so passwords that were set before the overlay was active have nothing for pwdMaxAge to count from until they are changed once.

The password needs to be at least 8 characters long (pwdMinLength). With pwdCheckQuality: 1 this is only checked when the client sends the new password in the clear; a value that arrives already hashed is accepted unchecked (2 would reject it instead). The hashes of the last 3 passwords are kept in pwdHistory and the user cannot reuse them. Three wrong passwords in a row (pwdMaxFailure) lock the account, and with pwdFailureCountInterval: 0 the failure counter is only cleared by a successful bind. The lock disappears after 10 minutes (pwdLockoutDuration: 600 seconds; 0 would keep it locked until an admin removes pwdAccountLockedTime). pwdGraceAuthNLimit: 0 means no logins at all once the password has expired. pwdMustChange is there so that when the admin sets or resets a user's password the user is forced to change it at the next login (the overlay flags the entry with pwdReset). We'll get back to it later. pwdAllowUserChange lets users change their own password, and pwdSafeModify: FALSE means they don't have to send the old one along when doing so.
We make LDAP eat this too:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f ppolicy_default.ldif

Let us see what we have created:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=DefaultPPolicy,ou=Policies,dc=itthon,dc=cucc

When you test the policy, bind as an ordinary user: the rootdn (cn=admin here) bypasses it, so wrong passwords for cn=admin neither count nor lock anything. The overlay keeps its bookkeeping in operational attributes on the user entry (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdHistory), which ldapsearch only returns if you ask for them with '+'.
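Once the policy is live, everything it tracks lives in those operational attributes, and it is worth being able to read them without binding as each user. The following Python script is an added example, not part of this post or of OpenLDAP: it parses ldapsearch-style LDIF output (a constructed sample with invented users under ou=People,dc=itthon,dc=cucc is embedded) and applies the policy arithmetic from ppolicy_default.ldif above to report, per user, whether the password is fine, inside its warning window or expired, how many failed binds are on record, and whether the account is currently locked and until when. It assumes the default policy applies to every user (no per-user pwdPolicySubentry) and that timestamps are in the YYYYmmddHHMMSSZ form slapd writes.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Policy values taken from ppolicy_default.ldif above (seconds, except pwdMaxFailure)
POLICY = {
    "pwdMaxAge": 3024000,         # 5 weeks
    "pwdExpireWarning": 1814400,  # 3 weeks
    "pwdMaxFailure": 3,
    "pwdLockoutDuration": 600,    # 10 minutes
}

# Constructed sample, roughly what an ldapsearch -LLL over ou=People asking for
# pwdChangedTime pwdFailureTime pwdAccountLockedTime would return. The users,
# the ou=People container and every timestamp are invented for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=itthon,dc=cucc
pwdChangedTime: 20240301120000Z

dn: uid=bob,ou=People,dc=itthon,dc=cucc
pwdChangedTime: 20240101120000Z
pwdFailureTime: 20240320100000Z
pwdFailureTime: 20240320100010Z
pwdFailureTime: 20240320100020Z
pwdAccountLockedTime: 20240320100020Z

dn: uid=carol,ou=People,dc=itthon,dc=cucc
pwdAccountLockedTime: 000001010000Z
"""

# Special value ppolicy uses in pwdAccountLockedTime for "locked until an admin unlocks"
PERMANENT_LOCK = "000001010000Z"


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value' per
    line, continuation lines start with a space, 'attr:: value' is base64,
    attributes may repeat (pwdFailureTime is multi-valued)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.fraction]Z, always UTC."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unexpected GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def assess(entry, policy, now):
    """Apply the policy arithmetic to one entry's operational attributes."""
    result = {"dn": entry["dn"][0], "expires_at": None, "unlock_at": None}

    changed = entry.get("pwdChangedTime")
    if changed:
        expires = parse_generalized_time(changed[0]) + timedelta(seconds=policy["pwdMaxAge"])
        warn_from = expires - timedelta(seconds=policy["pwdExpireWarning"])
        result["expires_at"] = expires
        result["password"] = "expired" if now >= expires else "warning" if now >= warn_from else "ok"
    else:
        # ppolicy stamps pwdChangedTime only on passwords set while the overlay is
        # active, so an older password has nothing for pwdMaxAge to count from.
        result["password"] = "unknown"

    # With pwdFailureCountInterval 0 every recorded failure counts until a successful bind.
    result["failures"] = len(entry.get("pwdFailureTime", []))

    locked = entry.get("pwdAccountLockedTime")
    if locked and locked[0] == PERMANENT_LOCK:
        result["locked"] = True
    elif locked:
        if policy["pwdLockoutDuration"] == 0:
            result["locked"] = True  # stays locked until an admin removes the attribute
        else:
            unlock = parse_generalized_time(locked[0]) + timedelta(seconds=policy["pwdLockoutDuration"])
            result["unlock_at"] = unlock
            result["locked"] = now < unlock
    else:
        result["locked"] = False
    return result


def audit(ldif_text, policy=POLICY, now=None):
    now = now or datetime.now(timezone.utc)
    return [assess(entry, policy, now) for entry in parse_ldif(ldif_text)]


if __name__ == "__main__":
    for r in audit(SAMPLE_LDIF, now=datetime(2024, 3, 20, 10, 5, tzinfo=timezone.utc)):
        print(r)
```

To run it against a real directory, pipe in the output of an ldapsearch that binds as the admin and asks for the three operational attributes by name (for example over ou=People,dc=itthon,dc=cucc, if that is where your users live) and call audit() on it; the policy dictionary is the place to change if you later tune pwdMaxAge and friends away from the testing values.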
Enough for today. To be continued.