FeministWiki:LDAP Schema: diferenças entre revisões

← Edição anterior

FeministWiki:LDAP Schema (ver código-fonte)

Revisão das 23h03min de 5 de fevereiro de 2020

1 615 bytes adicionados , 5 de fevereiro de 2020

→‎Password policy

Technician

Burocratas, Administradores da interface, Administradores

585

edições

@@ Linha 54: / Linha 54: @@
 === Custom objectClass ===
-The following LDIF statement may be passed to 'ldapadd' to create the <code>fwMember</code> object class.
+The following LDIF statement may be passed to <code>ldapadd</code> to create the <code>fwMember</code> object class.
   # Addition to be made via 'ldapadd'
@@ Linha 74: / Linha 74: @@
 === Attribute permissions ===
-We want members to be able to change some of their own settings without requiring privilege escalation.  We also want the read-only user to be able to find users via the combination of their username and recovery mail address (the password reset mechanism uses this) but not actually see recovery mail addresses.  The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:
+We want to make the following changes to the default LDAP permissions:
+* Members should be able to change their own display name (<code>sn</code>) and e-mail address (<code>mail</code>).
+* The read-only user should be able to find users via the combination of their username and recovery mail address (<code>fwRecoveryMail</code>), but not actually see their recovery mail addresses.  (The password reset mechanism uses this.)
+* Members should not be able to see who a member was added by (the <code>manager</code> field).
+The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:
   # Modification to be made via 'ldapmodify'
@@ Linha 82: / Linha 88: @@
   olcAccess: {2}to attrs=sn,mail by self write
   olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
+ olcAccess: {4}to attrs=manager by self read
   -
-=== Password hashing ===
+Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.
+=== Password policy ===
 To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used.  ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html
@@ Linha 108: / Linha 117: @@
   olcPPolicyHashCleartext: TRUE
   EOF
+Further, <code>ppolicy</code> is used to enable brute-force protection.  For this, we need to add an entry of the object class <code>pwdPolicy</code> to the directory, add attributes related to brute-force protection, and then set it as the default password policy:
+ # Add an OU for password policies
+ ldapadd -xy ~/pwd/ldap <<EOF
+ dn: ou=pwdPolicies,dc=feministwiki,dc=org
+ objectClass: organizationalUnit
+ ou: pwdPolicies
+ EOF
+ # Add the pwdPolicy object
+ ldapadd -xy ~/pwd/ldap <<EOF
+ dn: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org
+ objectClass: applicationProcess
+ objectClass: pwdPolicy
+ cn: default
+ pwdAttribute: userPassword
+ pwdLockout: TRUE
+ pwdLockoutDuration: 3600
+ pwdMaxFailure: 5
+ EOF
+ # Set it as the default password policy
+ ldapmodify -Y external -H ldapi:// <<EOF
+ dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
+ changetype: modify
+ add: olcPPolicyDefault
+ olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org
+ EOF
+With these settings, five consecutive authentication failures with a username will lock the account for an hour.
 === Time of last login ===