585
edições
Sem resumo de edição |
|||
(Há 3 edições intermédias do mesmo utilizador que não estão a ser apresentadas) | |||
Linha 54: | Linha 54: | ||
=== Custom objectClass === | === Custom objectClass === | ||
The following LDIF statement may be passed to | The following LDIF statement may be passed to <code>ldapadd</code> to create the <code>fwMember</code> object class. | ||
# Addition to be made via 'ldapadd' | # Addition to be made via 'ldapadd' | ||
Linha 74: | Linha 74: | ||
=== Attribute permissions === | === Attribute permissions === | ||
We want | We want to make the following changes to the default LDAP permissions: | ||
* Members should be able to change their own display name (<code>sn</code>) and e-mail address (<code>mail</code>). | |||
* The read-only user should be able to find users via the combination of their username and recovery mail address (<code>fwRecoveryMail</code>), but not actually see their recovery mail addresses. (The password reset mechanism uses this.) | |||
* Members should not be able to see who a member was added by (the <code>manager</code> field). | |||
The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes: | |||
# Modification to be made via 'ldapmodify' | # Modification to be made via 'ldapmodify' | ||
Linha 82: | Linha 88: | ||
olcAccess: {2}to attrs=sn,mail by self write | olcAccess: {2}to attrs=sn,mail by self write | ||
olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | ||
olcAccess: {4}to attrs=manager by self read | |||
- | - | ||
=== Password | Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | ||
=== Password policy === | |||
To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html | To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html | ||
Linha 108: | Linha 117: | ||
olcPPolicyHashCleartext: TRUE | olcPPolicyHashCleartext: TRUE | ||
EOF | EOF | ||
Further, <code>ppolicy</code> is used to enable brute-force protection. For this, we need to add an entry of the object class <code>pwdPolicy</code> to the directory, add attributes related to brute-force protection, and then set it as the default password policy: | |||
# Add an OU for password policies | |||
ldapadd -xy ~/pwd/ldap <<EOF | |||
dn: ou=pwdPolicies,dc=feministwiki,dc=org | |||
objectClass: organizationalUnit | |||
ou: pwdPolicies | |||
EOF | |||
# Add the pwdPolicy object | |||
ldapadd -xy ~/pwd/ldap <<EOF | |||
dn: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org | |||
objectClass: applicationProcess | |||
objectClass: pwdPolicy | |||
cn: default | |||
pwdAttribute: userPassword | |||
pwdLockout: TRUE | |||
pwdLockoutDuration: 3600 | |||
pwdMaxFailure: 5 | |||
EOF | |||
# Set it as the default password policy | |||
ldapmodify -Y external -H ldapi:// <<EOF | |||
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config | |||
changetype: modify | |||
add: olcPPolicyDefault | |||
olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org | |||
EOF | |||
With these settings, five consecutive authentication failures with a username will lock the account for an hour. | |||
=== Time of last login === | === Time of last login === |