1,086
edits
FeministWiki:LDAP Schema: Difference between revisions
no edit summary
Technician (talk | contribs) mNo edit summary |
Technician (talk | contribs) No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 38: | Line 38: | ||
* The <code>fwRecoveryMail</code> field may hold a mail address that will be used for password reset requests. It's different from the primary mail address because that one may be the member's FeministWiki address, which they can't access if they've lost their password. | * The <code>fwRecoveryMail</code> field may hold a mail address that will be used for password reset requests. It's different from the primary mail address because that one may be the member's FeministWiki address, which they can't access if they've lost their password. | ||
* The <code>manager</code> contains the DN (distinguished name) of the member who added the member. It may be empty for special member accounts like "Administrator" or the "Deleted" pseudo-account. | * The <code>manager</code> contains the DN (distinguished name) of the member who added the member. It may be empty for special member accounts like "Administrator" or the "Deleted" pseudo-account. | ||
=== Tips on the usage of ldap commands === | |||
Commands such as ldapsearch, ldapmodify, etc. require authentication. The correct method depends on whether you want to interact with the configuration database found in {{C|/etc/ldap/slapd.d}}, or the actual data database found in {{C|/var/lib/ldap}}. | |||
For configuration, use {{C|-Y external -H ldapi://}} to connect directly with root permissions, so no actual LDAP domain login is needed. | |||
For data, use {{C|-xy ~/pwd/ldap}} to use the LDAP domain admin password. The file {{C|~/.ldaprc}} should contain {{C|BINDDN cn=admin,dc=feministwiki,dc=org}} so you don't have to specify the domain admin explicitly every time. | |||
=== Read-only user === | === Read-only user === | ||
| Line 50: | Line 58: | ||
cn: readonly | cn: readonly | ||
description: Read-only user | description: Read-only user | ||
userPassword: $(cat ~/pwd/ldap-readonly) | |||
EOF | EOF | ||
| Line 102: | Line 111: | ||
In short, the steps go as follows (these commands ''should'' work verbatim): | In short, the steps go as follows (these commands ''should'' work verbatim): | ||
# | # Only needed on old versions of slapd, to add the ppolicy schema | ||
ldapadd -Y external -H ldapi:// < /etc/ldap/schema/ppolicy.ldif | #ldapadd -Y external -H ldapi:// < /etc/ldap/schema/ppolicy.ldif | ||
# Enable the ppolicy dynamic module | # Enable the ppolicy dynamic module | ||
| Line 139: | Line 148: | ||
pwdLockout: TRUE | pwdLockout: TRUE | ||
pwdLockoutDuration: 3600 | pwdLockoutDuration: 3600 | ||
pwdMaxFailure: | pwdMaxFailure: 10 | ||
pwdFailureCountInterval: 3600 | |||
EOF | EOF | ||
| Line 150: | Line 160: | ||
EOF | EOF | ||
With these settings, | With these settings, ten consecutive authentication failures with a username will lock the account for an hour. Login failures are also cleared after an hour. This means it's possible to try ten passwords per hour during a brute-force attack, which won't get the attacker very far. | ||
=== Time of last login === | === Time of last login === | ||