1,106 edits
Technician (talk | contribs) |
Line 93: | Line 93: | ||
Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | ||
=== Password | === Password policy === | ||
To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html | To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html | ||
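Review bot: the sentence under the renamed "Password policy" heading promises more than the overlay delivers; ppolicy hashes passwords only when they arrive in cleartext in an Add or Modify request (that is what olcPPolicyHashCleartext controls), using the scheme configured by the server's olcPasswordHash, which defaults to {SSHA}. Values that were already stored in plain text before the overlay was enabled are left untouched, so the text should tell readers that existing accounts need a password change or rehash, and could mention that passwords set through the Password Modify extended operation are hashed by slapd regardless of this setting.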
Line 117: | Line 117: | ||
olcPPolicyHashCleartext: TRUE | olcPPolicyHashCleartext: TRUE | ||
EOF | EOF | ||
Further, <code>ppolicy</code> is used to enable brute-force protection. For this, we need to add an entry of the object class <code>pwdPolicy</code> to the directory, add attributes related to brute-force protection, and then set it as the default password policy: | |||
# Add an OU for password policies | |||
ldapadd -xy ~/pwd/ldap <<EOF | |||
dn: ou=pwdPolicies,dc=feministwiki,dc=org | |||
objectClass: organizationalUnit | |||
ou: pwdPolicies | |||
EOF | |||
# Add the pwdPolicy object | |||
ldapadd -xy ~/pwd/ldap <<EOF | |||
dn: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org | |||
objectClass: applicationProcess | |||
objectClass: pwdPolicy | |||
cn: default | |||
pwdAttribute: userPassword | |||
pwdLockout: TRUE | |||
pwdLockoutDuration: 36000 | |||
pwdMaxFailure: 10 | |||
EOF | |||
# Set it as the default password policy | |||
ldapmodify -Y external -H ldapi:// <<EOF | |||
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config | |||
changetype: modify | |||
add: olcPPolicyDefault | |||
olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org | |||
EOF | |||
With these settings, ten consecutive authentication failures with a username will lock the account for ten hours. | |||
=== Time of last login === | === Time of last login === |
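Review bot: the added pwdPolicy entry sets pwdMaxFailure and pwdLockoutDuration but not pwdFailureCountInterval, and with the default of 0 the failure counter is only cleared by a successful bind, which the closing sentence ("ten consecutive authentication failures") should spell out; it would also help to say how an administrator lifts a lock early, by deleting the operational attribute pwdAccountLockedTime from the entry with ldapmodify. The prose should note the trade-off as well: a ten-hour lock means anyone who knows a username can keep that user out for ten hours, so a shorter pwdLockoutDuration combined with a pwdFailureCountInterval is the usual compromise. Finally, the DN olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config assumes ppolicy is the first overlay on the mdb database; suggest a sentence asking readers to confirm the index first, for example with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcPPolicyConfig)" 1.1.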