OpenLDAP has no password checking policy by default, so even a password like 123456 is accepted, which is clearly not what an administrator wants.
- Import the password policy schema

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
```
- Load the module. The syncprov module has already been added, so only the ppolicy module needs to be appended (mod_ppolicy.ldif):

```ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
```

```shell
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ppolicy.ldif
```
- Enable the overlay on the database and specify the DN of the default policy (ppolicy.ldif):

```ldif
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicy,dc=yaoge123,dc=com
olcPPolicyHashCleartext: TRUE
```

```shell
ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
```
- Create the default policy (defaultppolicy.ldif). The file contains two entries: the ou that holds the policies, and the policy itself:

```ldif
dn: ou=ppolicy,dc=yaoge123,dc=com
objectClass: organizationalUnit
objectClass: top
ou: ppolicy

dn: cn=default,ou=ppolicy,dc=yaoge123,dc=com
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthnLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
pwdCheckModule: check_password.so
```

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f defaultppolicy.ldif
```
- Edit /etc/openldap/check_password.conf to define the rules that check_password.so applies
- Both LDAP servers in the MirrorMode pair need the same configuration as above
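To see what the default policy entry and check_password.conf together reject before rolling the change out, here is an added example (not part of the original post, and not the code of the ppolicy overlay or of check_password.so) that parses a policy entry in LDIF form and a constructed check_password.conf, then evaluates candidate passwords against pwdMinLength, pwdCheckQuality and the character-class rules. The keys minPoints, useCracklib, minUpper, minLower, minDigit and minPunct are the ones used by the LTB check_password module; the scoring below is an approximation of that module's behaviour (one point per character class present), and the cracklib dictionary check is not reproduced.

```python
"""Evaluate candidate passwords against an OpenLDAP ppolicy entry plus
check_password.conf rules (approximation of check_password.so scoring)."""
import string

# Constructed sample: a trimmed copy of the default policy entry from the post.
POLICY_LDIF = """\
dn: cn=default,ou=ppolicy,dc=yaoge123,dc=com
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdMinLength: 8
pwdCheckModule: check_password.so
"""

# Constructed sample check_password.conf; values are assumptions for this demo.
CHECK_PASSWORD_CONF = """\
# number of character classes (upper, lower, digit, punct) that must be present
minPoints 3
useCracklib 0
minUpper 1
minLower 1
minDigit 1
minPunct 0
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_check_password_conf(text):
    """Parse 'key value' lines of check_password.conf into {key: int}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.strip()] = int(value.strip())
    return conf


def check_password(password, policy, conf):
    """Return the list of violated rules; an empty list means the password is accepted."""
    failures = []
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if len(password) < min_len:
        failures.append(f"shorter than pwdMinLength={min_len}")

    # pwdCheckQuality 0 disables the checker module entirely; 1 and 2 run it
    # (2 rejects on failure, which is what the post configures).
    if int(policy.get("pwdCheckQuality", ["0"])[0]) == 0:
        return failures

    counts = {
        "minUpper": sum(c.isupper() for c in password),
        "minLower": sum(c.islower() for c in password),
        "minDigit": sum(c.isdigit() for c in password),
        "minPunct": sum(c in string.punctuation for c in password),
    }
    points = sum(1 for n in counts.values() if n > 0)
    if points < conf.get("minPoints", 0):
        failures.append(f"only {points} character classes, minPoints={conf['minPoints']}")
    for key, n in counts.items():
        if n < conf.get(key, 0):
            failures.append(f"{key}={conf[key]} not met ({n} found)")
    return failures


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    conf = parse_check_password_conf(CHECK_PASSWORD_CONF)
    for candidate in ("123456", "abcdefgh", "Yaoge123!x"):
        print(candidate, "->", check_password(candidate, policy, conf) or "accepted")
```

With the values above, 123456 fails four rules (length, class count, no upper-case, no lower-case), abcdefgh passes the length check but fails on class count, upper-case and digits, and Yaoge123!x is accepted. Adjust CHECK_PASSWORD_CONF to match the real /etc/openldap/check_password.conf to preview the effect of a rule change on a list of candidate passwords without touching the directory.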