OpenLDAP 双主编译安装

September 5, 2023Comments

BerkeleyDB安装：

$ yum install gcc gcc-c++ gcc-objc gcc-objc++ libobjc openssl openssl-devel libtool-ltdl-devel openldap-devel
#$ yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gcc-c++ gcc glibc-devel glibc-headers kernel-headers libgomp libstdc++-devel openssl-devel e2fsprogs-devel keyutils-libs-devel krb5-devel libselinux-devel libsepol-devel libtool-ltdl-devel
$ wget http://download.oracle.com/berkeley-db/db-5.1.29.tar.gz
$ tar zxf db-5.1.29.tar.gz 
$ cd db-5.1.29/build_unix/
$ ../dist/configure 
$ make && make install
$ echo "/usr/local/BerkeleyDB.5.1/lib/" >> /etc/ld.so.conf                    
$ ldconfig 
$ ldconfig -v

$ yum install gcc gcc-c++ gcc-objc gcc-objc++ libobjc openssl openssl-devel libtool-ltdl-devel openldap-devel

#$ yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gcc-c++ gcc glibc-devel glibc-headers kernel-headers libgomp libstdc++-devel openssl-devel e2fsprogs-devel keyutils-libs-devel krb5-devel libselinux-devel libsepol-devel libtool-ltdl-devel

$ wget http://download.oracle.com/berkeley-db/db-5.1.29.tar.gz

$ tar zxf db-5.1.29.tar.gz

$ cd db-5.1.29/build_unix/

$ ../dist/configure

$ make && make install

$ echo "/usr/local/BerkeleyDB.5.1/lib/" >> /etc/ld.so.conf

$ ldconfig

$ ldconfig -v

openLDAP安装：

$ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.48.tgz
$ tar zxf openldap-2.4.48.tgz
$ cd openldap-2.4.48
$ env CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include" LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib -D_GNU_SOURCE" ./configure --prefix=/opt/openldap-2.4.48 --enable-overlays=mod --enable-modules --enable-bdb --enable-mdb --with-tls --enable-crypt --enable-accesslog --enable-auditlog --enable-collect --enable-memberof --enable-syncprov
$ make depend && make && make install
$ for i in `ls -l /usr/local/openldap/bin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/bin/$i /usr/local/bin/$i;done
$ for i in `ls -l /usr/local/openldap/sbin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/sbin/$i /usr/local/sbin/$i;done
$ ln -s /usr/local/openldap/include/* /usr/local/include/

$ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.48.tgz

$ tar zxf openldap-2.4.48.tgz

$ cd openldap-2.4.48

$ env CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include" LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib -D_GNU_SOURCE" ./configure --prefix=/opt/openldap-2.4.48 --enable-overlays=mod --enable-modules --enable-bdb --enable-mdb --with-tls --enable-crypt --enable-accesslog --enable-auditlog --enable-collect --enable-memberof --enable-syncprov

$ make depend && make && make install

$ for i in `ls -l /usr/local/openldap/bin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/bin/$i /usr/local/bin/$i;done

$ for i in `ls -l /usr/local/openldap/sbin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/sbin/$i /usr/local/sbin/$i;done

$ ln -s /usr/local/openldap/include/* /usr/local/include/

配置文件:

openldap配置文件:文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/
M1:

# egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf include /usr/local/openldap/etc/openldap/schema/corba.schema include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/duaconf.schema include /usr/local/openldap/etc/openldap/schema/dyngroup.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/java.schema include /usr/local/openldap/etc/openldap/schema/misc.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/openldap.schema include /usr/local/openldap/etc/openldap/schema/ppolicy.schema include /usr/local/openldap/etc/openldap/schema/collective.schema pidfile /opt/openldap-2.4.48/var/run/slapd.pid argsfile /opt/openldap-2.4.48/var/run/slapd.args serverID 1 modulepath /opt/openldap-2.4.48/libexec/openldap moduleload ppolicy.la access to * by self write by anonymous auth by * read database mdb maxsize 1073741824 suffix "dc=ldap,dc=t4x,dc=org" checkpoint 2048 10 rootdn "cn=admin,dc=ldap,dc=t4x,dc=org" directory /opt/openldap-2.4.48/var/openldap-data syncrepl rid=001 provider=ldap://192.168.227.34 binddn="cn=admin,dc=ldap,dc=t4x,dc=org" bindmethod=simple credentials=admin searchbase="dc=ldap,dc=t4x,dc=org" schemachecking=off type=refreshAndPersist retry="60 +" TLSCACertificatePath /usr/local/openldap/ssl/ TLSCertificateFile "\"OpenLDAP Server\"" TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem TLSCertificateKeyFile /usr/local/openldap/ssl/ldapkey.pem TlsVerifyClient never index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub loglevel 296 rootpw {SSHA}iMgn+YhiZm1O9QB6BBZuOS+ko/Gb/262 mirrormode TRUE overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE syncprov-checkpoint 100 2 overlay ppolicy password-hash {SSHA} ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org ppolicy_hash_cleartext ppolicy_use_lockout

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

# egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf
include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/duaconf.schema
include         /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/java.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include         /usr/local/openldap/etc/openldap/schema/collective.schema
pidfile         /opt/openldap-2.4.48/var/run/slapd.pid
argsfile        /opt/openldap-2.4.48/var/run/slapd.args
serverID 1
modulepath      /opt/openldap-2.4.48/libexec/openldap
moduleload      ppolicy.la
access to *
    by self write
    by anonymous auth
    by * read
database        mdb
maxsize         1073741824
suffix          "dc=ldap,dc=t4x,dc=org"
checkpoint      2048 10
rootdn          "cn=admin,dc=ldap,dc=t4x,dc=org"
directory       /opt/openldap-2.4.48/var/openldap-data
syncrepl rid=001
    provider=ldap://192.168.227.34
    binddn="cn=admin,dc=ldap,dc=t4x,dc=org"
    bindmethod=simple
    credentials=admin
    searchbase="dc=ldap,dc=t4x,dc=org"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
TLSCACertificatePath /usr/local/openldap/ssl/
TLSCertificateFile "\"OpenLDAP Server\""
TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /usr/local/openldap/ssl/ldapkey.pem
TlsVerifyClient never
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
loglevel    296
rootpw  {SSHA}iMgn+YhiZm1O9QB6BBZuOS+ko/Gb/262
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 100 2

overlay ppolicy
password-hash {SSHA}
ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
ppolicy_hash_cleartext
ppolicy_use_lockout

M2:

# egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf include /usr/local/openldap/etc/openldap/schema/corba.schema include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/duaconf.schema include /usr/local/openldap/etc/openldap/schema/dyngroup.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/java.schema include /usr/local/openldap/etc/openldap/schema/misc.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/openldap.schema include /usr/local/openldap/etc/openldap/schema/ppolicy.schema include /usr/local/openldap/etc/openldap/schema/collective.schema pidfile /opt/openldap-2.4.48/var/run/slapd.pid argsfile /opt/openldap-2.4.48/var/run/slapd.args serverID 2 modulepath /opt/openldap-2.4.48/libexec/openldap moduleload ppolicy.la access to * by self write by anonymous auth by * read database mdb maxsize 1073741824 suffix "dc=ldap,dc=t4x,dc=org" checkpoint 2048 10 rootdn "cn=admin,dc=ldap,dc=t4x,dc=org" directory /opt/openldap-2.4.48/var/openldap-data syncrepl rid=001 provider=ldap://192.168.227.33 binddn="cn=admin,dc=ldap,dc=t4x,dc=org" bindmethod=simple credentials=admin searchbase="dc=ldap,dc=t4x,dc=org" schemachecking=off type=refreshAndPersist retry="60 +" TLSCACertificatePath /usr/local/openldap/ssl/ TLSCertificateFile "\"OpenLDAP Server\"" TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem TLSCertificateKeyFile /usr/local/openldap/ssl/ldapkey.pem TlsVerifyClient never index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub loglevel 296 mirrormode TRUE overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE syncprov-checkpoint 100 2 rootpw {SSHA}KYesbO2q8mGAfXfTSjGgaOEI+j5bdfRa overlay ppolicy password-hash {SSHA} ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org ppolicy_hash_cleartext ppolicy_use_lockout

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

# egrep -v "#|^$" /usr/local/openldap/etc/openldap/slapd.conf
include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/duaconf.schema
include         /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/java.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include         /usr/local/openldap/etc/openldap/schema/collective.schema
pidfile         /opt/openldap-2.4.48/var/run/slapd.pid
argsfile        /opt/openldap-2.4.48/var/run/slapd.args
serverID 2
modulepath    /opt/openldap-2.4.48/libexec/openldap
moduleload    ppolicy.la
access to *
    by self write
    by anonymous auth
    by * read
database        mdb
maxsize         1073741824
suffix          "dc=ldap,dc=t4x,dc=org"
checkpoint      2048 10
rootdn          "cn=admin,dc=ldap,dc=t4x,dc=org"
directory       /opt/openldap-2.4.48/var/openldap-data
syncrepl rid=001
    provider=ldap://192.168.227.33
    binddn="cn=admin,dc=ldap,dc=t4x,dc=org"
    bindmethod=simple
    credentials=admin
    searchbase="dc=ldap,dc=t4x,dc=org"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
TLSCACertificatePath /usr/local/openldap/ssl/
TLSCertificateFile "\"OpenLDAP Server\""
TLSCACertificateFile /usr/local/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /usr/local/openldap/ssl/ldapkey.pem
TlsVerifyClient never
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
loglevel    296
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 100 2
rootpw  {SSHA}KYesbO2q8mGAfXfTSjGgaOEI+j5bdfRa

overlay ppolicy
password-hash {SSHA}
ppolicy_default cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
ppolicy_hash_cleartext
ppolicy_use_lockout

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

admin导入:

$ ldapadd -x -D "cn=admin,dc=ldap,dc=t4x,dc=org" -W -f admin.ldif $ cat /usr/local/openldap/etc/openldap/admin.ldif dn: dc=ldap,dc=t4x,dc=org objectclass: dcObject objectclass: organization o: T4X.Inc dc: ldap dn: cn=admin,dc=ldap,dc=t4x,dc=org objectclass: organizationalRole cn: admin

0
1
2
3
4
5
6
7
8
9
10

$ ldapadd -x -D "cn=admin,dc=ldap,dc=t4x,dc=org" -W -f admin.ldif
$ cat /usr/local/openldap/etc/openldap/admin.ldif
dn: dc=ldap,dc=t4x,dc=org
objectclass: dcObject
objectclass: organization
o: T4X.Inc
dc: ldap

dn: cn=admin,dc=ldap,dc=t4x,dc=org
objectclass: organizationalRole
cn: admin

OU people导入：

$ ldapadd -x -D "cn=Manage,dc=ldap,dc=t4x,dc=org" -W -f people.ldif $ cat /usr/local/openldap/etc/openldap/people.lidf dn: ou=People,dc=ldap,dc=t4x,dc=org objectClass: organizationalUnit ou: People

0
1
2
3
4

$ ldapadd -x -D "cn=Manage,dc=ldap,dc=t4x,dc=org" -W -f people.ldif
$ cat /usr/local/openldap/etc/openldap/people.lidf
dn: ou=People,dc=ldap,dc=t4x,dc=org
objectClass: organizationalUnit
ou: People

普通用户导入:

# cat /usr/local/openldap/etc/openldap/byrd.lidf dn: uid=zane,ou=People,dc=ldap,dc=t4x,dc=org objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person homeDirectory: /home/byrd loginShell: /bin/byrd cn: byrd sn: byrd description: CTO userPassword:: e1NTSEF9RnNaUHFGQVJmUTRlZEtNS2FKQUxGKy9KaUZqT2dvSW0=

0
1
2
3
4
5
6
7
8
9
10
11

# cat /usr/local/openldap/etc/openldap/byrd.lidf
dn: uid=zane,ou=People,dc=ldap,dc=t4x,dc=org
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/byrd
loginShell: /bin/byrd
cn: byrd
sn: byrd
description: CTO
userPassword:: e1NTSEF9RnNaUHFGQVJmUTRlZEtNS2FKQUxGKy9KaUZqT2dvSW0=

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

安装pqchecker:

$ git clone https://bitbucket.org/ameddeb/pqchecker.git
$ cd pqchecker/
$ sh ./adjustdate.bash
$ ./configure LDAPSRC=/byrd/tools/openldap-2.4.48 JAVAHOME=/opt/jdk1.8.0_191 libdir=/usr/local/openldap/libexec/openldap/ PARAMDIR=/etc/openldap/pqchecker
$ make && make install

$ git clone https://bitbucket.org/ameddeb/pqchecker.git

$ cd pqchecker/

$ sh ./adjustdate.bash

$ ./configure LDAPSRC=/byrd/tools/openldap-2.4.48 JAVAHOME=/opt/jdk1.8.0_191 libdir=/usr/local/openldap/libexec/openldap/ PARAMDIR=/etc/openldap/pqchecker

$ make && make install

安全模块导入:文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

OU polices

$ cat /usr/local/openldap/etc/openldap/policies.lidf dn: ou=Policies,dc=ldap,dc=t4x,dc=org objectClass: organizationalUnit ou: Policies

0
1
2
3

$ cat /usr/local/openldap/etc/openldap/policies.lidf
dn: ou=Policies,dc=ldap,dc=t4x,dc=org
objectClass: organizationalUnit
ou: Policies

默认密码规则:

$ cat /usr/local/openldap/etc/openldap/security1.ldif dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org cn: security objectClass: top objectClass: device objectClass: pwdPolicy objectClass: pwdPolicyChecker pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdMaxAge: 7776000 pwdInHistory: 5 pwdCheckQuality: 2 pwdMinLength: 8 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 10 pwdFailureCountInterval: 30 pwdMustChange: TRUE pwdSafeModify: FALSE pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxFailure: 5

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

$ cat /usr/local/openldap/etc/openldap/security1.ldif
dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
cn: security
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 10
pwdFailureCountInterval: 30
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxFailure: 5

复杂性规则:pqchecker.so

$ cat /usr/local/openldap/etc/openldap/mode.lidf dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org changeType: modify add: pwdCheckModule pwdCheckModule: pqchecker.so

0
1
2
3
4

$ cat /usr/local/openldap/etc/openldap/mode.lidf
dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
changeType: modify
add: pwdCheckModule
pwdCheckModule: pqchecker.so

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

常规操作:文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

导出所有配置文件:

$ ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" >/tmp/all.ldif $ cat /tmp/all.ldif dn: dc=ldap,dc=t4x,dc=org objectClass: dcObject objectClass: organization o: T4X.Inc dc: ldap dn: ou=People,dc=ldap,dc=t4x,dc=org objectClass: organizationalUnit ou: People dn: cn=admin,dc=ldap,dc=t4x,dc=org objectClass: organizationalRole cn: admin cn: admin dn: ou=Policies,dc=ldap,dc=t4x,dc=org objectClass: organizationalUnit ou: Policies dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org objectClass: posixAccount objectClass: top objectClass: inetOrgPerson gidNumber: 0 givenName: byrd sn: byrd displayName: byrd uid: byrd homeDirectory: /home/byrd loginShell: /bin/bash cn: byrd uidNumber: 41872 dn: uid=t4x,ou=People,dc=ldap,dc=t4x,dc=org objectClass: posixAccount objectClass: top objectClass: inetOrgPerson gidNumber: 0 givenName: t4x sn: t4x displayName: t4x uid: t4x homeDirectory: /home/t4x loginShell: /bin/bash cn: t4x uidNumber: 15557 dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org cn:: c2VjdXJpdHkg objectClass: top objectClass: device objectClass: pwdPolicy objectClass: pwdPolicyChecker pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdMaxAge: 7776000 pwdInHistory: 5 pwdCheckQuality: 2 pwdMinLength: 8 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 10 pwdFailureCountInterval: 30 pwdMustChange: TRUE pwdSafeModify: FALSE pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxFailure: 5 pwdCheckModule: pqchecker.so

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

$ ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" >/tmp/all.ldif
$ cat /tmp/all.ldif
dn: dc=ldap,dc=t4x,dc=org
objectClass: dcObject
objectClass: organization
o: T4X.Inc
dc: ldap

dn: ou=People,dc=ldap,dc=t4x,dc=org
objectClass: organizationalUnit
ou: People

dn: cn=admin,dc=ldap,dc=t4x,dc=org
objectClass: organizationalRole
cn: admin
cn: admin

dn: ou=Policies,dc=ldap,dc=t4x,dc=org
objectClass: organizationalUnit
ou: Policies

dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: byrd
sn: byrd
displayName: byrd
uid: byrd
homeDirectory: /home/byrd
loginShell: /bin/bash
cn: byrd
uidNumber: 41872

dn: uid=t4x,ou=People,dc=ldap,dc=t4x,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: t4x
sn: t4x
displayName: t4x
uid: t4x
homeDirectory: /home/t4x
loginShell: /bin/bash
cn: t4x
uidNumber: 15557

dn: cn=security,ou=Policies,dc=ldap,dc=t4x,dc=org
cn:: c2VjdXJpdHkg
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 10
pwdFailureCountInterval: 30
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxFailure: 5
pwdCheckModule: pqchecker.so

导出用户信息:

ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" "(uid=*)" > /tmp/user.ldif $ cat /tmp/user.ldif dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org objectClass: posixAccount objectClass: top objectClass: inetOrgPerson gidNumber: 0 givenName: byrd sn: byrd displayName: byrd uid: byrd homeDirectory: /home/byrd loginShell: /bin/bash cn: byrd uidNumber: 41872

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14

ldapsearch -LLL -w admin -x -H ldap://ldap.t4x.org -D "cn=admin,dc=ldap,dc=t4x,dc=org" -b "dc=ldap,dc=t4x,dc=org" "(uid=*)" > /tmp/user.ldif
$ cat /tmp/user.ldif
dn: uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: byrd
sn: byrd
displayName: byrd
uid: byrd
homeDirectory: /home/byrd
loginShell: /bin/bash
cn: byrd
uidNumber: 41872

验证密码策略:

$ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S Old password: 123456 Re-enter old password: 123456 New password: w34Q$fqwe4 Re-enter new password: w34Q$fqwe4 Enter LDAP Password: 123456 Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org. Sep 23 10:24:59 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101 Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Password accepted. Sep 23 10:24:59 ldap-m1 slapd[1089]: conn=1010 op=1 RESULT oid= err=0 text= [root@ldap-m1 openldap]# ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S Old password: w34Q$fqwe4 Re-enter old password: w34Q$fqwe4 New password: qwertyui Re-enter new password: qwertyui Enter LDAP Password: w34Q$fqwe4 Result: Constraint violation (19) Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org. Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101 Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected. $ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S Old password: w34Q$fqwe4 Re-enter old password: w34Q$fqwe4 New password: w34Q$fq Re-enter new password: w34Q$fq Enter LDAP Password: w34Q$fqwe4 Result: Constraint violation (19) Additional info: Password fails quality checking policy Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org. Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101 Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected. Sep 23 10:26:37 ldap-m1 slapd[1089]: check_password_quality: module error: (pqchecker.so) The password does not pass quality check..[1] Sep 23 10:26:37 ldap-m1 slapd[1089]: conn=1011 op=1 RESULT oid= err=19 text= # ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=dz,dc=org" -W -A -S Old password: w34Q$fqwe4 Re-enter old password: w34Q$fqwe4 New password: w34Q$fqwe4 Re-enter new password: w34Q$fqwe4 Enter LDAP Password: w34Q$fqwe4 Result: Constraint violation (19) Additional info: Password is in history of old passwords <pre> $ ldapsearch -x -w admin -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -b "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org"

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

$ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
Old password: 123456
Re-enter old password: 123456
New password: w34Q$fqwe4
Re-enter new password: w34Q$fqwe4
Enter LDAP Password: 123456

Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
Sep 23 10:24:59 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
Sep 23 10:24:59 ldap-m1 pqchecker[1089]: Password accepted.
Sep 23 10:24:59 ldap-m1 slapd[1089]: conn=1010 op=1 RESULT oid= err=0 text=

[root@ldap-m1 openldap]# ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
Old password: w34Q$fqwe4
Re-enter old password: w34Q$fqwe4
New password: qwertyui
Re-enter new password: qwertyui
Enter LDAP Password: w34Q$fqwe4
Result: Constraint violation (19)

Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected.

$ ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -W -A -S
Old password: w34Q$fqwe4
Re-enter old password: w34Q$fqwe4
New password: w34Q$fq
Re-enter new password: w34Q$fq
Enter LDAP Password: w34Q$fqwe4
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Checking password quality for uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org.
Sep 23 10:26:37 ldap-m1 pqchecker[1089]: The quality parameters used: 0|01010101
Sep 23 10:26:37 ldap-m1 pqchecker[1089]: Password rejected.
Sep 23 10:26:37 ldap-m1 slapd[1089]: check_password_quality: module error: (pqchecker.so) The password does not pass quality check..[1]
Sep 23 10:26:37 ldap-m1 slapd[1089]: conn=1011 op=1 RESULT oid= err=19 text=

# ldappasswd -H ldap://ldap.t4x.org -x -D "uid=byrd,ou=People,dc=ldap,dc=dz,dc=org" -W -A -S
Old password: w34Q$fqwe4
Re-enter old password: w34Q$fqwe4
New password: w34Q$fqwe4
Re-enter new password: w34Q$fqwe4
Enter LDAP Password: w34Q$fqwe4
Result: Constraint violation (19)
Additional info: Password is in history of old passwords
<pre>
$ ldapsearch -x -w admin -D "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org" -b "uid=byrd,ou=People,dc=ldap,dc=t4x,dc=org"

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

备注:*.lidf后面均需要空一行、冒号后面空一格、结尾不空格
帮助文档：
1:http://www.meddeb.net/pqchecker
2:http://www.openldap.org/doc/admin24/quickstart.html
3:https://ltb-project.org/documentation/self-service-password文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/ 文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/project/openldap-master-configure/

申明：除非注明Byrd's Blog内容均为原创,未经许可禁止转载!详情请阅读版权申明!

On this day in past years

September

2014Linux Shell常用技巧(九)

Hot search

On this day in past years

Comment