How to test ldap ppolicy enforcement


Problem description

I am using openldap 2.4. I have configured it with the following configuration.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/HFSchema.schema
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/slapd/slapd.pid

modulepath      /usr/lib/ldap
moduleload      back_hdb.la
moduleload      ppolicy.la

database    hdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
rootpw      {SSHA}xzW0DfNFHahvm/C68ZR4YvbZGFQJjfz5

overlay ppolicy
ppolicy_default "cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

I also added a default password policy:

# DefaultPwdPolicy, Policies, example.com
dn: cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com
cn: DefaultPwdPolicy
pwdAttribute: 2.5.4.35
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 432000
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE

But the admin is still able to create users without these constraints. How can I confirm that my ppolicy overlay is working? How can I test whether these constraints are actually being applied?

Recommended answer

  1. The only user that is free from the password policy constraints is the internal rootdn user. You shouldn't use that yourself for anything. It is the user that slapd itself uses to update the DIT. You should define another admin user, in the DIT, with the necessary permissions. Using the rootdn user for admin tasks will bypass every constraint known to man.

To use the ppolicy fully, you have to use the password policy request control and check for the corresponding response control in your code so you can discover impending expiry, grace periods, etc.
