How to test ldap ppolicy enforcement
Question
I am using openldap 2.4. I have configured it with the following configuration.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/HFSchema.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload ppolicy.la
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}xzW0DfNFHahvm/C68ZR4YvbZGFQJjfz5
overlay ppolicy
ppolicy_default "cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
Also I added a default password policy.
# DefaultPwdPolicy, Policies, example.com
dn: cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com
cn: DefaultPwdPolicy
pwdAttribute: 2.5.4.35
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 432000
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
But still admin is able to create users without these constraints. How will I confirm if my ppolicy overlay is working? How can I test if these constraints are actually being applied?
Recommended answer
The only user that is free from the password policy constraints is the internal rootdn user. You shouldn't use that yourself for anything. It is the user that slapd itself uses to update the DIT. You should define another admin user, in the DIT, with the necessary permissions. Using the rootdn user for admin tasks will bypass every constraint known to man.
To use the ppolicy fully, you have to use the password policy request control and check for the corresponding response control in your code so you can discover impending expiry, grace periods, etc.