Changing the default LDAP password hashing scheme
OpenLDAP stores whatever value a client writes into userPassword, so users created with ldapadd/ldapmodify from an LDIF that carries a cleartext password end up stored in cleartext. To keep passwords from being exposed if the database (or a backup of it) leaks, configure a hashing scheme for password changes and make sure passwords are set through a path that applies it.
Of the schemes built into slapd, SSHA (salted SHA-1) is the usual choice: the per-entry salt defeats precomputed tables. It is not iterated, so on newer releases the iterated schemes ({CRYPT} with a sha512crypt salt format, or the PBKDF2/Argon2 password modules) resist offline brute force better.
Add the directive password-hash {SSHA} to /etc/openldap/slapd.conf.
This makes slapd hash the userPassword attribute with SSHA whenever a password is changed through the Password Modify extended operation (RFC 3062), which is what ldappasswd uses. It does not touch values written directly with ldapadd/ldapmodify; to hash those too, load the ppolicy overlay and set ppolicy_hash_cleartext.
For example, after running the following command the newly set password is stored as SSHA:
[root@localhost ldap]# ldappasswd -H ldap://127.0.0.1:389 -x -D "cn=Manager,dc=website80,dc=com" -W -S "uid=user1,ou=People,dc=website80,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
[root@localhost ldap]# ldapsearch -x -b "uid=user1,ou=People,dc=website80,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=user1,ou=People,dc=website80,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# user1, People, website80.com
dn: uid=user1,ou=People,dc=website80,dc=com
uid: oladmin
uid: user1
cn: oladmin
sn: oladmin
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
uidNumber: 501
gidNumber: 501
homeDirectory: /home/oladmin
userPassword:: e1NTSEF9TnRIZlc4SUFhV052b2Jrd3J2SW0vL0Q1R25rN1lCODU=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Confirm the change: userPassword is printed with "::" because LDIF base64-encodes the value. Decoding it gives {SSHA}NtHfW8IAaWNvobkwrvIm//D5Gnk7YB85, which is a 20-byte SHA-1 digest followed by a 4-byte salt, base64-encoded together, so the password is now stored salted and hashed rather than in cleartext.
Changing the administrator's password
The administrator (rootdn) password is stored in the configuration file /etc/openldap/slapd.conf as the rootpw directive.
Generate a hash for the new password with slappasswd -h {SSHA} -s "newpass". Passing the password with -s leaves it in the shell history and in the process list while the command runs; in practice run slappasswd -h {SSHA} without -s and type the password at the prompt. Since slapd.conf then holds the rootpw hash, keep the file owned by root and the account slapd runs as, mode 0640, and restart slapd after editing it.
Set the result in the configuration:
rootpw {SSHA}ZetDtaJNLTSYNftseu5+Af02I7TNvBAQ
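The two {SSHA} values above (the stored userPassword and the generated rootpw) have the same layout. The following Python is an added example, not code from the page or from OpenLDAP, that produces and verifies values in that layout (base64 of sha1(password || salt) followed by the salt, 4 random salt bytes as slappasswd uses) and decodes the userPassword:: line captured above to show the digest and salt lengths. The sample LDIF line is copied from the ldapsearch output; the password "newpass" is the one the text uses with slappasswd and is assumed here only for the round-trip check.

```python
import base64
import hashlib
import hmac
import os

# userPassword:: line copied from the ldapsearch output above (constructed input).
PAGE_LINE = "userPassword:: e1NTSEF9TnRIZlc4SUFhV052b2Jrd3J2SW0vL0Q1R25rN1lCODU="


def ssha_hash(password, salt=None):
    """Build an RFC 2307 style {SSHA} value, as slappasswd -h {SSHA} does:
    '{SSHA}' + base64( sha1(password || salt) || salt ). slapd uses a
    4-byte random salt; any salt length is accepted when verifying."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value):
    """Split a {SSHA} value into (digest, salt); reject anything malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short: no salt after the SHA-1 digest")
    return raw[:20], raw[20:]


def ssha_verify(password, value):
    """Recompute the digest with the stored salt; constant-time compare."""
    digest, salt = ssha_split(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def decode_ldif_attr(line):
    """LDIF writes binary or non-printable values as 'attr:: <base64>'.
    Return the decoded value of such a line."""
    _name, sep, rest = line.partition("::")
    if not sep:
        raise ValueError("not a base64-encoded LDIF attribute line")
    return base64.b64decode(rest.strip()).decode("utf-8")


if __name__ == "__main__":
    stored = decode_ldif_attr(PAGE_LINE)
    digest, salt = ssha_split(stored)
    print(stored, "digest bytes:", len(digest), "salt bytes:", len(salt))
    h = ssha_hash("newpass")  # fresh salt each run, so the output differs from rootpw above
    print(h, ssha_verify("newpass", h), ssha_verify("wrong", h))
```

ssha_verify is what a client that needs to check a password offline would do; slapd itself performs the same comparison during a simple bind, which is why a hash can only be read back if the ACLs below allow it.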
Adding access controls (deny anonymous reads of userPassword)
1) Add the following directives to /etc/openldap/slapd.conf. slapd walks the access directives in order and uses the first one whose target matches, so attribute-specific rules must come before the catch-all access to *; within a directive the first matching by clause decides, and a request that matches no by clause gets none. The rootdn is exempt from ACLs entirely, so the by dn.base="cn=Manager,..." write lines only matter if cn=Manager is an ordinary entry rather than the rootdn.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=website80,dc=com" write
    by * none
access to dn.base="ou=People,dc=website80,dc=com"
    by self write
    by dn.base="cn=Manager,dc=website80,dc=com" write
    by * read
access to *
    by self write
    by dn.base="cn=Manager,dc=website80,dc=com" write
    by * none
2) Trimmed-down version (uid=username, username1 and username2 are placeholders for the accounts that should have access)
access to attrs=userPassword,mobile
    by self write
    by anonymous auth
    by dn.base="uid=username,ou=People,dc=website80,dc=com" write
    by * none
access to *
    by anonymous auth
    by self write
    by dn.regex="cn=[^,]+,ou=People,dc=website80,dc=com" read
    by dn.base="uid=username1,ou=People,dc=website80,dc=com" read
    by dn.base="uid=username2,ou=People,dc=website80,dc=com" read
    by * none
3) Final rules. 1. A user can read and modify their own entry. Note that dn.base="ou=People,dc=website80,dc=com" matches only the ou=People entry itself, not the user entries beneath it; requests for user entries fall through to the access to * directive. Use dn.subtree (or dn.one) if the intent is to cover the users as well.
# Restrict the admin account so that it can only authenticate from localhost and from 10.8.0.0/16.
# This binds the administrator account to the server's own addresses. peername.ip takes an
# address with an optional netmask after %; this replaces the earlier peername.regex=10.8..*,
# which was an unanchored regex that also matched addresses such as 110.8.x.x.
access to dn.base="uid=admin,ou=People,dc=website80,dc=com"
    by peername.ip=127.0.0.1 auth
    by peername.ip=10.8.0.0%255.255.0.0 auth
    by * none
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="uid=admin1,ou=People,dc=website80,dc=com" read
    by * none
access to attrs=mobile
    by self write
    by anonymous auth
    by dn.base="uid=admin2,ou=People,dc=website80,dc=com" read
    by dn.base="uid=admin1,ou=People,dc=website80,dc=com" read
    by * none
access to dn.base="ou=People,dc=website80,dc=com"
    by self write
    by dn.base="uid=admin3,ou=People,dc=website80,dc=com" read
    by dn.base="uid=admin2,ou=People,dc=website80,dc=com" read
    by dn.regex="cn=[^,]+,ou=People,dc=website80,dc=com" read
    by dn.base="uid=admin1,ou=People,dc=website80,dc=com" read
    by * read
access to *
    by self write
    by dn.base="uid=admin3,ou=People,dc=website80,dc=com" read
    by dn.base="uid=admin2,ou=People,dc=website80,dc=com" read
    by dn.regex="cn=[^,]+,ou=People,dc=website80,dc=com" read
    by dn.base="uid=admin1,ou=People,dc=website80,dc=com" read
    by * none
Apart from the administrators named above, only a user who has authenticated as themselves can read their own userPassword value; an anonymous bind gets auth access only, which is enough to authenticate against the hash but not to read it back. Check the effect of the rules with slapacl before restarting slapd, for example slapacl -f /etc/openldap/slapd.conf -D "uid=admin2,ou=People,dc=website80,dc=com" -b "uid=user1,ou=People,dc=website80,dc=com" userPassword/read, which reports whether that bind DN is allowed read access to user1's userPassword.
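To see how slapd's first-match evaluation plays out for the final rule set, here is an added Python simulator (not part of the page or of OpenLDAP) that implements the directive and by-clause semantics from slapd.access(5) used above: dn.base, dn.subtree, dn.regex, attrs=, self, anonymous, dn.base=, dn.regex=, peername.ip= and *. The final rules are transcribed into Python data, and the bind DNs, peer addresses and attribute names in the main block are constructed test inputs. The 10.8.0.0/16 network is written in CIDR form here; slapd.conf writes it as peername.ip=10.8.0.0%255.255.0.0.

```python
import ipaddress
import re

# slapd access levels from weakest to strongest; each grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
BASE = "dc=website80,dc=com"
PEOPLE = "ou=People," + BASE


def user(uid):
    return "uid=%s,%s" % (uid, PEOPLE)


def norm(dn):
    """Minimal DN normalisation: lowercase, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def dn_matches(scope, pattern, target):
    """Target selectors of an 'access to dn.<scope>=...' directive."""
    p, t = norm(pattern), norm(target)
    if scope == "base":          # exactly this entry, nothing beneath it
        return t == p
    if scope == "subtree":       # the entry and every descendant
        return t == p or t.endswith("," + p)
    if scope == "regex":
        return re.search(pattern, t, re.I) is not None
    raise ValueError("unsupported scope %r" % scope)


def who_matches(who, bind_dn, peer_ip, target_dn):
    """'by <who>' clause; bind_dn == "" means an anonymous connection."""
    kind, arg = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return bind_dn != "" and norm(bind_dn) == norm(target_dn)
    if kind == "dn.base":
        return norm(bind_dn) == norm(arg)
    if kind == "dn.regex":
        return re.search(arg, norm(bind_dn), re.I) is not None
    if kind == "peername.ip":
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(arg, strict=False)
    raise ValueError("unsupported who %r" % kind)


def access(rules, bind_dn, peer_ip, target_dn, attr):
    """Level granted by the first 'access to' directive whose target matches.
    As in slapd, only that directive is consulted; the first matching 'by'
    clause decides, and if no clause (or no directive) matches the result is none."""
    for target, by_clauses in rules:
        dn_spec = target.get("dn")
        if dn_spec and not dn_matches(dn_spec[0], dn_spec[1], target_dn):
            continue
        attrs = target.get("attrs")
        if attrs and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, peer_ip, target_dn):
                return level
        return "none"
    return "none"


def allows(rules, bind_dn, peer_ip, target_dn, attr, needed):
    return LEVELS.index(access(rules, bind_dn, peer_ip, target_dn, attr)) >= LEVELS.index(needed)


CN_REGEX = r"cn=[^,]+,ou=People,dc=website80,dc=com"   # as written in the rules above
ADMINS_READ = [(("dn.base", user("admin3")), "read"), (("dn.base", user("admin2")), "read"),
               (("dn.regex", CN_REGEX), "read"), (("dn.base", user("admin1")), "read")]

# Transcription of the final rule set (section 3) above.
FINAL_RULES = [
    ({"dn": ("base", user("admin"))},
     [(("peername.ip", "127.0.0.1"), "auth"), (("peername.ip", "10.8.0.0/16"), "auth"), (("*", None), "none")]),
    ({"attrs": {"userpassword"}},
     [(("self", None), "write"), (("anonymous", None), "auth"),
      (("dn.base", user("admin1")), "read"), (("*", None), "none")]),
    ({"attrs": {"mobile"}},
     [(("self", None), "write"), (("anonymous", None), "auth"), (("dn.base", user("admin2")), "read"),
      (("dn.base", user("admin1")), "read"), (("*", None), "none")]),
    ({"dn": ("base", PEOPLE)}, [(("self", None), "write")] + ADMINS_READ + [(("*", None), "read")]),
    ({}, [(("self", None), "write")] + ADMINS_READ + [(("*", None), "none")]),
]

if __name__ == "__main__":
    u1 = user("user1")
    for bind, ip, target, attr in [(u1, "10.8.1.5", u1, "userPassword"), ("", "10.8.1.5", u1, "userPassword"),
                                   (user("admin2"), "10.8.1.5", u1, "userPassword"),
                                   (user("user2"), "10.8.1.5", u1, "cn"),
                                   (user("admin"), "192.168.1.1", user("admin"), "userPassword")]:
        print(bind or "anonymous", ip, target, attr, "->", access(FINAL_RULES, bind, ip, target, attr))
```

The user2-reads-user1 case comes out as none because dn.base on ou=People never matches a user entry and the cn= regex does not match a uid= bind DN; dn_matches("subtree", ...) shows the selector that would cover the users if that were the intent.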