389 Directory Server 1.3.x Password Policy
Last time we installed 389-ds and did some basic configuration, see 389 Directory Server 1.3.x on Red Hat Enterprise Linux 7.6.
Let's implement a password policy now. We have the following requirements:
- Password Minimum Length: 8
- Maximum Password Failures: 100
- Reset Password Failure Count After: 30 days
- Password Must Change: yes (we want our users to change their password when they first bind to the directory server or when the password has been reset by the Manager DN)
- Password Storage Scheme: we want the strongest, which is currently PBKDF2_SHA256 with 30,000 iterations
Let's enforce those rules:
dirsrv@ldap01 $ ldapmodify -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=config
changetype: modify
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 100
-
replace: passwordMinCategories
passwordMinCategories: 1
-
replace: passwordMinLength
passwordMinLength: 8
-
replace: passwordResetFailureCount
passwordResetFailureCount: 2592000
-
replace: passwordMustChange
passwordMustChange: on
-
replace: passwordStorageScheme
passwordStorageScheme: PBKDF2_SHA256
-
replace: passwordTrackUpdateTime
passwordTrackUpdateTime: on
-
replace: passwordUnlock
passwordUnlock: off
-
replace: nsslapd-rootpwstoragescheme
nsslapd-rootpwstoragescheme: PBKDF2_SHA256
^D
modifying entry "cn=config"
This should make us comply (well mostly) with NIST's Special Publication 800-63 Digital Identity Guidelines.
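To check afterwards that the policy really landed in cn=config, here is an added Python audit script (not from this post) that parses the LDIF ldapsearch prints for the cn=config entry and reports every attribute that is missing or differs from the values set above; the sample LDIF in it is constructed. On a live instance, feed it the output of ldapsearch -x -ZZ -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -LLL -b cn=config -s base instead.

```python
import base64

# Policy the ldapmodify above puts into cn=config (real 389-ds attribute names).
EXPECTED_POLICY = {
    "passwordCheckSyntax": "on", "passwordLockout": "on",
    "passwordMaxFailure": "100", "passwordMinCategories": "1",
    "passwordMinLength": "8", "passwordResetFailureCount": "2592000",
    "passwordMustChange": "on", "passwordStorageScheme": "PBKDF2_SHA256",
    "passwordTrackUpdateTime": "on", "passwordUnlock": "off",
    "nsslapd-rootpwstoragescheme": "PBKDF2_SHA256",
}

def parse_ldif_entry(ldif):
    """Parse one LDIF entry (ldapsearch output) into {lowercased attr: value}.
    Handles comments, folded lines (leading space) and base64 ('attr::')."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # 'attr:: <base64 value>'
            value = base64.b64decode(value[1:].strip()).decode()
        attrs[name.strip().lower()] = value.strip()
    return attrs

def audit_policy(ldif, expected=EXPECTED_POLICY):
    """Return {attr: (expected, actual)} for every attribute that is missing
    or differs from the policy; an empty dict means cn=config is compliant."""
    actual = parse_ldif_entry(ldif)
    return {name: (want, actual.get(name.lower()))
            for name, want in expected.items()
            if (actual.get(name.lower()) or "").lower() != want.lower()}

# Constructed sample: lockout never enabled, passwordMustChange still at default.
SAMPLE_LDIF = """dn: cn=config
passwordCheckSyntax: on
passwordLockout: off
passwordMaxFailure: 100
passwordMinCategories: 1
passwordMinLength: 8
passwordResetFailureCount: 2592000
passwordStorageScheme: PBKDF2_SHA256
passwordTrackUpdateTime: on
passwordUnlock: off
nsslapd-rootpwstoragescheme: PBKDF2_SHA256
"""
```

audit_policy(SAMPLE_LDIF) reports passwordLockout (expected on, found off) and passwordMustChange (expected on, not set); an empty result means every attribute above is in place.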
If you have stricter password rules (like passwords can only be changed after xx hours), don't forget to add your directory admins to the passwordAdminDN role so they can bypass those rules:
dirsrv@ldap01 $ ldapmodify -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Directory Administrators,ou=Groups,dc=unix,dc=mycompany,dc=com
^D
Read the next part here: 389 Directory Server 1.3.x Users, Groups and ACIs.
Links
- Administration Guide / Managing the Password Policy
- Administration Guide / Configuring a Password-Based Account Lockout Policy
- Configuration, Command, and File Reference / Core Server Configuration Reference
- Configuration, Command, and File Reference / Plug-in Implemented Server / Password Storage Schemes
- Administration Guide / Managing the Directory Manager Password
- Administration Guide / Setting Password Administrators
- NIST Special Publication 800-63B