[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
deploying password policy module
- To: <openldap-technical@openldap.org>
- Subject: deploying password policy module
- From: "Paul B. Henson" <henson@acm.org>
- Date: Wed, 23 Apr 2014 17:23:28 -0700
- Content-language: en-us
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:from:to:subject:date:message-id:mime-version:content-type :content-transfer-encoding:thread-index:content-language; bh=9iBOVTMwuCiFcA18jgdMW0C4kQp4nas3dtoSEaGHdaM=; b=H14JIdsqH1mQDcwDFCqF8o1iwrNj6Ft3rEhEzEwn77CLnlVUr6VY2hMtSZbxrpH4SN h6h3AOBqyw55XFu+7CEcDPOSfiPX3+Z0niO5heoLNPVehrw4ewDTTQZHKRQei4Ive/Az otBCdJpsjOxxqEciEhdv2eegH023Q6yUmJiGYIk1rLqEVlnlHOt4HDN7fUWGzkINPP07 5kxZe9jN5FGYv8XOSGOuWQf9MdhnrEk0vxqwMU28I7A4ET15LiR55YaD8WKzYIR7K56n sc9UQqPb9P+LRBIqJ8nnWdVIbsCCdpJEQRP1nH7YWGwutazJ6o7+xaa8OAqAhQdHrjED sTEQ==
- Thread-index: Ac9fUDqoIlDZDu5qTsq7RuaQlLiUOg==
We are planning to deploy the password policy module to satisfy our security
groups requirement for account lockouts (a.k.a., intentionally provided DoS
attack vectors <sigh>). I had a couple of questions regarding the deployment
I was hoping someone might be kind enough to answer.
Does the password policy module need to be loaded on all of the servers
simultaneously, even if there are no password policies defined? We typically
stage configuration changes, pulling servers out of the load balancer,
updating them, testing them, and then putting them back, such that at no
time is service unavailable. The password policy module extends the schema
though, and I don't want a server with it loaded potentially trying to
replicate unknown attributes to one without it loaded. It's not clear
whether simply loading the module would potentially cause this, or if
password policy attributes would only be replicated if the module was
actually configured with a default policy or if a user had a specifically
defined policy. So, would it be safe to stage the initial configuration
change loading the module as long as no policies are in place or used (until
all of the servers have been updated), or is it required to shut down all of
the servers simultaneously to make the change?
We are only planning to avail of account lockouts, not any of the other
functionality of the module. As such, unless I misunderstand, the following
policy should enable lockouts but not apply any of the other restrictions:
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 100
pwdFailureCountInterval: 300
This would be the default policy. We also have some number of service
accounts which we would not want subject to lockouts, if I understand
correctly, configuring those accounts with an explicit password policy
pwdPolicySubentry like this:
dn: cn=serviceaccount,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
pwdAttribute: userPassword
Should leave them with no restrictions?
Finally, there is a requirement for the helpdesk to be able to manually
unlock a locked out account. For an account that is currently locked out,
would deleting the pwdAccountLockedTime and pwdFailureTime attributes reset
it to a normal state?
Thanks much.