07 - OpenLDAP Password Auditing

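  1. Purpose of password auditing
  2. Procedure

1. Purpose of password auditing

Enabling password auditing records each password change made by OpenLDAP users, so that those changes can be audited.

2. Procedure

  1. Load and configure the password audit module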

    [root@mldap01 cn=config]# cat >> /etc/openldap/slapd.conf << EOF
    moduleload auditlog.la
    overlay auditlog
    auditlog /var/log/slapd/audit.log
    EOF
    
    # Delete the old configuration database and restart
    [root@mldap01 cn=config]# rm -rf /etc/openldap/slapd.d/*
    [root@mldap01 cn=config]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    config file testing succeeded
    [root@mldap01 cn=config]# chown -R ldap.ldap /etc/openldap/slapd.d/
    [root@mldap01 cn=config]# service slapd restart                                           
    Stopping slapd:                                            [  OK  ]
    Starting slapd:                                            [  OK  ]
    
  2. Verify the configuration

  3. Change a user's password on the client

    [root@test01 ~]# ssh user1@127.0.0.1
    user1@127.0.0.1's password: 
    Permission denied, please try again.
    user1@127.0.0.1's password: 
    Last login: Wed May 30 16:16:44 2018 from localhost
    [user1@test01 ~]$ passwd
    Changing password for user user1.
    Enter login(LDAP) password: 
    New password: 
    Retype new password: 
    LDAP password information changed for user1
    passwd: all authentication tokens updated successfully.
    
  4. View the log on the server

    [root@mldap01 slapd]# cat /var/log/slapd/audit.log 
    # modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
    dn: uid=user1,ou=people,dc=gdy,dc=com
    changetype: modify
    replace: userPassword
    userPassword:: e2NyeXB0fSQxJGI1aDVaVFVvJFhKQmczaWZFTW4zcWc4a0pvYnZuVDE=
    -
    replace: pwdChangedTime
    pwdChangedTime: 20180530102058Z
    

    Verification succeeded.
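As an added example (not part of the original article), the Python code below parses audit.log entries in the layout shown above and reports who changed whose password, from which address, and with which storage scheme, flagging weak schemes such as the `{crypt}$1$` (MD5-crypt) value that the base64 string in the entry above decodes to. The log stores the userPassword value itself, so the records keep only the scheme; the names `password_changes`, `scheme_of` and `WEAK`, and the sample DNs, addresses and hash strings, are constructed for this example.

```python
import base64
import re
from datetime import datetime, timezone

# Entry header in the layout of the audit.log output above (assumes DNs contain no spaces).
HEADER = re.compile(r"^# (add|modify) (\d+) (\S+)(?: (?!IP=|conn=)(\S+))?(?: IP=(\S+))?(?: conn=\d+)?$")
WEAK = {"cleartext", "MD5", "SHA", "CRYPT-1", "CRYPT-des"}  # unsalted, or MD5/DES based crypt

def scheme_of(value):
    """Label the storage scheme of a userPassword value, e.g. SSHA or CRYPT-1."""
    m = re.match(r"\{(\w+)\}(.*)", value, re.S)
    if not m:
        return "cleartext"
    if m.group(1).upper() != "CRYPT":
        return m.group(1).upper()
    ident = re.match(r"\$(\w+)\$", m.group(2))  # "$1$" marks MD5-crypt; no "$id$" is DES crypt
    return "CRYPT-" + (ident.group(1) if ident else "des")

def password_changes(log_text):
    """Return one record per entry that writes userPassword; the hash itself is not kept."""
    events, cur = [], None
    for line in log_text.replace("\n ", "").splitlines():  # unfold LDIF continuation lines
        head = HEADER.match(line)
        if head:
            when = datetime.fromtimestamp(int(head.group(2)), timezone.utc).isoformat()
            cur = {"time": when, "actor": head.group(4), "peer": head.group(5), "target": None}
        elif cur and line.startswith("dn: "):
            cur["target"] = line[4:]
        elif cur and line.lower().startswith("userpassword:"):
            raw = line.split(":", 1)[1]  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace") if raw[:1] == ":" else raw.strip()
            cur["scheme"] = scheme_of(value)
            cur["weak"] = cur["scheme"] in WEAK
            cur["self_service"] = (cur["actor"] or "").lower() == (cur["target"] or "").lower()
            events.append(cur)
            cur = None
    return events

# Constructed sample in the page's layout: DNs, addresses and hash strings are made up.
def _entry(ts, who, peer, dn, pw):
    b64 = base64.b64encode(pw.encode()).decode()
    return (f"# modify {ts} dc=example,dc=com {who} IP={peer} conn=1009\n"
            f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword:: {b64}\n-\n\n")

PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE = (_entry(1527675658, "uid=alice," + PEOPLE, "192.0.2.10:38656", "uid=alice," + PEOPLE, "{crypt}$1$saltsalt$notARealHash")
          + _entry(1527675700, "cn=admin,dc=example,dc=com", "192.0.2.20:40112", "uid=bob," + PEOPLE, "{SSHA}notARealSaltedHash"))
for event in password_changes(SAMPLE):
    print(event)
```

To run it against a real server, pass the contents of `/var/log/slapd/audit.log` to `password_changes` instead of `SAMPLE`.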

Original article: https://www.cnblogs.com/cishi/p/9160523.html