OpenLDAP Password Auditing
- Purpose of password auditing
- Hands-on procedure
1. Purpose of password auditing
Enabling password auditing (the auditlog overlay) records password changes made by OpenLDAP users, so that those changes can be audited afterwards.
2. Hands-on procedure
- Enable and configure the password audit module
[root@mldap01 cn=config]# cat >> /etc/openldap/slapd.conf << EOF
moduleload auditlog.la
overlay auditlog
auditlog /var/log/slapd/audit.log
EOF
  - Delete the old configuration database, regenerate it from slapd.conf, and restart
[root@mldap01 cn=config]# rm -rf /etc/openldap/slapd.d/*
[root@mldap01 cn=config]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@mldap01 cn=config]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@mldap01 cn=config]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
- Verify the configuration
  - Change the user's password on the client
[root@test01 ~]# ssh user1@127.0.0.1
user1@127.0.0.1's password:
Permission denied, please try again.
user1@127.0.0.1's password:
Last login: Wed May 30 16:16:44 2018 from localhost
[user1@test01 ~]$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for user1
passwd: all authentication tokens updated successfully.
  - View the log on the server
[root@mldap01 slapd]# cat /var/log/slapd/audit.log
# modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
dn: uid=user1,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword:: e2NyeXB0fSQxJGI1aDVaVFVvJFhKQmczaWZFTW4zcWc4a0pvYnZuVDE=
-
replace: pwdChangedTime
pwdChangedTime: 20180530102058Z
Verification succeeded.
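The audit record above carries everything an auditor needs: the modifier DN (who made the change), the target DN, the client address, a Unix timestamp and the new userPassword value, base64-encoded because it holds a non-printable-safe hash. The following is an added example, not code from the original article, that parses a log in this format, lists which passwords were changed by whom and from where, flags administrative resets (modifier DN different from the target DN) as opposed to the self-service change shown on this page, and deliberately reports only the hash scheme rather than the hash: because audit.log stores every new password hash, it deserves the same file permissions as the directory database itself. The header layout is taken from the page's sample; the cn=Manager rootdn, the user2 entry, the {SSHA} value, the "# end" trailer and the PATH= peer form for ldapi:// connections are constructed assumptions.

```python
"""Parse OpenLDAP auditlog overlay output and report password changes.

Added example, not part of the original article.  Assumes the record layout
seen on the page: a "# <op> <unix-ts> <suffix> <modifier-dn> IP=<addr>:<port>
conn=<id>" header followed by the LDIF of the change.  Any "# end <op> <ts>"
trailer and the PATH= peer form for ldapi:// connections are assumptions.
"""
import base64
import re
from datetime import datetime, timezone

HEADER_RE = re.compile(
    r"^# (?P<op>add|modify|delete|modrdn) (?P<ts>\d+) (?P<suffix>\S+) "
    r"(?P<modifier>.+?) (?P<peer>(?:IP|PATH)=\S+) conn=(?P<conn>\d+)$"
)

# Constructed sample: the record from the page, an administrative reset by the
# rootdn, and an unrelated attribute change that the report must ignore.
SAMPLE_LOG = """\
# modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
dn: uid=user1,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword:: e2NyeXB0fSQxJGI1aDVaVFVvJFhKQmczaWZFTW4zcWc4a0pvYnZuVDE=
-
replace: pwdChangedTime
pwdChangedTime: 20180530102058Z
# modify 1527676000 dc=gdy,dc=com cn=Manager,dc=gdy,dc=com IP=192.168.244.10:45000 conn=1012
dn: uid=user2,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-not-a-real-hash
# modify 1527676100 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38700 conn=1013
dn: uid=user1,ou=people,dc=gdy,dc=com
changetype: modify
replace: mail
mail: user1@example.com
"""


def _ldif_pair(line):
    """Split 'attr: value' or 'attr:: <base64>' into (attr, decoded value)."""
    attr, _, value = line.partition(":")
    value = value.strip()
    if value.startswith(":"):  # '::' marks a base64-encoded value
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return attr.strip(), value


def parse_audit_log(text):
    """Yield one dict per audit record; modify operations get their mods parsed."""
    record = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new record starts: flush the previous one
            if record:
                yield record
            record = {"op": m["op"], "suffix": m["suffix"], "modifier": m["modifier"],
                      "peer": m["peer"], "conn": int(m["conn"]), "dn": None,
                      "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
                      "mods": []}  # mods: (modop, attribute, [values]) in LDIF order
            continue
        if record is None or not line.strip() or line == "-" or line[0] == "#":
            continue  # outside a record, blank, mod separator or "# end" trailer
        attr, value = _ldif_pair(line)
        key = attr.lower()
        if key == "dn":
            record["dn"] = value
        elif key in ("add", "replace", "delete"):
            record["mods"].append((key, value, []))
        elif record["mods"]:
            record["mods"][-1][2].append(value)
    if record:
        yield record


def password_changes(records):
    """Summarise records that set userPassword, keeping only the hash scheme."""
    changes = []
    for r in records:
        if r["op"] != "modify" or r["dn"] is None:
            continue
        for modop, attr, values in r["mods"]:
            if attr.lower() != "userpassword":
                continue
            # Report the scheme ({crypt}, {SSHA}, ...) but never the hash itself:
            # the audit log is as sensitive as the directory database it mirrors.
            scheme = None
            if values and values[0].startswith("{") and "}" in values[0]:
                scheme = values[0][: values[0].index("}") + 1]
            changes.append({
                "time": r["time"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "target": r["dn"], "modifier": r["modifier"], "peer": r["peer"],
                # Same DN on both sides means the user changed their own password.
                "self_service": r["dn"].lower() == r["modifier"].lower(),
                "modop": modop, "scheme": scheme,
            })
    return changes
```

On a server, feed the real file with `password_changes(parse_audit_log(open("/var/log/slapd/audit.log").read()))`. For the page's record the result is a self-service change of uid=user1 at 2018-05-30T10:20:58Z from 192.168.244.18 with scheme {crypt}, which matches the pwdChangedTime value written in the same record; a change whose modifier is a different DN (here the constructed cn=Manager reset) shows up with self_service set to False, which is the first thing to review when auditing password resets.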