07-OpenLDAP Password Auditing
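- Purpose of password auditing
- Hands-on practice
1. Purpose of password auditing
The password audit feature is enabled mainly to record password changes made by OpenLDAP users and to audit passwords.
2. Hands-on practice
- Enable and configure the password audit module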

    [root@mldap01 cn=config]# cat >> /etc/openldap/slapd.conf << EOF
    moduleload auditlog.la
    overlay auditlog
    auditlog /var/log/slapd/audit.log
    EOF

Delete the old configuration database and restart:

    [root@mldap01 cn=config]# rm -rf /etc/openldap/slapd.d/*
    [root@mldap01 cn=config]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    config file testing succeeded
    [root@mldap01 cn=config]# chown -R ldap.ldap /etc/openldap/slapd.d/
    [root@mldap01 cn=config]# service slapd restart
    Stopping slapd: [ OK ]
    Starting slapd: [ OK ]

- Verify the configuration
- Change a user's password on the client

    [root@test01 ~]# ssh user1@127.0.0.1
    user1@127.0.0.1's password:
    Permission denied, please try again.
    user1@127.0.0.1's password:
    Last login: Wed May 30 16:16:44 2018 from localhost
    [user1@test01 ~]$ passwd
    Changing password for user user1.
    Enter login(LDAP) password:
    New password:
    Retype new password:
    LDAP password information changed for user1
    passwd: all authentication tokens updated successfully.

- View the log on the server

    [root@mldap01 slapd]# cat /var/log/slapd/audit.log
    # modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
    dn: uid=user1,ou=people,dc=gdy,dc=com
    changetype: modify
    replace: userPassword
    userPassword:: e2NyeXB0fSQxJGI1aDVaVFVvJFhKQmczaWZFTW4zcWc4a0pvYnZuVDE=
    -
    replace: pwdChangedTime
    pwdChangedTime: 20180530102058Z

Verification succeeded.
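
As an added example (not part of the original page), the Python code below parses audit records in the layout of the log shown above and reports who changed whose password, from which client address, and with which storage scheme, without keeping the hash itself. The header layout `# <op> <epoch> <suffix> <bind DN> IP=<addr>:<port> conn=<id>` is inferred from that sample line; `password_changes`, the `WEAK` set and the sample records are assumptions constructed for illustration.

```python
import base64
import re
from datetime import datetime, timezone

# Record header; layout inferred from the sample log above (an assumption).
HEADER = re.compile(r"^# (\w+) (\d+) (\S+) (.*?) IP=(\S+):\d+ conn=(\d+)$")
# Schemes flagged as weak here: cleartext, unsalted digests, DES/MD5 crypt.
WEAK = {"cleartext", "md5", "sha", "crypt", "crypt$1$"}

def password_changes(log_text):
    """One event per audit record that writes userPassword; the hash is not kept."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.fromtimestamp(int(m[2]), timezone.utc), "target": "",
                   "actor": m[4], "client_ip": m[5], "conn": int(m[6])}
        elif cur and line.startswith("dn: "):
            cur["target"] = line[4:]
        elif cur and line.startswith("userPassword:"):
            raw = line[len("userPassword:"):]
            # LDIF: "::" introduces a base64 value, a single ":" a plain one.
            value = base64.b64decode(raw[1:]) if raw[:1] == ":" else raw.strip().encode()
            s = re.match(rb"\{(\w+)\}(\$\w+\$)?", value)
            cur["scheme"] = (s[1] + (s[2] or b"")).decode() if s else "cleartext"
            cur["weak"] = cur["scheme"].lower() in WEAK
            # DN case may differ between header and "dn:" line: compare folded.
            cur["self_change"] = cur["actor"].lower() == cur["target"].lower()
            events.append(cur)
            cur = None  # one event per record even if userPassword repeats
    return events

# Constructed sample in the layout of the log above; every value is made up.
_B64 = base64.b64encode(b"{crypt}$1$CONSTRUCTED$notarealhash").decode()
SAMPLE = f"""\
# modify 1527675658 dc=example,dc=com uid=user1,ou=people,dc=example,dc=com IP=192.0.2.18:38656 conn=1009
dn: uid=User1,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: {_B64}
-
# modify 1527675700 dc=example,dc=com cn=admin,dc=example,dc=com IP=192.0.2.5:40000 conn=1010
dn: uid=user2,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {{SSHA}}constructed
"""

print(*password_changes(SAMPLE), sep="\n")
```

Because every record carries the stored `userPassword` value, keep `/var/log/slapd/audit.log` readable only by the slapd account and whatever log pipeline consumes it.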