OpenLDAP: force a password change as soon as the user logs in
1: Edit the configuration file
Uncomment these lines near the top of `/etc/openldap/slapd.conf` (`modulepath` has to come before `moduleload`, because `moduleload` resolves a non-absolute module name such as `ppolicy.la` against the directories that `modulepath` has already set):
```
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload ppolicy.la
```
Also add these two access rules before the `database config` section (the first rule lets users change their own password and lets anonymous clients authenticate against it without reading it; the second gives everyone read access to the rest of the tree):
```
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=Captain,dc=le,dc=com" write
    by * none
access to *
    by self write
    by dn="cn=Captain,dc=le,dc=com" write
    by * read
```
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214405916-1743823160.png)
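To see why the order of the `by` clauses matters, here is a small evaluator for the two access rules above. It is an added example, not code from the blog post or from OpenLDAP; it models only the subset of slapd's ACL semantics these rules use (ordered `access to` clauses, first matching `by` clause decides, implicit `by * none` at the end, and the `none < auth < read < write` ordering of access levels), and the user DNs it checks are constructed sample values.

```python
"""Toy evaluator for the slapd.conf access rules used on this page.

Modelled semantics (a subset of real slapd behaviour):
  * 'access to' clauses are tried in order; the first one whose <what>
    matches the attribute being accessed is used and no later clause is
    consulted;
  * within that clause the 'by' clauses are tried in order and the first
    whose <who> matches the requester decides the granted level;
  * the request succeeds only if the granted level is at least the level
    the operation needs; anything unmatched falls through to 'none'.
Only the <who> forms 'self', 'anonymous', 'dn="..."' and '*' are handled.
"""

# slapd's access levels from weakest to strongest (subset).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN_DN = "cn=Captain,dc=le,dc=com"  # the rootdn used in the blog's ACLs

# The two rules from the page: (set of attributes or None for '*', by-clauses).
ACLS = [
    ({"userpassword"}, [("self", "write"), ("anonymous", "auth"),
                        (ADMIN_DN, "write"), ("*", "none")]),
    (None, [("self", "write"), (ADMIN_DN, "write"), ("*", "read")]),
]


def _who_matches(who, requester_dn, target_dn):
    """Does a 'by <who>' clause apply to this requester / target pair?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    # explicit dn="..." clause: exact (case-insensitive) DN match
    return requester_dn is not None and requester_dn.lower() == who.lower()


def granted_level(acls, requester_dn, target_dn, attr):
    """Access level slapd would grant for one attribute of one entry."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue                      # this 'access to' does not cover attr
        for who, level in by_clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level              # first matching 'by' clause wins
        return "none"                     # matched 'access to', no 'by' matched
    return "none"                         # nothing matched at all


def allowed(acls, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


def demo():
    """Evaluate the cases a practitioner cares about for the page's ACLs.

    'None' as requester_dn means an anonymous (unauthenticated) client.
    The user DNs are constructed sample values."""
    test5 = "uid=test5,ou=people,dc=le,dc=com"
    test6 = "uid=test6,ou=people,dc=le,dc=com"
    return {
        # simple bind needs 'auth' on the target's userPassword
        "anonymous_can_bind_as_test5": allowed(ACLS, None, test5, "userPassword", "auth"),
        "anonymous_can_read_hash": allowed(ACLS, None, test5, "userPassword", "read"),
        "test5_can_change_own_password": allowed(ACLS, test5, test5, "userPassword", "write"),
        "test6_can_read_test5_hash": allowed(ACLS, test6, test5, "userPassword", "read"),
        "test6_can_read_test5_cn": allowed(ACLS, test6, test5, "cn", "read"),
        "test6_can_write_test5_cn": allowed(ACLS, test6, test5, "cn", "write"),
        "admin_can_write_hash": allowed(ACLS, ADMIN_DN, test5, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `by anonymous auth` line is what makes the simple bind work at all: an unauthenticated client needs `auth` access to the target entry's `userPassword` to bind, but because `auth` is below `read` it still cannot retrieve the hash. Swapping `by * none` above `by anonymous auth` would silently break logins, which is the kind of ordering mistake this evaluator makes visible.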
Append the following at the end of the file (an `overlay` directive attaches to the `database` section it appears in, so placing it at the end applies ppolicy to the last database defined):
```
overlay ppolicy
ppolicy_default cn=Captain,ou=pwpolicies,dc=le,dc=com
```
2: Regenerate the configuration database and restart slapd
```
rm -rf /etc/openldap/slapd.d/*
[root@ll ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@ll ~]# chown -R ldap.ldap /etc/openldap/*
[root@ll ~]# chown -R ldap.ldap /var/lib/ldap
[root@ll ~]# /etc/init.d/slapd restart
```
3: You can see that the ppolicy.la module has been loaded:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214406494-382297315.png)
You can also see that this has been added:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214407103-1689408327.png)
4: Create the OU that will hold the password policies. Contents of 1.ldif:
```
dn: ou=pwpolicies,dc=le,dc=com
objectClass: organizationalUnit
ou: pwpolicies
```
Add it with:
```
ldapadd -x -D "cn=Captain,dc=le,dc=com" -W -f 1.ldif
```
The entry has been added:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214407510-425417289.png)
phpLDAPadmin now shows the new entry:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214407791-1773826345.png)
Now add the attribute values for the policy entry cn=Captain,ou=pwpolicies,dc=le,dc=com. pwdPolicy is an auxiliary object class, so the entry also needs a structural class; person is used here, which is why the mandatory sn attribute carries a dummy value.
```
[root@ll ~]# cat 2.ldif
dn: cn=Captain,ou=pwpolicies,dc=le,dc=com
cn: Captain
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
# seconds before expiry at which warnings start (259200 s = 3 days)
pwdExpireWarning: 259200
# 0: failure count is never reset by time, only by a successful bind
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
# lockout duration in seconds (300 s = 5 minutes)
pwdLockoutDuration: 300
# maximum password age in seconds (2592000 s = 30 days)
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
# required for pwdReset to force a change at the next bind
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value
```
Then import it:
```
ldapadd -x -D "cn=Captain,dc=le,dc=com" -W -f 2.ldif
```
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214408135-1990963866.png)
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214408463-242960454.png)
Next, modify the user's attributes to flag the password as reset:
```
[root@ll ~]# cat modify.ldif
dn: uid=test5,ou=people,dc=le,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
```
Import it with:
```
ldapmodify -x -D "cn=Captain,dc=le,dc=com" -W -f modify.ldif
```
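The policy entry in 2.ldif and the pwdReset modification above are both just LDIF, so they can be checked and generated offline before anything touches the directory. The following is an added example (not the blog's code or part of OpenLDAP): it parses the page's 2.ldif, reports the values in human units, audits the combinations that commonly make a ppolicy silently ineffective, and builds a multi-entry modify LDIF that flags several users for a forced change. The user DNs passed to `pwd_reset_ldif` are constructed sample values, and the audit rules are this example's own choices.

```python
"""Offline helpers for the ppolicy LDIF on this page (added example)."""
import base64

# The policy entry from the page's 2.ldif, embedded as sample input.
POLICY_LDIF = """\
dn: cn=Captain,ou=pwpolicies,dc=le,dc=com
cn: Captain
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries: {lower-cased attr: [values]}.

    Handles comments, folded continuation lines and '::' base64 values;
    entries are separated by blank lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):             # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _int(entry, name, default=0):
    vals = entry.get(name.lower())
    return int(vals[0]) if vals else default


def _bool(entry, name):
    vals = entry.get(name.lower())
    return bool(vals) and vals[0].upper() == "TRUE"


def summarize(entry):
    """Express the second-based policy values in units people reason in."""
    return {
        "max_age_days": _int(entry, "pwdMaxAge") / 86400,
        "warning_days": _int(entry, "pwdExpireWarning") / 86400,
        "lockout_minutes": _int(entry, "pwdLockoutDuration") / 60,
        "max_failures": _int(entry, "pwdMaxFailure"),
    }


def audit_policy(entry):
    """Return findings for combinations that make the policy ineffective."""
    findings = []
    if "pwdpolicy" not in [oc.lower() for oc in entry.get("objectclass", [])]:
        findings.append("entry lacks objectClass pwdPolicy")
    max_age, warn = _int(entry, "pwdMaxAge"), _int(entry, "pwdExpireWarning")
    if max_age and warn >= max_age:
        findings.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if _bool(entry, "pwdLockout") and _int(entry, "pwdMaxFailure") == 0:
        findings.append("pwdLockout is TRUE but pwdMaxFailure is 0, so lockout never triggers")
    if _int(entry, "pwdMinLength") < 8:
        findings.append("pwdMinLength is below 8")
    if _int(entry, "pwdInHistory") == 0:
        findings.append("pwdInHistory is 0: password reuse is not prevented")
    if not _bool(entry, "pwdMustChange"):
        findings.append("pwdMustChange is not TRUE: pwdReset will not force a change at next bind")
    return findings


def pwd_reset_ldif(user_dns):
    """Build ldapmodify input that sets pwdReset TRUE on every given user."""
    blocks = [f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n"
              for dn in user_dns]
    return "\n".join(blocks)             # blank line between change records


if __name__ == "__main__":
    policy = parse_ldif(POLICY_LDIF)[0]
    print(summarize(policy), audit_policy(policy) or "no findings")
    print(pwd_reset_ldif(["uid=test5,ou=people,dc=le,dc=com"]))
```

Feed the output of `pwd_reset_ldif` to `ldapmodify -x -D "cn=Captain,dc=le,dc=com" -W` exactly as the page does with modify.ldif; running `audit_policy` first catches the case where `pwdMustChange` was left out, which is the single attribute the whole "change at first login" behaviour depends on.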
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214409244-689447500.png)
View the policy state of user test5 with:
```
ldapwhoami -x -D uid=test5,ou=people,dc=le,dc=com -W -e ppolicy -v
```
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214409619-1652984123.png)
Then test with `ssh test5@10.0.0.61`; it kept erroring and the password could not be changed:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214410056-762517777.png)
This is because the configuration file had changed:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214410353-776835842.png)
Its contents no longer used the ldap module. The correct form:
![](https://images2015.cnblogs.com/blog/746846/201701/746846-20170109214410791-1147743692.png)
If `passwd` cannot change the password, it is because the required attributes have not been added; for Samba, follow the Samba setup and additionally add the sambaLMPassword and sambaNTPassword attributes.
Author: 李先生
Posted on 2017-01-07 14:00 by Captain_Li