OpenLDAP Password Auditing
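- Purpose of password auditing
- Hands-on procedure
1. Purpose of password auditing
Password auditing is enabled mainly to record password changes made by OpenLDAP users, so that those changes can be audited.
2. Hands-on procedure
Enable and configure the password audit module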
[root@mldap01 cn=config]# cat >> /etc/openldap/slapd.conf << EOF
moduleload auditlog.la
overlay auditlog
auditlog /var/log/slapd/audit.log
EOF
Delete the old configuration database and restart
[root@mldap01 cn=config]# rm -rf /etc/openldap/slapd.d/*
[root@mldap01 cn=config]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@mldap01 cn=config]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@mldap01 cn=config]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
Verify the configuration
Change a user's password on the client
[root@test01 ~]# ssh user1@127.0.0.1
user1@127.0.0.1's password:
Permission denied, please try again.
user1@127.0.0.1's password:
Last login: Wed May 30 16:16:44 2018 from localhost
[user1@test01 ~]$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for user1
passwd: all authentication tokens updated successfully.
Check the log on the server
[root@mldap01 slapd]# cat /var/log/slapd/audit.log
# modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
dn: uid=user1,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword:: e2NyeXB0fSQxJGI1aDVaVFVvJFhKQmczaWZFTW4zcWc4a0pvYnZuVDE=
-
replace: pwdChangedTime
pwdChangedTime: 20180530102058Z
Verification succeeded.
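To turn the audit log above into a reviewable list of password changes, the following added example (not part of the original post) parses entries in the header layout shown in the log and reports who changed whose password, when, and from which address. The sample input is constructed: the first entry is modelled on the page's log with the hash replaced by a placeholder, and the `cn=admin,dc=gdy,dc=com` entries are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Header as on this page: "# modify <epoch> <suffix> <actor DN> IP=<addr:port> conn=<id>"
HEADER = re.compile(r"^# (?:add|modify|delete|modrdn) (?P<ts>\d+) \S+"
                    r"(?: (?P<actor>.*?))?(?: IP=(?P<ip>\S+))?(?: conn=(?P<conn>\d+))?$")
# "replace: userPassword" (modify) or a bare "userPassword:" value line (add)
PASSWORD = re.compile(r"^(?:(?:add|replace|delete):\s*)?userPassword(?::|\s*$)", re.I)

# Constructed sample; hash values are placeholders, the admin DN is hypothetical.
SAMPLE = """\
# modify 1527675658 dc=gdy,dc=com uid=user1,ou=people,dc=gdy,dc=com IP=192.168.244.18:38656 conn=1009
dn: uid=user1,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword:: UExBQ0VIT0xERVI=
# modify 1527675700 dc=gdy,dc=com cn=admin,dc=gdy,dc=com IP=192.168.244.18:38700 conn=1010
dn: uid=user2,ou=people,dc=gdy,dc=com
changetype: modify
replace: userPassword
userPassword:: UExBQ0VIT0xERVI=
# modify 1527675800 dc=gdy,dc=com cn=admin,dc=gdy,dc=com IP=192.168.244.18:38701 conn=1011
dn: uid=user2,ou=people,dc=gdy,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/bash
"""

def password_changes(text):
    """Return metadata for entries that touch userPassword; hash values are never copied."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), target=None, touched=False)
            events.append(cur)
        elif cur and line.startswith("dn: "):
            cur["target"] = line[4:].strip()
        elif cur and PASSWORD.match(line):
            cur["touched"] = True
    return [{"time": datetime.fromtimestamp(int(e["ts"]), timezone.utc).isoformat(),
             "actor": e["actor"], "target": e["target"], "ip": e["ip"], "conn": e["conn"],
             "self_change": (e["actor"] or "").lower() == (e["target"] or "").lower()}
            for e in events if e["touched"]]

if __name__ == "__main__":
    print(*password_changes(SAMPLE), sep="\n")
```

The function reports only metadata because, as the log above shows, each entry also carries the new userPassword value; access to the audit file should be limited to the LDAP service account and administrators.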