Onboard OpenLDAP
GreenRADIUS comes equipped with an onboard OpenLDAP server, in case an external LDAP is not desired. A third-party LDAP admin tool can be used to manage the onboard OpenLDAP, such as LDAP Admin.
The onboard OpenLDAP, by default, is configured with a sample domain (greenradius.demo) with five test users (user1 through user5). Each of the users has a default password of GreenRocket!23.
To overwrite the default OpenLDAP domain with a new OpenLDAP domain, follow these steps:
Pre-requisites
A resolvable hostname/FQDN and a corresponding certificate must be configured in GreenRADIUS.
- Global Configuration tab > General
- Set the value of the Server Hostname/FQDN field
- Click the Save button to save the configuration
- Global Configuration tab > Certificate
- Under the Generate a CSR/Upload the Certificate section, click Upload a certificate and provide the server certificate, private key, and CA chain. Then click the Install Certificate button.
- To install a self-signed certificate, in the Create Certificate section, enter a common name matching the hostname/FQDN configured earlier. Click the Create and Install button.
Changing the Onboard OpenLDAP Domain
- Global Configuration tab > On-board LDAP Server
- Provide the following inputs:
- DNS Domain Name
- Organization Name
- Current Admin Password (default password is GreenRocket!23)
- Enable Secure Connection for Replication
- Server ID
- Click the Update button to save the new configuration
Changing the OpenLDAP Admin Password
To change the onboard OpenLDAP password of the admin user, follow these steps:
- Global Configuration tab > On-board LDAP Server
- Provide the following inputs:
- Current Admin Password (default password is GreenRocket!23)
- New Admin Password
- Confirm Admin Password
- Click the Update button to change the admin password
Users Changing Their Own Onboard OpenLDAP Password
Users can change their own onboard OpenLDAP password.
Pre-requisites
- A RedHat, CentOS, or Ubuntu machine that has OpenLDAP utilities installed:
- In RedHat/CentOS, openldap-clients should be installed
- In Ubuntu, ldap-utils should be installed
- The above Linux machine must be able to reach GreenRADIUS
Steps
- On the command line of the Linux machine, run the following command:
ldappasswd -h <ip address of GreenRADIUS> -p 389 -x -D "uid=<username>,ou=<user's OU>,dc=<domain component 1>,dc=<domain component 2>,dc=<domain component etc>" -W -A -S
- The user enters his current password twice
- Then the user enters his new password twice
- Then the user enters his current/old password once again
- A successful password change is silent. If there is an error, an error message will appear.
Setting Up OpenLDAP Password Policies
The onboard OpenLDAP comes with an optional module which can enforce certain password policies, such as password expiration and minimum password lengths.
All commands must be performed in the terminal of GreenRADIUS, either directly or via SSH.
For simplicity, the domain shown in the steps below is always greenradius.demo, represented as dc=greenradius,dc=demo. If your own domain differs, you will need to make the appropriate substitutions.
Several of the commands below will prompt for multiple lines of text. Simply enter the text into your terminal. When everything has been input, press Ctrl-D on a blank line to finish the entry and execute the command.
First, you must load the appropriate module:
sudo docker exec -it GRS-OPENLDAP ldapmodify -Q -Y EXTERNAL -H ldapi:///
This will prompt for LDAP data to insert. Use the following:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
As mentioned above, press Ctrl-D on a blank line when done. The command should report success with a message:
modifying entry "cn=module{0},cn=config"
Next, load the ppolicy schema. To do this, you will need to download the schema from here and upload it to GreenRADIUS. Copy it into the /var/lib/docker/volumes/grs-docker-compose_gras-config/_data directory. (This will require root permissions.)
To load the schema into LDAP, execute this command:
sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/grs/greenradius/ppolicy.ldif
This will load the stored ppolicy schema. You should receive a message upon success.
Now the ppolicy module must be enabled:
sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:///
Input the following data to the command, pressing Ctrl-D when done as said above:
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=greenradius,dc=demo
As mentioned, replace dc=greenradius,dc=demo with the LDAP-formatted specification for your own domain, and press Ctrl-D on a blank line when finished.
Now add the object which will hold your password policies:
sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W
You will be prompted for your administrative password. Once this is entered, the command takes the following data:
dn: ou=policies,dc=greenradius,dc=demo
objectClass: organizationalUnit
ou: policies
Press Ctrl-D on a blank line when finished, as before, to add the policy container. The final step is to create the password policy. Shown below is a simple, example policy that requires the following:
- passwords must have a minimum of eight (8) characters
- passwords expire after 60 days (5,184,000 seconds)
Complete documentation on the available password settings can be found here.
Run this command:
sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W
As before, you will be prompted for your password, and once this is entered you will need to input the following:
dn: cn=default,ou=policies,dc=greenradius,dc=demo
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 5184000
Replace pwdMinLength: 8 and pwdMaxAge: 5184000 with your own custom configurations as desired. Press Ctrl-D to save the changes as before. You should see a success message and find that your password policies are now enforced.
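As an added example (not part of the GreenRADIUS documentation or product), the following POSIX shell script assembles the three LDIF fragments from the policy steps above with your own domain substituted, so each can be applied with ldapadd -f and reviewed before anything touches cn=config, instead of being typed interactively and ended with Ctrl-D. It also builds the bind DN used in the ldappasswd step earlier on this page. Assumptions not stated on the page: the host directory /var/lib/docker/volumes/grs-docker-compose_gras-config/_data is what the GRS-OPENLDAP container sees as /opt/grs/greenradius/ (inferred from the ppolicy.ldif step), the OU name "users" in the comments is a placeholder, and the file names are the script's own.

```shell
#!/bin/sh
# Added example, not GreenRADIUS's own code. Generates the ppolicy LDIF
# fragments from the page's steps with the domain substituted, and builds the
# user bind DN used by the ldappasswd step. Assumed (not stated on the page):
# the host path below is what the container sees as /opt/grs/greenradius/,
# and the file names are this script's own.
VOLUME_DIR=/var/lib/docker/volumes/grs-docker-compose_gras-config/_data

# greenradius.demo -> dc=greenradius,dc=demo (one dc= per label)
domain_to_dn() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Bind DN for ldappasswd: uid=<user>,ou=<user's OU>,<domain DN>
# e.g. user_dn user1 users greenradius.demo ("users" is a placeholder OU)
user_dn() {
    printf 'uid=%s,ou=%s,%s' "$1" "$2" "$(domain_to_dn "$3")"
}

# pwdMaxAge is in seconds; the page's 60-day expiry is 5184000 seconds.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Accept only a positive decimal integer.
is_posint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# Overlay entry for the mdb database, pointing at the default policy.
overlay_ldif() {
    cat <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,$(domain_to_dn "$1")
EOF
}

# Container OU that holds the policies.
container_ldif() {
    cat <<EOF
dn: ou=policies,$(domain_to_dn "$1")
objectClass: organizationalUnit
ou: policies
EOF
}

# Default policy: arguments are domain, minimum length, maximum age in days.
# pwdCheckQuality 2 makes the server reject a password it cannot check
# (for example one submitted already hashed).
policy_ldif() {
    is_posint "$2" || { echo "pwdMinLength must be a positive integer: '$2'" >&2; return 1; }
    is_posint "$3" || { echo "max age in days must be a positive integer: '$3'" >&2; return 1; }
    cat <<EOF
dn: cn=default,ou=policies,$(domain_to_dn "$1")
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: $2
pwdMaxAge: $(days_to_seconds "$3")
EOF
}

# Write the fragments into DIR (root is needed for the docker volume) and
# print the page's ldapadd commands, in order, reading from -f instead of stdin.
write_ldifs() {
    overlay_ldif "$2"          > "$1/ppolicy-overlay.ldif"   || return 1
    container_ldif "$2"        > "$1/ppolicy-container.ldif" || return 1
    policy_ldif "$2" "$3" "$4" > "$1/ppolicy-default.ldif"   || return 1
    admin="cn=admin,$(domain_to_dn "$2")"
    cat <<EOF
sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/grs/greenradius/ppolicy-overlay.ldif
sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "$admin" -W -f /opt/grs/greenradius/ppolicy-container.ldif
sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "$admin" -W -f /opt/grs/greenradius/ppolicy-default.ldif
EOF
}

# Run directly with <domain> <min length> <max age days> to preview the policy,
# e.g.: sh ppolicy-ldif.sh greenradius.demo 8 60
# To generate the files: sudo sh -c '. ./ppolicy-ldif.sh; write_ldifs "$VOLUME_DIR" greenradius.demo 8 60'
if [ $# -eq 3 ]; then
    policy_ldif "$1" "$2" "$3"
fi
```

Generating the files first means the DN substitution and the numeric values are checked before the first ldapadd runs; a non-numeric pwdMinLength or age is refused and no policy file is written, so a typo cannot be committed to the directory with the -c (continue on error) flag masking it.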
© 2024 Green Rocket Security Inc. All rights reserved.