Onboard OpenLDAP

GreenRADIUS comes equipped with an onboard OpenLDAP server, in case an external LDAP is not desired. A third-party LDAP admin tool can be used to manage the onboard OpenLDAP, such as LDAP Admin.

The onboard OpenLDAP, by default, is configured with a sample domain (greenradius.demo) with five test users (user1 through user5). Each of the users has a default password of GreenRocket!23.

To overwrite the default OpenLDAP domain with a new OpenLDAP domain, follow these steps:

Pre-requisites

A resolvable hostname/FQDN and a corresponding certificate must be configured in GreenRADIUS.

  1. Global Configuration tab > General
  2. Set the value of the Server Hostname/FQDN field
  3. Click the Save button to save the configuration
  4. Global Configuration tab > Certificate
  5. Under the Generate a CSR/Upload the Certificate section, click Upload a certificate and provide the server certificate, private key, and CA chain. Then click the Install Certificate button.
  • To install a self-signed certificate, in the Create Certificate section, enter a common name matching the hostname/FQDN configured earlier. Click the Create and Install button.

Changing the Onboard OpenLDAP Domain

  1. Global Configuration tab > On-board LDAP Server
  2. Provide the following inputs:
  • DNS Domain Name
  • Organization Name
  • Current Admin Password (default password is GreenRocket!23)
  • Enable Secure Connection for Replication
  • Server ID
  3. Click the Update button to save the new configuration

Changing the OpenLDAP Admin Password

To change the onboard OpenLDAP password of the admin user, follow these steps:

  1. Global Configuration tab > On-board LDAP Server
  2. Provide the following inputs:
  • Current Admin Password (default password is GreenRocket!23)
  • New Admin Password
  • Confirm Admin Password
  3. Click the Update button to change the admin password

Users Changing Their Own Onboard OpenLDAP Password

Users can change their own onboard OpenLDAP password.

Pre-requisites

  • A RedHat, CentOS, or Ubuntu machine that has OpenLDAP utilities installed:
  • In RedHat/CentOS, openldap-clients should be installed
  • In Ubuntu, ldap-utils should be installed
  • The above Linux machine must be able to reach GreenRADIUS

Steps

  1. On the command line of the Linux machine, run the following command (the -A flag prompts for the current password, -S for the new one, and -W for the bind password):
     ldappasswd -h <ip address of GreenRADIUS> -p 389 -x -D "uid=<username>,ou=<user's OU>,dc=<domain component 1>,dc=<domain component 2>,dc=<domain component etc>" -W -A -S
  2. The user enters their current password twice
  3. Then the user enters their new password twice
  4. Then the user enters their current/old password once again (this is the bind password)
  5. A successful password change is silent. If there is an error, an error message will appear.

OpenLDAP password change screen

Setting Up OpenLDAP Password Policies

The onboard OpenLDAP comes with an optional module which can enforce certain password policies, such as password expiration and minimum password lengths.

All commands must be performed in the terminal of GreenRADIUS, either directly or via SSH.

For simplicity, the domain shown in the steps below is always greenradius.demo, represented in LDAP form as dc=greenradius,dc=demo. If your domain is different, you will need to make the appropriate substitutions.

Several of the commands below will prompt for multiple lines of text. Simply enter the text into your terminal. When everything has been input, press Ctrl-D on a blank line to finish the entry and execute the command.

First, you must load the appropriate module:

sudo docker exec -it GRS-OPENLDAP ldapmodify -Q -Y EXTERNAL -H ldapi:///

This will prompt for LDAP data to insert. Use the following:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

As mentioned above, press Ctrl-D on a blank line when done. The command should report success with a message:

modifying entry "cn=module{0},cn=config"

Next, load the ppolicy schema. To do this, you will need to download the schema from here and upload it to GreenRADIUS. Copy it into the /var/lib/docker/volumes/grs-docker-compose_gras-config/_data directory. (This will require root permissions.)

To load the schema into LDAP, execute this command:

sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/grs/greenradius/ppolicy.ldif

This will load the stored ppolicy schema. You should receive a message upon success.

Now the ppolicy module must be enabled:

sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:///

Input the following data to the command, pressing Ctrl-D when done as said above:

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=greenradius,dc=demo

As mentioned, replace dc=greenradius,dc=demo with the LDAP-formatted specification for your own domain, and press Ctrl-D on a blank line when finished.

Now add the object which will hold your password policies:

sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W

You will be prompted for your administrative password. Once this is entered, the command takes the following data:

dn: ou=policies,dc=greenradius,dc=demo
objectClass: organizationalUnit
ou: policies

Press Ctrl-D on a blank line when finished, as before, to add the policy container. The final step is to create the password policy. Shown below is a simple example policy that requires the following:

  • passwords must have a minimum of eight (8) characters
  • passwords expire after 60 days (5,184,000 seconds, the unit pwdMaxAge expects)

Complete documentation on the available password policy settings can be found here.

Run this command:

sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,dc=greenradius,dc=demo" -W

As before, you will be prompted for your password, and once this is entered you will need to input the following:

dn: cn=default,ou=policies,dc=greenradius,dc=demo
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 5184000

Replace pwdMinLength: 8 and pwdMaxAge: 5184000 with your own custom configurations as desired. Press Ctrl-D to save the changes as before. You should see a success message and find that your password policies are now enforced.
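The following script is an added example, not part of the GreenRADIUS documentation. It generates the LDIF entered by hand in the password policy steps above (deriving the dc= base from the DNS domain, as the substitution note asks, and pwdMaxAge from a number of days), builds the user DN needed for the ldappasswd step in the earlier section, and applies the policy the same way the page loads ppolicy.ldif. It assumes the container name GRS-OPENLDAP and bind DN cn=admin from this page, and that files placed in the host config volume appear under /opt/grs/greenradius/ inside the container.

```shell
# Added example, not from the GreenRADIUS documentation: builds the LDIF the
# ppolicy steps above enter by hand (base DN derived from the DNS domain,
# pwdMaxAge from days) and applies it the way the page loads ppolicy.ldif.
# Assumed: container GRS-OPENLDAP, bind DN cn=admin, and that files in the
# host volume appear under /opt/grs/greenradius/ inside the container.
VOLUME=/var/lib/docker/volumes/grs-docker-compose_gras-config/_data

# greenradius.demo -> dc=greenradius,dc=demo
domain_to_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# The DN a user passes to ldappasswd -D, e.g. user_dn user1 users greenradius.demo
user_dn() { printf 'uid=%s,ou=%s,%s' "$1" "$2" "$(domain_to_dn "$3")"; }

# Days -> seconds, the unit pwdMaxAge expects (60 days -> 5184000)
days_to_seconds() { echo $(( $1 * 86400 )); }

# Overlay entry that points the mdb database at the default policy
overlay_ldif() {
    printf 'dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config\n'
    printf 'objectClass: olcOverlayConfig\nobjectClass: olcPPolicyConfig\n'
    printf 'olcOverlay: ppolicy\nolcPPolicyDefault: cn=default,ou=policies,%s\n' "$(domain_to_dn "$1")"
}

# Policy container and default policy as one two-entry LDIF. Args: domain min_len max_days
policy_ldif() {
    base=$(domain_to_dn "$1")
    printf 'dn: ou=policies,%s\nobjectClass: organizationalUnit\nou: policies\n\n' "$base"
    printf 'dn: cn=default,ou=policies,%s\nobjectClass: pwdPolicy\n' "$base"
    printf 'objectClass: organizationalRole\ncn: default\npwdAttribute: userPassword\n'
    printf 'pwdCheckQuality: 2\npwdMinLength: %s\npwdMaxAge: %s\n' "$2" "$(days_to_seconds "$3")"
}

# On the GreenRADIUS host, after the module load and schema import above:
#   apply_ppolicy greenradius.demo 8 60
apply_ppolicy() {
    base=$(domain_to_dn "$1")
    overlay_ldif "$1" | sudo tee "$VOLUME/ppolicy-overlay.ldif" >/dev/null
    policy_ldif "$1" "$2" "$3" | sudo tee "$VOLUME/ppolicy-default.ldif" >/dev/null
    sudo docker exec -it GRS-OPENLDAP ldapadd -Q -Y EXTERNAL -H ldapi:/// \
        -f /opt/grs/greenradius/ppolicy-overlay.ldif
    sudo docker exec -it GRS-OPENLDAP ldapadd -c -x -D "cn=admin,$base" -W \
        -f /opt/grs/greenradius/ppolicy-default.ldif
    # Read the policy back so the enforced values can be checked against the request
    sudo docker exec -it GRS-OPENLDAP ldapsearch -x -D "cn=admin,$base" -W \
        -b "cn=default,ou=policies,$base" pwdMinLength pwdMaxAge
}
```

The final ldapsearch is the check worth keeping: if pwdMinLength and pwdMaxAge do not come back with the requested values, the policy is not the one being enforced.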

Updated 2020-06-12
© 2020 Green Rocket Security Inc. All rights reserved.