docs:tips_n_tricks:ldap.html [26.09.2014 21:12 CEST] – [Configure phpldapadmin] peter
docs:tips_n_tricks:ldap.html [27.02.2024 17:30 CET] – [Write olcAccess.ldif in "human readable" format from actual config] peter
Line 1: Line 1:
 ====== LDAP ====== ====== LDAP ======
  
-====== Count Persons (objects derived from 'person'======+===== Count Persons (objects derived from 'person') =====
  
   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
  
-  * ''-w '?' '' will prompt for a password (without echo)+  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations, when using OpenLDAP utilities, use ''-W'' instead)
   * ''-s scope'' search scope (base, one, or sub)   * ''-s scope'' search scope (base, one, or sub)
   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)
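Review bot: the footnote added to the `-w '?'` bullet is never closed: a DokuWiki footnote needs a matching `))`, but the text ends with a single `)` after `use ''-W'' instead`, so everything that follows renders inside the footnote. While fixing that, the bullet itself should say that with OpenLDAP's ldapsearch `-w '?'` is sent literally as the bind password for `cn=root`, so the command above simply fails to bind, and anyone who replaces `?` with the real password leaves it in shell history and the process list; `-W` prompts interactively, and `-y <file>` reads the password from a file with restricted permissions, which is the safer choice for scripts.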
Line 11: Line 11:
  --- //Courtesy of Oliver D. 2010/05/04 15:04//  --- //Courtesy of Oliver D. 2010/05/04 15:04//
  
-====== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ======+===== Read cn=config =====
  
-===== Installation =====+  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \ 
 +  | sed -e '/^olcAccess: /s/ by /\n  by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n  \1=/gi' \ 
 +  | less -S 
 + 
 +===== Get DIT ===== 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \ 
 +  | sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp'
 +  | sort -u 
 +===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== 
 +==== Server ==== 
 + 
 +=== Installation ===
  
   apt-get install slapd phpldapadmin ldap-auth-config   apt-get install slapd phpldapadmin ldap-auth-config
      
-===== Configure phpldapadmin =====+=== Configure phpldapadmin ===
  
   * Disable\\ ''$servers->setValue('server','base',array('dc=example,dc=com'));''\\ in ''/etc/phpldapadmin/config.php'' to get automatically the base DN you configured on your LDAP server   * Disable\\ ''$servers->setValue('server','base',array('dc=example,dc=com'));''\\ in ''/etc/phpldapadmin/config.php'' to get automatically the base DN you configured on your LDAP server
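Review bot: the 'Get DIT' pipeline is broken in two places: the filter on the `ldapsearch` line is written `(objectclass=*)` without quotes, so the shell treats the parentheses as a subshell and reports a syntax error (the 'Read cn=config' block just above quotes it correctly), and the `sed` line has no trailing `\`, so `| sort -u` ends up on its own line as a separate, empty command. Quote the filter and join the three lines with `\` as in the block above; that command also passes no `-b`, so it relies on a default search base from ldap.conf, which should be stated. One caveat for the 'Read cn=config' dump: the `olcSyncrepl` rewrite deliberately splits out every `key=value` pair, and on a replica those include the replication bind credentials, so this output belongs in `less -S` as written and not in a file or a wiki paste.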
Line 23: Line 35:
   * To get rid of the error "Error trying to get a non-existant value (appearance,password_hash)" replace //password_hash// by //password_hash_custom// in line 2469 of ''/usr/share/phpldapadmin/lib/TemplateRender.php'' ([[http://stackoverflow.com/questions/20673186/getting-error-for-setting-password-feild-when-creating-generic-user-account-phpl|Thanks]])   * To get rid of the error "Error trying to get a non-existant value (appearance,password_hash)" replace //password_hash// by //password_hash_custom// in line 2469 of ''/usr/share/phpldapadmin/lib/TemplateRender.php'' ([[http://stackoverflow.com/questions/20673186/getting-error-for-setting-password-feild-when-creating-generic-user-account-phpl|Thanks]])
   * Uncomment und edit the line\\ ''$servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500));''\\ in ''/etc/phpldapadmin/config.php'' to get a numerical uid range different from the one selected by local //useradd//.   * Uncomment und edit the line\\ ''$servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500));''\\ in ''/etc/phpldapadmin/config.php'' to get a numerical uid range different from the one selected by local //useradd//.
-==== Remarks ====+== Remarks ==
  
   * When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.   * When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.
   * The ldap adminstrator account is of the object class //organizationalRole// with auxilary class //simpleSecurityObject//. Maybe this can be used for simple accounts to authenticate against ldap itself with ''cn=...'' as well?   * The ldap adminstrator account is of the object class //organizationalRole// with auxilary class //simpleSecurityObject//. Maybe this can be used for simple accounts to authenticate against ldap itself with ''cn=...'' as well?
  
-===== Configure nsswitch =====+=== Configure OpenLDAP Logging === 
 + 
 +It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif'' 
 + 
 +  olcLogLevel: ACL stats stats2 shell 
 + 
 +to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels)) 
 + 
 +=== Enable ldapi access with apparmor === 
 + 
 +If you get the error ''ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)'' when using authentication options ''-Y External -H ldapi:/''''/''''/'' this might be due to slapd's //apparmor// profile. Run 
 + 
 +  aa-complain slapd 
 + 
 +and try again to verify. If this helps, add the following lines to ''/etc/apparmor.d/local/usr.sbin.slapd'': 
 + 
 +  /run/slapd/ldapi rw, 
 + 
 +In any case, make sure to re-enforce with 
 + 
 +  aa-enforce slapd 
 +  /etc/init.d/slapd stop 
 +  /etc/init.d/slapd start 
 + 
 +Only leave it in //complain// mode (on your own responsibility), if you know what you're doing 
 + 
 +{{tag>apparmor}} 
 +{{entry>apparmor}} 
 + 
 +=== Set password for cn=config === 
 + 
 +To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//)) , which does not have a known password by default. To set it, create an ldif file 
 + 
 +<code ldif> 
 +dn: olcDatabase={0}config,cn=config 
 +changetype: modify 
 +replace: olcRootPW 
 +olcRootPW: <PW in Clear> 
 +</code> 
 + 
 +and load it as //root// with((In case of errors, see above)) 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file> 
 + 
 +__NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash: 
 + 
 +   ~ $ slappasswd 
 +  New password:  
 +  Re-enter new password:  
 +  {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx 
 +   ~ $  
 +    
 +and paste it into the ldif file: 
 + 
 +<code ldif> 
 +dn: olcDatabase={0}config,cn=config 
 +changetype: modify 
 +replace: olcRootPW 
 +olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx 
 +</code> 
 + 
 +Afterwards you cann access the config by  
 + 
 +  ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config 
 + 
 +(Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]]) 
 + 
 +Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by running: 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)' 
 +   
 +as //root//. 
 +=== Enable "memberOf" === 
 + 
 +1) 
 +  su -  
 +  ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif 
 + 
 +''enableMemberOf.ldif'': 
 +<code ldif enableMemberOf.ldif> 
 +dn: cn=module,cn=config 
 +objectClass: olcModuleList 
 +cn: module 
 +olcModuleLoad: memberof 
 +</code> 
 +2)  
 +  su -  
 +  ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif 
 + 
 +''configureMemberOf.ldif'': 
 +<code ldif configureMemberOf.ldif> 
 +dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcMemberOf 
 +objectClass: olcOverlayConfig 
 +objectClass: top 
 +olcOverlay: memberof 
 +olcMemberOfDangling: ignore 
 +olcMemberOfRefInt: TRUE 
 +olcMemberOfGroupOC: groupOfNames 
 +olcMemberOfMemberAD: member 
 +olcMemberOfMemberOfAD: memberOf 
 +</code> 
 + 
 +:!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //olcDatabase={1}hdb,cn=config//. You can list all database objects with their respective suffix by calling 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix 
 + 
 +as //root//. 
 + 
 +__References__: 
 + 
 +  * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/ 
 +=== Write olcAccess.ldif in "human readable" format from actual config  === 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)'
 +  | sed -n -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h};/^olcAccess/{s/ by /\n  by /gi;H;x;p}' 
 +   
 +[[docs:tips_n_tricks:ldap.html?rev=1709050872#read_olcaccess_anc_convert_it_into_human_readable_format|Read olcAccess anc convert it into "human readable" format]] 
 +==== Client ==== 
 +=== Configure nsswitch ===
  
 Add ''ldap'' to list of methods in ''/etc/nsswitch.con'' behind ''passwd'' and ''groups'' Add ''ldap'' to list of methods in ''/etc/nsswitch.con'' behind ''passwd'' and ''groups''
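Review bot: the 'Write olcAccess.ldif' command has the same continuation problem as 'Get DIT': the first `ldapsearch` line ends without a trailing `\`, so the `| sed ...` line is executed on its own and the search output is never filtered. The `sed` script also only yields a valid modify record for entries with a single `olcAccess` value: `h` on the `dn:` line stores the header, the first `olcAccess` line appends to it, swaps and prints, but from then on the hold space contains only the previous `olcAccess` values, so an entry with several rules (a database typically carries several) prints earlier rules again and loses its `dn:`/`changetype: modify`/`replace: olcAccess` header; and because `replace:` discards every value not listed, feeding such a file to `ldapmodify` would remove all but the first rule. Collect all `olcAccess` lines of an entry before printing, or state plainly that the output is for reading, not for applying. Smaller points: the verification command `ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config` in 'Set password for cn=config' puts the cleartext root password into shell history and the process list, while the later 'Adding indexes' section already shows the `-W` form; and the AppArmor section should say that `aa-complain slapd` lifts enforcement for the whole daemon, not just for the `ldapi` socket, which is why the `aa-enforce slapd` step must not be skipped.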
Line 37: Line 169:
   :   :
  
-===== Configure PAM =====+=== Configure PAM ===
  
 add ''pam_mkhomedirs.so'' to ''common-session'' add ''pam_mkhomedirs.so'' to ''common-session''
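Review bot: the module name in this sentence, `pam_mkhomedirs.so`, does not match the `session required pam_mkhomedir.so` line shown in the next hunk; the module is `pam_mkhomedir.so`, and a misspelled name in `common-session` makes PAM fail to load the module, which as a `required` entry can fail the whole session instead of creating the home directory.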
Line 44: Line 176:
   session required pam_mkhomedir.so   session required pam_mkhomedir.so
  
-===== Configure OpenLDAP Logging =====+=== Override Home Directory settings ===
  
-It should be done by //ldapmodify//, but as //ldapsearch// did not work, I modified ''/etc/ldap/slapd.d/cn=config.ldif''+   apt-get install libpam-ldapd libnss-ldapd
  
-  olcLogLevelACL stats stats2 shell+This will remove //libpam-ldap// and //libnss-ldap// but install //nslcd// which is capable of overwriting values from LDAP entries more flexible. I.e. to have all users their home directories in ''/local/home'' instead of the LDAP entries value //homeDirectory//, add this line to ''/etc/nslcd.conf'':
  
-to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials. +  : 
-===== Set password for cn=config =====+  map passwd homeDirectory "/local/home/$uid" 
 +  :  
 +(Found [[http://ubuntuforums.org/showthread.php?t=1766427|here]])
  
-To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN cn=root, which does not have a known password by default. To set it, create an ldif file 
  
-  dn: olcDatabase={0}config,cn=config +===== Self Service Password on Ubuntu 14.10 =====
-  changetype: modify +
-  replace: olcRootPW +
-  olcRootPW: <PW in Clear>+
  
-and load it with +  * Download self-service-password_0.9-1_all.deb (or later) from http://ltb-project.org/wiki/download#self_service_password
  
-  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>+  dpkg -i self-service-password_0.9-1_all.deb 
 +  apt-get install php5-mcrypt'' 
 +  php5enmod mcrypt
  
-Afterwards you cann access the config by +  * Edit //Apache// configuration: 
 +  
 +  <code>Alias /passwd /usr/share/self-service-password/</code>
  
-  ldapsearch --D cn=config -w <PW in Clear> -b cn=config+  * Edit /usr/share/self-service-password/conf/config.ini.php 
 +    * (ldap_url) 
 +    * ldap_binddn 
 +    * ldap_bindpw 
 +    * ldap_base 
 +    * hash 
 +    * mail_from 
 +    * (notify_on_change) 
 +    * (debug)
  
-(Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])+  /etc/init.d/apache2 stop 
 +  /etc/init.d/apache2 start 
 +   
 +===== Change Loglevel of OpenLDAP ===== 
 + 
 +Simply change attribute //olcLogLevel// of the object //cn=config// by //phpLDAPAdmin// or //ldapmodify// using the credentials for the OLC((on-line configuration)) access, by default //cn=config// and value of attribute olcRootPW of object //olcDatabase={0}config,cn=config//, e.g. 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif 
 + 
 +with 
 +<code ldif config.ldif> 
 +dn: cn=config 
 +changeType: modify 
 +replace: olcLogLevel 
 +olcLogLevel: stats stats2 shell 
 +</code> 
 + 
 +or 
 + 
 +<code ldif config.ldif> 
 +dn: cn=config 
 +changeType: modify 
 +replace: olcLogLevel 
 +olcLogLevel: none 
 +</code> 
 + 
 + 
 +===== Adding indexes ===== 
 + 
 +Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +  ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn: 
 + 
 +<code ldif add_indices.ldif> 
 +dn: olcDatabase={1}hdb,cn=config 
 +changetype: modify 
 +add: olcDbIndex 
 +olcDbIndex: uid eq 
 +
 +add: olcDbIndex 
 +olcDbIndex: cn eq 
 +</code> 
 + 
 +Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif 
 + 
 +  ldapmodify -D cn=config -W          -f add_indices.ldif 
 + 
 +===== References & Credits ===== 
 +  * http://www.zytrax.com/books/ldap/ch6/slapd-config.html 
 +  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config 
 +  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server 
 + 
 +======  ======
  
 {{tag>LDAP Ubuntu OpenLDAP PAM}} {{tag>LDAP Ubuntu OpenLDAP PAM}}
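Review bot: in `add_indices.ldif` the two `add: olcDbIndex` changes are separated by a blank line, but LDIF requires a line containing only `-` between the changes of one modify record; as shown, the blank line ends the record and the second `add` is not applied. Either restore the `-` separator or list both attributes under a single `add: olcDbIndex`. Also: the `apt-get install php5-mcrypt''` line carries a stray `''`; the two 'Change Loglevel' blocks are both captioned `config.ldif` although they are alternatives; and the self-service-password list should note that `config.ini.php` holds the cleartext `ldap_bindpw` readable by the web server, so `ldap_binddn` should be a dedicated account limited to changing `userPassword` rather than the directory admin, and `hash` controls the storage scheme of the passwords the tool writes, so choose a salted scheme such as the SSHA the page already uses with `slappasswd`.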
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter
