docs:tips_n_tricks:ldap.html

docs:tips_n_tricks:ldap.html [26.09.2014 21:12 CEST] – [Configure phpldapadmin] peter
docs:tips_n_tricks:ldap.html [27.02.2024 23:32 CET] (current) – [Write olcAccess.ldif in "human readable" format from actual config] peter
Line 1: Line 1:
 ====== LDAP ====== ====== LDAP ======
  
-====== Count Persons (objects derived from 'person'======+===== Count Persons (objects derived from 'person') =====
  
   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
  
-  * ''-w '?' '' will prompt for a password (without echo)+  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations, when using OpenLDAP utilities, use ''-W'' instead)
   * ''-s scope'' search scope (base, one, or sub)   * ''-s scope'' search scope (base, one, or sub)
   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)
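Review bot: the new footnote on the ''-w '?' '' bullet is the important fix in this hunk and should be stated a little more firmly: OpenLDAP's ldapsearch has no special handling for ''?'' and would send the literal string as the bind password, so readers on OpenLDAP should use ''-W'' (prompt without echo) as the footnote says, or ''-y passwdfile'' to read it from a mode 0600 file so the secret never ends up in shell history or ''ps'' output. One more thing worth saying next to the command: ''grep -c ='' counts every line containing ''='', and when a long DN is folded by the LDIF writer the continuation line can contain another ''='' and be counted twice; on OpenLDAP add ''-o ldif-wrap=no'' (as the cn=config search later in this diff does) or count with ''grep -c '^dn:' '' instead.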
Line 11: Line 11:
  --- //Courtesy of Oliver D. 2010/05/04 15:04//  --- //Courtesy of Oliver D. 2010/05/04 15:04//
  
-====== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ======+===== Read cn=config =====
  
-===== Installation =====+  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \ 
 +  | sed -e '/^olcAccess: /s/ by /\n  by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n  \1=/gi' \ 
 +  | less -S 
 + 
 +===== Get DIT ===== 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \ 
 +  | sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp'
 +  | sort -u 
 +===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== 
 +==== Server ==== 
 + 
 +=== Installation ===
  
   apt-get install slapd phpldapadmin ldap-auth-config   apt-get install slapd phpldapadmin ldap-auth-config
      
-===== Configure phpldapadmin =====+=== Configure phpldapadmin ===
  
   * Disable\\ ''$servers->setValue('server','base',array('dc=example,dc=com'));''\\ in ''/etc/phpldapadmin/config.php'' to get automatically the base DN you configured on your LDAP server   * Disable\\ ''$servers->setValue('server','base',array('dc=example,dc=com'));''\\ in ''/etc/phpldapadmin/config.php'' to get automatically the base DN you configured on your LDAP server
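Review bot: the "Get DIT" command does not run as written: the filter ''(objectclass=*)'' on the ldapsearch line is unquoted, so the shell parses the parentheses itself instead of passing them to ldapsearch (the "Read cn=config" command above quotes its filter correctly), and the ''sed -ne ...'' line has no trailing ''\'', so ''| sort -u'' on the next line is read as a separate command and fails. Suggest '' '(objectclass=*)' '' and a ''\'' after the sed expression. The search also passes no ''-b'', so it depends on a BASE being set in ldap.conf; giving the suffix explicitly makes the snippet reproducible. Under "Read cn=config" one sentence is missing: the dump includes ''olcRootPW'' and the ''olcSyncrepl'' line the sed splits apart, which carries the replication bind credentials, so the output should be redacted before it is pasted into a ticket or mail.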
Line 23: Line 35:
   * To get rid of the error "Error trying to get a non-existant value (appearance,password_hash)" replace //password_hash// by //password_hash_custom// in line 2469 of ''/usr/share/phpldapadmin/lib/TemplateRender.php'' ([[http://stackoverflow.com/questions/20673186/getting-error-for-setting-password-feild-when-creating-generic-user-account-phpl|Thanks]])   * To get rid of the error "Error trying to get a non-existant value (appearance,password_hash)" replace //password_hash// by //password_hash_custom// in line 2469 of ''/usr/share/phpldapadmin/lib/TemplateRender.php'' ([[http://stackoverflow.com/questions/20673186/getting-error-for-setting-password-feild-when-creating-generic-user-account-phpl|Thanks]])
   * Uncomment und edit the line\\ ''$servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500));''\\ in ''/etc/phpldapadmin/config.php'' to get a numerical uid range different from the one selected by local //useradd//.   * Uncomment und edit the line\\ ''$servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500));''\\ in ''/etc/phpldapadmin/config.php'' to get a numerical uid range different from the one selected by local //useradd//.
-==== Remarks ====+== Remarks ==
  
   * When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.   * When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.
   * The ldap adminstrator account is of the object class //organizationalRole// with auxilary class //simpleSecurityObject//. Maybe this can be used for simple accounts to authenticate against ldap itself with ''cn=...'' as well?   * The ldap adminstrator account is of the object class //organizationalRole// with auxilary class //simpleSecurityObject//. Maybe this can be used for simple accounts to authenticate against ldap itself with ''cn=...'' as well?
  
-===== Configure nsswitch =====+=== Configure OpenLDAP Logging === 
 + 
 +It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif'' 
 + 
 +  olcLogLevel: ACL stats stats2 shell 
 + 
 +to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels)) 
 + 
 +=== Enable ldapi access with apparmor === 
 + 
 +If you get the error ''ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)'' when using authentication options ''-Y External -H ldapi:/''''/''''/'' this might be due to slapd's //apparmor// profile. Run 
 + 
 +  aa-complain slapd 
 + 
 +and try again to verify. If this helps, add the following lines to ''/etc/apparmor.d/local/usr.sbin.slapd'': 
 + 
 +  /run/slapd/ldapi rw, 
 + 
 +In any case, make sure to re-enforce with 
 + 
 +  aa-enforce slapd 
 +  /etc/init.d/slapd stop 
 +  /etc/init.d/slapd start 
 + 
 +Only leave it in //complain// mode (on your own responsibility), if you know what you're doing 
 + 
 +{{tag>apparmor}} 
 +{{entry>apparmor}} 
 + 
 +=== Set password for cn=config === 
 + 
 +To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//)) , which does not have a known password by default. To set it, create an ldif file 
 + 
 +<code ldif> 
 +dn: olcDatabase={0}config,cn=config 
 +changetype: modify 
 +replace: olcRootPW 
 +olcRootPW: <PW in Clear> 
 +</code> 
 + 
 +and load it as //root// with((In case of errors, see above)) 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file> 
 + 
 +__NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash: 
 + 
 +   ~ $ slappasswd 
 +  New password:  
 +  Re-enter new password:  
 +  {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx 
 +   ~ $  
 +    
 +and paste it into the ldif file: 
 + 
 +<code ldif> 
 +dn: olcDatabase={0}config,cn=config 
 +changetype: modify 
 +replace: olcRootPW 
 +olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx 
 +</code> 
 + 
 +Afterwards you cann access the config by  
 + 
 +  ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config 
 + 
 +(Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]]) 
 + 
 +Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by running: 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)' 
 +   
 +as //root//. 
 +=== Enable "memberOf" === 
 + 
 +1) 
 +  su -  
 +  ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif 
 + 
 +''enableMemberOf.ldif'': 
 +<code ldif enableMemberOf.ldif> 
 +dn: cn=module,cn=config 
 +objectClass: olcModuleList 
 +cn: module 
 +olcModuleLoad: memberof 
 +</code> 
 +2)  
 +  su -  
 +  ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif 
 + 
 +''configureMemberOf.ldif'': 
 +<code ldif configureMemberOf.ldif> 
 +dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcMemberOf 
 +objectClass: olcOverlayConfig 
 +objectClass: top 
 +olcOverlay: memberof 
 +olcMemberOfDangling: ignore 
 +olcMemberOfRefInt: TRUE 
 +olcMemberOfGroupOC: groupOfNames 
 +olcMemberOfMemberAD: member 
 +olcMemberOfMemberOfAD: memberOf 
 +</code> 
 + 
 +:!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //olcDatabase={1}hdb,cn=config//. You can list all database objects with their respective suffix by calling 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix 
 + 
 +as //root//. 
 + 
 +__References__: 
 + 
 +  * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/ 
 +=== Write olcAccess.ldif in "human readable" format from actual config  === 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)'
 +  | sed -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h;d};/^olcAccess/{s/ by /\n  by /gi;H;s/^.*$//;x;s/^\nolcAccess/olcAccess/g;p;d};d' 
 + 
 +or 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' | ./olcAcces.sed 
 + 
 +<file sed olcAccess.sed> 
 +#!/bin/sed -f 
 +/^dn: /{ 
 +s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/ 
 +
 +
 +
 +/^olcAccess/
 +s/ by /\n  by /gi 
 +
 +s/^.*$// 
 +
 +s/^\nolcAccess/olcAccess/
 +
 +
 +
 +
 +</file> 
 + 
 +[[docs:tips_n_tricks:ldap.html?rev=1709050872#read_olcaccess_anc_convert_it_into_human_readable_format|Read olcAccess and convert it into "human readable" format]] 
 +==== Client ==== 
 +=== Configure nsswitch ===
  
 Add ''ldap'' to list of methods in ''/etc/nsswitch.con'' behind ''passwd'' and ''groups'' Add ''ldap'' to list of methods in ''/etc/nsswitch.con'' behind ''passwd'' and ''groups''
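Review bot: the ''<file sed olcAccess.sed>'' block is incomplete compared with the one-liner above it: the ''h;d'' and the closing ''}'' of the ''/^dn: /'' block, the ''H'', ''x'' and ''p;d'' commands of the ''/^olcAccess/'' block and the final ''d'' are all missing, so the file as shown does not reproduce the one-liner's output; the commands can be copied over from the one-liner, e.g. ''h'', ''d'' and ''}'' right after the first ''s/.../''. The pipeline that uses it also calls ''./olcAcces.sed'' (one ''s'') while the file is named ''olcAccess.sed'', and the ldapsearch line before ''| sed -e ...'' lacks a trailing ''\''. Three smaller points in the same hunk: ''ldapsearch -x -D cn=config -w <PW in Clear>'' puts the password into shell history and ''ps'' output, so use ''-W'' as the "Adding indexes" section does; editing ''cn=config.ldif'' under ''/etc/ldap/slapd.d'' by hand while slapd is running is exactly what the slapd-config reference in the References list tells admins not to do, so the footnotes pointing at the apparmor and "Set password for cn=config" fixes should be the recommended path rather than an aside; and ''/etc/nsswitch.con'' should read ''/etc/nsswitch.conf''.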
Line 37: Line 192:
   :   :
  
-===== Configure PAM =====+=== Configure PAM ===
  
 add ''pam_mkhomedirs.so'' to ''common-session'' add ''pam_mkhomedirs.so'' to ''common-session''
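Review bot: the module name is inconsistent: this line says ''pam_mkhomedirs.so'' while the ''common-session'' entry in the next hunk reads ''session required pam_mkhomedir.so''; the entry is the correct one (the module is pam_mkhomedir.so), so the prose should be fixed to match. It would also help to say which permissions the module creates directories with, since the shown line relies on the default; adding ''umask=0077'' to the entry keeps new LDAP users' home directories private.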
Line 44: Line 199:
   session required pam_mkhomedir.so   session required pam_mkhomedir.so
  
-===== Configure OpenLDAP Logging =====+=== Override Home Directory settings ===
  
-It should be done by //ldapmodify//, but as //ldapsearch// did not work, I modified ''/etc/ldap/slapd.d/cn=config.ldif''+   apt-get install libpam-ldapd libnss-ldapd
  
-  olcLogLevelACL stats stats2 shell+This will remove //libpam-ldap// and //libnss-ldap// but install //nslcd// which is capable of overwriting values from LDAP entries more flexible. I.e. to have all users their home directories in ''/local/home'' instead of the LDAP entries value //homeDirectory//, add this line to ''/etc/nslcd.conf'':
  
-to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials. +  : 
-===== Set password for cn=config =====+  map passwd homeDirectory "/local/home/$uid" 
 +  :  
 +(Found [[http://ubuntuforums.org/showthread.php?t=1766427|here]])
  
-To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN cn=root, which does not have a known password by default. To set it, create an ldif file 
  
-  dn: olcDatabase={0}config,cn=config +===== Self Service Password on Ubuntu 14.10 =====
-  changetype: modify +
-  replace: olcRootPW +
-  olcRootPW: <PW in Clear>+
  
-and load it with +  * Download self-service-password_0.9-1_all.deb (or later) from http://ltb-project.org/wiki/download#self_service_password
  
-  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>+  dpkg -i self-service-password_0.9-1_all.deb 
 +  apt-get install php5-mcrypt'' 
 +  php5enmod mcrypt
  
-Afterwards you cann access the config by +  * Edit //Apache// configuration: 
 +  
 +  <code>Alias /passwd /usr/share/self-service-password/</code>
  
-  ldapsearch --D cn=config -w <PW in Clear> -b cn=config+  * Edit /usr/share/self-service-password/conf/config.ini.php 
 +    * (ldap_url) 
 +    * ldap_binddn 
 +    * ldap_bindpw 
 +    * ldap_base 
 +    * hash 
 +    * mail_from 
 +    * (notify_on_change) 
 +    * (debug)
  
-(Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])+  /etc/init.d/apache2 stop 
 +  /etc/init.d/apache2 start 
 +   
 +===== Change Loglevel of OpenLDAP ===== 
 + 
 +Simply change attribute //olcLogLevel// of the object //cn=config// by //phpLDAPAdmin// or //ldapmodify// using the credentials for the OLC((on-line configuration)) access, by default //cn=config// and value of attribute olcRootPW of object //olcDatabase={0}config,cn=config//, e.g. 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif 
 + 
 +with 
 +<code ldif config.ldif> 
 +dn: cn=config 
 +changeType: modify 
 +replace: olcLogLevel 
 +olcLogLevel: stats stats2 shell 
 +</code> 
 + 
 +or 
 + 
 +<code ldif config.ldif> 
 +dn: cn=config 
 +changeType: modify 
 +replace: olcLogLevel 
 +olcLogLevel: none 
 +</code> 
 + 
 + 
 +===== Adding indexes ===== 
 + 
 +Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +  ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn: 
 + 
 +<code ldif add_indices.ldif> 
 +dn: olcDatabase={1}hdb,cn=config 
 +changetype: modify 
 +add: olcDbIndex 
 +olcDbIndex: uid eq 
 +
 +add: olcDbIndex 
 +olcDbIndex: cn eq 
 +</code> 
 + 
 +Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif 
 + 
 +  ldapmodify -D cn=config -W          -f add_indices.ldif 
 + 
 +===== References & Credits ===== 
 +  * http://www.zytrax.com/books/ldap/ch6/slapd-config.html 
 +  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config 
 +  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server 
 + 
 +======  ======
  
 {{tag>LDAP Ubuntu OpenLDAP PAM}} {{tag>LDAP Ubuntu OpenLDAP PAM}}
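Review bot: in ''add_indices.ldif'' the separator between the two ''add: olcDbIndex'' operations must be a line containing a single ''-''; in the rendered diff that line shows as empty, and without the dash ldapmodify rejects the second ''add:'', so readers copying from this view will get an error. Other points in the hunk: ''apt-get install php5-mcrypt<nowiki>''</nowiki>'' carries a stray '' '' ''; the Self Service Password ''.deb'' is fetched over plain http and fed to ''dpkg -i'' with no checksum or signature check, so the download should be verified against what the project publishes; ''config.ini.php'' ends up holding ''ldap_bindpw'', so it should be readable only by the web server user and ''ldap_binddn'' should be an account limited to changing userPassword rather than the directory admin; and the empty ''======  ======'' heading at the end is a leftover. On logging, ''stats stats2'' records every connection and operation including bind DNs, so the second LDIF (''olcLogLevel: none'') should be applied again once debugging is finished.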
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter
