docs:tips_n_tricks:ldap.html
Differences
docs:tips_n_tricks:ldap.html [26.09.2014 21:12 CEST] – [Configure phpldapadmin] peter | docs:tips_n_tricks:ldap.html [27.02.2024 23:32 CET] (current) – [Write olcAccess.ldif in "human readable" format from actual config] peter | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== LDAP ====== | ====== LDAP ====== | ||
- | ====== Count Persons (objects derived from ' | + | ===== Count Persons (objects derived from ' |
ldapsearch [-h hostname] -D " | ldapsearch [-h hostname] -D " | ||
- | * '' | + | * '' |
* '' | * '' | ||
* '' | * '' | ||
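Review bot: the `ldapsearch [-h hostname] -D "` line in this hunk uses `-h`, which the OpenLDAP client tools document as deprecated in favour of the URI form; suggest `ldapsearch -H ldap://hostname -D "…"` so the command matches the `-H ldapi:///` form used by the sections added further down the page, and so the same invocation can be pointed at `ldaps://` or combined with `-Z` (StartTLS) when the count is run against a directory over the network instead of locally.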
Line 11: | Line 11: | ||
--- //Courtesy of Oliver D. 2010/05/04 15:04// | --- //Courtesy of Oliver D. 2010/05/04 15:04// | ||
- | ====== | + | ===== Read cn=config |
- | ===== Installation | + | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no ' |
+ | | sed -e '/ | ||
+ | | less -S | ||
+ | |||
+ | ===== Get DIT ===== | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \ | ||
+ | | sed -ne ' | ||
+ | | sort -u | ||
+ | ===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== | ||
+ | ==== Server ==== | ||
+ | |||
+ | === Installation | ||
apt-get install slapd phpldapadmin ldap-auth-config | apt-get install slapd phpldapadmin ldap-auth-config | ||
| | ||
- | ===== Configure phpldapadmin | + | === Configure phpldapadmin === |
* Disable\\ '' | * Disable\\ '' | ||
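Review bot: the "Get DIT" command `ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \` will not run as written in a POSIX shell, because the unquoted parentheses in `(objectclass=*)` are parsed as shell syntax rather than passed to ldapsearch; quote the filter as `'(objectclass=*)'`, as the "Read cn=config" command just above it does. The same command passes no `-b`, so the search base silently falls back to whatever `BASE` is set in ldap.conf (or an empty base, which returns nothing useful); an explicit `-b <suffix>` makes the DIT listing reproducible on hosts whose ldap.conf differs.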
Line 23: | Line 35: | ||
* To get rid of the error "Error trying to get a non-existant value (appearance, | * To get rid of the error "Error trying to get a non-existant value (appearance, | ||
* Uncomment und edit the line\\ '' | * Uncomment und edit the line\\ '' | ||
- | ==== Remarks | + | == Remarks == |
* When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, | * When creating //Posix groups//, the //gid// is preset and fixed by phpldapadmin, | ||
* The ldap adminstrator account is of the object class // | * The ldap adminstrator account is of the object class // | ||
- | ===== Configure nsswitch | + | === Configure OpenLDAP Logging |
+ | |||
+ | It should be done by // | ||
+ | |||
+ | olcLogLevel: | ||
+ | |||
+ | to confirm that // | ||
+ | |||
+ | === Enable ldapi access with apparmor === | ||
+ | |||
+ | If you get the error '' | ||
+ | |||
+ | aa-complain slapd | ||
+ | |||
+ | and try again to verify. If this helps, add the following lines to ''/ | ||
+ | |||
+ | / | ||
+ | |||
+ | In any case, make sure to re-enforce with | ||
+ | |||
+ | aa-enforce slapd | ||
+ | / | ||
+ | / | ||
+ | |||
+ | Only leave it in // | ||
+ | |||
+ | {{tag> | ||
+ | {{entry> | ||
+ | |||
+ | === Set password for cn=config === | ||
+ | |||
+ | To configure OpenLDAP you need to access it by // | ||
+ | |||
+ | <code ldif> | ||
+ | dn: olcDatabase={0}config, | ||
+ | changetype: modify | ||
+ | replace: olcRootPW | ||
+ | olcRootPW: <PW in Clear> | ||
+ | </ | ||
+ | |||
+ | and load it as //root// with((In case of errors, see above)) | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f < | ||
+ | |||
+ | __NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool // | ||
+ | |||
+ | ~ $ slappasswd | ||
+ | New password: | ||
+ | Re-enter new password: | ||
+ | {SSHA}Dine679cmHIezcn< | ||
+ | ~ $ | ||
+ | |||
+ | and paste it into the ldif file: | ||
+ | |||
+ | <code ldif> | ||
+ | dn: olcDatabase={0}config, | ||
+ | changetype: modify | ||
+ | replace: olcRootPW | ||
+ | olcRootPW: {SSHA}Dine679cmHIezcn< | ||
+ | </ | ||
+ | |||
+ | Afterwards you cann access the config by | ||
+ | |||
+ | ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config | ||
+ | |||
+ | (Finally found [[https:// | ||
+ | |||
+ | Of course you can skip setting the password and using external SASL authorization for '' | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config ' | ||
+ | |||
+ | as //root//. | ||
+ | === Enable " | ||
+ | |||
+ | 1) | ||
+ | su - | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif | ||
+ | |||
+ | '' | ||
+ | <code ldif enableMemberOf.ldif> | ||
+ | dn: cn=module, | ||
+ | objectClass: | ||
+ | cn: module | ||
+ | olcModuleLoad: | ||
+ | </ | ||
+ | 2) | ||
+ | su - | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif | ||
+ | |||
+ | '' | ||
+ | <code ldif configureMemberOf.ldif> | ||
+ | dn: olcOverlay={0}memberof, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | olcOverlay: memberof | ||
+ | olcMemberOfDangling: | ||
+ | olcMemberOfRefInt: | ||
+ | olcMemberOfGroupOC: | ||
+ | olcMemberOfMemberAD: | ||
+ | olcMemberOfMemberOfAD: | ||
+ | </ | ||
+ | |||
+ | :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in // | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | ||
+ | |||
+ | as //root//. | ||
+ | |||
+ | __References__: | ||
+ | |||
+ | * https:// | ||
+ | === Write olcAccess.ldif in "human readable" | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L ' | ||
+ | | sed -e '/^dn: / | ||
+ | |||
+ | or | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L ' | ||
+ | |||
+ | <file sed olcAccess.sed> | ||
+ | #!/bin/sed -f | ||
+ | /^dn: /{ | ||
+ | s/ | ||
+ | h | ||
+ | d | ||
+ | } | ||
+ | / | ||
+ | s/ by /\n by /gi | ||
+ | H | ||
+ | s/^.*$// | ||
+ | x | ||
+ | s/ | ||
+ | p | ||
+ | d | ||
+ | } | ||
+ | d | ||
+ | </ | ||
+ | |||
+ | [[docs: | ||
+ | ==== Client ==== | ||
+ | === Configure nsswitch | ||
Add '' | Add '' | ||
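Review bot: in the "Set password for cn=config" part, the verification command `ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config` passes the config admin password as a command-line argument, where it is visible to every local user in the process list and is kept in the shell history; use `-W` to be prompted instead, which is what the "Adding indexes" section of this same revision already does (`ldapsearch -D cn=config -W -b …`). That command also omits `-H`, so the simple bind goes to whatever URI ldap.conf defaults to; adding `-H ldapi:///` keeps the cleartext bind on the local socket, consistent with the rest of the page. The :!: note about `slappasswd` is the right fix for the `olcRootPW: <PW in Clear>` LDIF and could be moved ahead of the cleartext variant so readers do not apply the cleartext version first.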
Line 37: | Line 192: | ||
: | : | ||
- | ===== Configure PAM ===== | + | === Configure PAM === |
add '' | add '' | ||
Line 44: | Line 199: | ||
session required pam_mkhomedir.so | session required pam_mkhomedir.so | ||
- | ===== Configure OpenLDAP Logging ===== | + | === Override Home Directory settings |
- | It should be done by // | + | |
- | olcLogLevel: ACL stats stats2 shell | + | This will remove // |
- | to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials. | + | : |
- | ===== Set password for cn=config ===== | + | map passwd homeDirectory "/local/home/$uid" |
+ | : | ||
+ | (Found [[http:// | ||
- | To configure OpenLDAP you need to access it by // | ||
- | dn: olcDatabase={0}config, | + | ===== Self Service Password on Ubuntu 14.10 ===== |
- | changetype: modify | + | |
- | replace: olcRootPW | + | |
- | olcRootPW: <PW in Clear> | + | |
- | and load it with | + | * Download self-service-password_0.9-1_all.deb (or later) from http:// |
- | | + | |
+ | apt-get install php5-mcrypt'' | ||
+ | php5enmod mcrypt | ||
- | Afterwards you cann access the config by | + | * Edit //Apache// configuration: |
+ | |||
+ | < | ||
- | | + | |
+ | * (ldap_url) | ||
+ | * ldap_binddn | ||
+ | * ldap_bindpw | ||
+ | * ldap_base | ||
+ | * hash | ||
+ | * mail_from | ||
+ | * (notify_on_change) | ||
+ | * (debug) | ||
- | (Finally | + | / |
+ | / | ||
+ | |||
+ | ===== Change Loglevel of OpenLDAP ===== | ||
+ | |||
+ | Simply change attribute // | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif | ||
+ | |||
+ | with | ||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | or | ||
+ | |||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Adding indexes ===== | ||
+ | |||
+ | Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | ||
+ | |||
+ | ldapsearch -D cn=config -W -b " | ||
+ | |||
+ | This will also show you the indices already existing. Now create a file in //LDIF// format, using the database | ||
+ | |||
+ | <code ldif add_indices.ldif> | ||
+ | dn: olcDatabase={1}hdb, | ||
+ | changetype: modify | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: uid eq | ||
+ | - | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: cn eq | ||
+ | </ | ||
+ | |||
+ | Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif | ||
+ | |||
+ | ldapmodify -D cn=config -W -f add_indices.ldif | ||
+ | |||
+ | ===== References & Credits ===== | ||
+ | * http:// | ||
+ | * https://www.openldap.org/ | ||
+ | * https:// | ||
+ | |||
+ | ====== | ||
{{tag> | {{tag> |
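Review bot: the `add_indices.ldif` file hardcodes `dn: olcDatabase={1}hdb,…` even though the two preceding `ldapsearch … -b "` lookups exist precisely to discover which database holds the tree; suggest stating that the `olcDatabase={N}<backend>` value must be copied from that output, since newer Ubuntu releases default to the `mdb` backend rather than `hdb` and the modify would otherwise fail with "No such object". In the "Self Service Password" section, `ldap_bindpw` ends up in cleartext in the PHP configuration, so the documentation should recommend a dedicated bind DN whose rights are limited by `olcAccess` to what the tool needs, plus restrictive file permissions on that config, rather than reusing the directory admin account. Finally, the two "Change Loglevel" blocks are both labelled `config.ldif`; giving them distinct file names avoids one overwriting the other when readers copy both.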
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter