docs:tips_n_tricks:ldap.html
docs:tips_n_tricks:ldap.html [09.10.2015 16:22 CEST] – [Password Self Service on Ubuntu 14.10] peter | docs:tips_n_tricks:ldap.html [27.02.2024 23:32 CET] (current) – [Write olcAccess.ldif in "human readable" format from actual config] peter | ||
Line 5: | Line 5: | ||
ldapsearch [-h hostname] -D " | ldapsearch [-h hostname] -D " | ||
- | * '' | + | * '' |
* '' | * '' | ||
* '' | * '' | ||
Line 11: | Line 11: | ||
--- //Courtesy of Oliver D. 2010/05/04 15:04// | --- //Courtesy of Oliver D. 2010/05/04 15:04// | ||
+ | ===== Read cn=config ===== | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no ' | ||
+ | | sed -e '/ | ||
+ | | less -S | ||
+ | |||
+ | ===== Get DIT ===== | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \ | ||
+ | | sed -ne ' | ||
+ | | sort -u | ||
===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== | ===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== | ||
==== Server ==== | ==== Server ==== | ||
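Review bot: in the "Get DIT" command the filter `(objectclass=*)` is passed unquoted, so an interactive shell stops with a syntax error at the `(` before ldapsearch ever runs; quote it as `'(objectclass=*)'`, as the "Read cn=config" command above already does with its filter. The same command also gives no `-b` base, so it only works where a BASE is set in ldap.conf; passing the suffix explicitly with `-b` makes the snippet self-contained and avoids silently searching the wrong tree.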
Line 31: | Line 42: | ||
=== Configure OpenLDAP Logging === | === Configure OpenLDAP Logging === | ||
- | It should be done by // | + | It should be done by // |
olcLogLevel: | olcLogLevel: | ||
- | to confirm that // | + | to confirm that // |
+ | |||
+ | === Enable ldapi access with apparmor === | ||
+ | |||
+ | If you get the error '' | ||
+ | |||
+ | aa-complain slapd | ||
+ | |||
+ | and try again to verify. If this helps, add the following lines to ''/ | ||
+ | |||
+ | / | ||
+ | |||
+ | In any case, make sure to re-enforce with | ||
+ | |||
+ | aa-enforce slapd | ||
+ | / | ||
+ | / | ||
+ | |||
+ | Only leave it in // | ||
+ | |||
+ | {{tag> | ||
+ | {{entry> | ||
=== Set password for cn=config === | === Set password for cn=config === | ||
- | To configure OpenLDAP you need to access it by // | + | To configure OpenLDAP you need to access it by // |
- | | + | <code ldif> |
- | changetype: modify | + | dn: olcDatabase={0}config, |
- | replace: olcRootPW | + | changetype: modify |
- | olcRootPW: <PW in Clear> | + | replace: olcRootPW |
+ | olcRootPW: <PW in Clear> | ||
+ | </code> | ||
- | and load it with | + | and load it as // |
ldapmodify -Y EXTERNAL -H ldapi:/// -f < | ldapmodify -Y EXTERNAL -H ldapi:/// -f < | ||
+ | |||
+ | __NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool // | ||
+ | |||
+ | ~ $ slappasswd | ||
+ | New password: | ||
+ | Re-enter new password: | ||
+ | {SSHA}Dine679cmHIezcn< | ||
+ | ~ $ | ||
+ | |||
+ | and paste it into the ldif file: | ||
+ | |||
+ | <code ldif> | ||
+ | dn: olcDatabase={0}config, | ||
+ | changetype: modify | ||
+ | replace: olcRootPW | ||
+ | olcRootPW: {SSHA}Dine679cmHIezcn< | ||
+ | </ | ||
Afterwards you cann access the config by | Afterwards you cann access the config by | ||
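Review bot: the first olcRootPW LDIF writes `<PW in Clear>` into cn=config and the cleartext-in-config problem is only acknowledged in the NOTE that follows; since the slappasswd variant with the `{SSHA}` hash is already on the page, make that the only example and drop the cleartext one. The `.ldif` loaded with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` also keeps a copy of whatever was pasted into it, so the section should say to delete it (or restrict its permissions) after loading. Minor: "cann" on the last line is a typo for "can".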
Line 55: | Line 107: | ||
(Finally found [[https:// | (Finally found [[https:// | ||
+ | Of course you can skip setting the password and using external SASL authorization for '' | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config ' | ||
+ | | ||
+ | as //root//. | ||
+ | === Enable " | ||
+ | |||
+ | 1) | ||
+ | su - | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif | ||
+ | |||
+ | '' | ||
+ | <code ldif enableMemberOf.ldif> | ||
+ | dn: cn=module, | ||
+ | objectClass: | ||
+ | cn: module | ||
+ | olcModuleLoad: | ||
+ | </ | ||
+ | 2) | ||
+ | su - | ||
+ | ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif | ||
+ | |||
+ | '' | ||
+ | <code ldif configureMemberOf.ldif> | ||
+ | dn: olcOverlay={0}memberof, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | olcOverlay: memberof | ||
+ | olcMemberOfDangling: | ||
+ | olcMemberOfRefInt: | ||
+ | olcMemberOfGroupOC: | ||
+ | olcMemberOfMemberAD: | ||
+ | olcMemberOfMemberOfAD: | ||
+ | </ | ||
+ | |||
+ | :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in // | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | ||
+ | |||
+ | as //root//. | ||
+ | |||
+ | __References__: | ||
+ | |||
+ | * https:// | ||
+ | === Write olcAccess.ldif in "human readable" | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L ' | ||
+ | | sed -e '/^dn: / | ||
+ | |||
+ | or | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L ' | ||
+ | |||
+ | <file sed olcAccess.sed> | ||
+ | #!/bin/sed -f | ||
+ | /^dn: /{ | ||
+ | s/ | ||
+ | h | ||
+ | d | ||
+ | } | ||
+ | / | ||
+ | s/ by /\n by /gi | ||
+ | H | ||
+ | s/^.*$// | ||
+ | x | ||
+ | s/ | ||
+ | p | ||
+ | d | ||
+ | } | ||
+ | d | ||
+ | </ | ||
+ | |||
+ | [[docs: | ||
==== Client ==== | ==== Client ==== | ||
=== Configure nsswitch === | === Configure nsswitch === | ||
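Review bot: the memberof section should document that the overlay only maintains `memberOf` for membership changes made after it is loaded; groups that already exist when `configureMemberOf.ldif` is applied have to be re-added (or their member values rewritten) before the verification `ldapsearch` will show any `memberOf` values, otherwise the "I assume this depends on where your LDAP tree data is stored" note will send readers looking in the wrong place. Minor: `olcAccess.sed` relies on GNU sed (the `i` flag and the `\n` in the replacement of `s/ by /\n by /gi`), which is worth stating next to the `#!/bin/sed -f` shebang.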
Line 83: | Line 210: | ||
(Found [[http:// | (Found [[http:// | ||
- | ===== Password | + | |
+ | ===== Self Service | ||
* Download self-service-password_0.9-1_all.deb (or later) from http:// | * Download self-service-password_0.9-1_all.deb (or later) from http:// | ||
Line 93: | Line 221: | ||
* Edit //Apache// configuration: | * Edit //Apache// configuration: | ||
- | Alias /passwd / | + | |
* Edit / | * Edit / | ||
Line 107: | Line 235: | ||
/ | / | ||
/ | / | ||
- | ====== | + | |
+ | ===== Change Loglevel of OpenLDAP | ||
+ | |||
+ | Simply change attribute // | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif | ||
+ | |||
+ | with | ||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | or | ||
+ | |||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Adding indexes ===== | ||
+ | |||
+ | Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | ||
+ | |||
+ | ldapsearch -D cn=config -W -b " | ||
+ | |||
+ | This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn: | ||
+ | |||
+ | <code ldif add_indices.ldif> | ||
+ | dn: olcDatabase={1}hdb, | ||
+ | changetype: modify | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: uid eq | ||
+ | - | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: cn eq | ||
+ | </ | ||
+ | |||
+ | Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif | ||
+ | |||
+ | ldapmodify -D cn=config -W -f add_indices.ldif | ||
+ | |||
+ | ===== References & Credits ===== | ||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ====== | ||
{{tag> | {{tag> |
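Review bot: "Change Loglevel of OpenLDAP" repeats what "Configure OpenLDAP Logging" earlier on this page already covers (replacing `olcLogLevel` on `cn=config` via ldapmodify); fold the two config.ldif variants into that section instead of adding a second one. In "Adding indexes" the footnote about `-Y EXTERNAL` working only as local root versus `-D cn=config -W` asking for a password is pasted twice; state it once at the first command pair and refer back from the ldapmodify pair.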
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter