docs:tips_n_tricks:ldap.html
Differences
This shows you the differences between two versions of the page.
docs:tips_n_tricks:ldap.html [10.07.2018 17:03 CEST] – [_] peter | docs:tips_n_tricks:ldap.html [27.02.2024 17:30 CET] – [Write olcAccess.ldif in "human readable" format from actual config] peter | ||
---|---|---|---|
Line 5: | Line 5: | ||
ldapsearch [-h hostname] -D " | ldapsearch [-h hostname] -D " | ||
- | * '' | + | * '' |
* '' | * '' | ||
* '' | * '' | ||
Line 11: | Line 11: | ||
--- //Courtesy of Oliver D. 2010/05/04 15:04// | --- //Courtesy of Oliver D. 2010/05/04 15:04// | ||
+ | ===== Read cn=config ===== | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no ' | ||
+ | | sed -e '/ | ||
+ | | less -S | ||
+ | |||
+ | ===== Get DIT ===== | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \ | ||
+ | | sed -ne ' | ||
+ | | sort -u | ||
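Review bot: the filter in the "Get DIT" command is unquoted ("ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn"), so the shell rejects the parentheses with a syntax error before ldapsearch ever runs; quote it as '(objectclass=*)', the way the "Read cn=config" line above quotes its filter, and pass an explicit "-b <suffix>" so the result does not depend on whatever BASE happens to be set in ldap.conf.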
===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== | ===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 ===== | ||
==== Server ==== | ==== Server ==== | ||
Line 31: | Line 42: | ||
=== Configure OpenLDAP Logging === | === Configure OpenLDAP Logging === | ||
- | It should be done by // | + | It should be done by // |
olcLogLevel: | olcLogLevel: | ||
- | to confirm that // | + | to confirm that // |
=== Enable ldapi access with apparmor === | === Enable ldapi access with apparmor === | ||
Line 60: | Line 71: | ||
=== Set password for cn=config === | === Set password for cn=config === | ||
- | To configure OpenLDAP you need to access it by // | + | To configure OpenLDAP you need to access it by // |
- | | + | <code ldif> |
- | changetype: modify | + | dn: olcDatabase={0}config, |
- | replace: olcRootPW | + | changetype: modify |
- | olcRootPW: <PW in Clear> | + | replace: olcRootPW |
+ | olcRootPW: <PW in Clear> | ||
+ | </code> | ||
and load it as //root// with((In case of errors, see above)) | and load it as //root// with((In case of errors, see above)) | ||
Line 71: | Line 84: | ||
ldapmodify -Y EXTERNAL -H ldapi:/// -f < | ldapmodify -Y EXTERNAL -H ldapi:/// -f < | ||
- | __NOTE__: :!: This will propably | + | __NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool // |
~ $ slappasswd | ~ $ slappasswd | ||
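Review bot: the NOTE covers the password ending up in the config database, but the ldif file written in the previous step ("olcRootPW: <PW in Clear>") also stays on disk after ldapmodify has loaded it; the text should say to delete that file afterwards, or better, skip the cleartext variant entirely and go straight to the slappasswd hash shown in the next step.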
Line 81: | Line 94: | ||
and paste it into the ldif file: | and paste it into the ldif file: | ||
- | | + | <code ldif> |
- | changetype: modify | + | dn: olcDatabase={0}config, |
- | replace: olcRootPW | + | changetype: modify |
- | olcRootPW: {SSHA}Dine679cmHIezcn< | + | replace: olcRootPW |
+ | olcRootPW: {SSHA}Dine679cmHIezcn< | ||
+ | </ | ||
Afterwards you cann access the config by | Afterwards you cann access the config by | ||
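Review bot: typo in the unchanged context line "Afterwards you cann access the config by": "cann" should be "can". It would also help to say what the pasted value is: slappasswd produces a {SSHA} value by default, i.e. a salted SHA-1 hash, which is what keeps the cleartext out of the config database as the earlier NOTE asks.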
Line 92: | Line 107: | ||
(Finally found [[https:// | (Finally found [[https:// | ||
- | Of course you can skip setting the password and using external SASL authorization for '' | + | Of course you can skip setting the password and using external SASL authorization for '' |
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config ' | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config ' | ||
Line 104: | Line 119: | ||
'' | '' | ||
- | + | <code ldif enableMemberOf.ldif> | |
- | dn: cn=module, | + | dn: cn=module, |
- | objectClass: | + | objectClass: |
- | cn: module | + | cn: module |
- | olcModuleLoad: | + | olcModuleLoad: |
+ | </ | ||
2) | 2) | ||
su - | su - | ||
Line 115: | Line 130: | ||
'' | '' | ||
- | | + | <code ldif configureMemberOf.ldif> |
- | objectClass: | + | dn: olcOverlay={0}memberof, |
- | objectClass: | + | objectClass: |
- | objectClass: | + | objectClass: |
- | objectClass: | + | objectClass: |
- | olcOverlay: memberof | + | objectClass: |
- | olcMemberOfDangling: | + | olcOverlay: memberof |
- | olcMemberOfRefInt: | + | olcMemberOfDangling: |
- | olcMemberOfGroupOC: | + | olcMemberOfRefInt: |
- | olcMemberOfMemberAD: | + | olcMemberOfGroupOC: |
- | olcMemberOfMemberOfAD: | + | olcMemberOfMemberAD: |
+ | olcMemberOfMemberOfAD: | ||
+ | </ | ||
- | :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //lcDatabase={1}hdb, | + | :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //olcDatabase={1}hdb, |
- | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | + | ldapsearch -Y EXTERNAL -H ldapi:/// -b " |
as //root//. | as //root//. | ||
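Review bot: "dn: olcOverlay={0}memberof,olcDatabase={1}hdb,..." pins the overlay at position 0; if another overlay is already attached to that database, inserting at {0} shifts the existing one, so either run the ldapsearch given on the line before first and pick a free index, or omit the "{0}" and let slapd assign the next one. Since the text already says the database location is an assumption, it is worth adding that on releases newer than 14.04 the default backend is mdb, so the dn is usually olcDatabase={1}mdb,cn=config rather than olcDatabase={1}hdb,cn=config.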
Line 136: | Line 153: | ||
* https:// | * https:// | ||
+ | === Write olcAccess.ldif in "human readable" | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L ' | ||
+ | | sed -n -e '/^dn: / | ||
+ | | ||
+ | [[docs: | ||
==== Client ==== | ==== Client ==== | ||
=== Configure nsswitch === | === Configure nsswitch === | ||
Line 164: | Line 187: | ||
(Found [[http:// | (Found [[http:// | ||
- | ===== Password Self Service on Ubuntu 14.10 ===== | + | |
===== Self Service Password on Ubuntu 14.10 ===== | ===== Self Service Password on Ubuntu 14.10 ===== | ||
Line 175: | Line 198: | ||
* Edit //Apache// configuration: | * Edit //Apache// configuration: | ||
- | Alias /passwd / | + | |
* Edit / | * Edit / | ||
Line 189: | Line 212: | ||
/ | / | ||
/ | / | ||
+ | | ||
+ | ===== Change Loglevel of OpenLDAP ===== | ||
+ | |||
+ | Simply change attribute // | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif | ||
+ | |||
+ | with | ||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | or | ||
+ | |||
+ | <code ldif config.ldif> | ||
+ | dn: cn=config | ||
+ | changeType: modify | ||
+ | replace: olcLogLevel | ||
+ | olcLogLevel: | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Adding indexes ===== | ||
+ | |||
+ | Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapsearch -Y EXTERNAL -H ldapi:/// -b " | ||
+ | |||
+ | ldapsearch -D cn=config -W -b " | ||
+ | |||
+ | This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn: | ||
+ | |||
+ | <code ldif add_indices.ldif> | ||
+ | dn: olcDatabase={1}hdb, | ||
+ | changetype: modify | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: uid eq | ||
+ | - | ||
+ | add: olcDbIndex | ||
+ | olcDbIndex: cn eq | ||
+ | </ | ||
+ | |||
+ | Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): | ||
+ | |||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif | ||
+ | |||
+ | ldapmodify -D cn=config -W -f add_indices.ldif | ||
+ | |||
+ | ===== References & Credits ===== | ||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
====== | ====== | ||
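Review bot: the two config.ldif examples in "Change Loglevel of OpenLDAP" write "changeType: modify" while every other LDIF on the page writes "changetype: modify"; use the lowercase spelling consistently. In "Adding indexes", the two "add: olcDbIndex" change records separated by "-" can be collapsed into a single "add: olcDbIndex" with both "olcDbIndex: uid eq" and "olcDbIndex: cn eq" as values, which reads more clearly, and the section should close by re-running the ldapsearch given at the top of the section so the reader can confirm the new olcDbIndex values appear alongside the existing ones. Both config.ldif blocks also carry the same file name, which is confusing when the reader is expected to keep only one of them.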
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter