Differences

This shows you the differences between two versions of the page.

--- docs:tips_n_tricks:ldap.html [10.07.2018 17:16 CEST] – [Self Service Password on Ubuntu 14.10] peter
+++ docs:tips_n_tricks:ldap.html [10.07.2018 17:47 CEST] – peter
@@ Line 5: / Line 5: @@
   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
-  * ''-w '?' '' will prompt for a password (without echo)
+  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations, when using OpenLDAP utilities, use ''-W'' instead))
   * ''-s scope'' search scope (base, one, or sub)
   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)
@@ Line 31: / Line 31: @@
 === Configure OpenLDAP Logging ===
-It should be done by //ldapmodify//, but as //ldapsearch// did not work, I modified ''/etc/ldap/slapd.d/cn=config.ldif''
+It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif''
   olcLogLevel: ACL stats stats2 shell
-to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.
+to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels))
 === Enable ldapi access with apparmor ===
@@ Line 60: / Line 60: @@
 === Set password for cn=config ===
-To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN cn=root, which does not have a known password by default. To set it, create an ldif file
+To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//)) , which does not have a known password by default. To set it, create an ldif file
-  dn: olcDatabase={0}config,cn=config
+<code ldif>
-  changetype: modify
+dn: olcDatabase={0}config,cn=config
-  replace: olcRootPW
+changetype: modify
-  olcRootPW: <PW in Clear>
+replace: olcRootPW
+olcRootPW: <PW in Clear>
+</code>
 and load it as //root// with((In case of errors, see above))
@@ Line 71: / Line 73: @@
   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
-__NOTE__: :!: This will propably leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:
+__NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:
    ~ $ slappasswd
@@ Line 81: / Line 83: @@
 and paste it into the ldif file:
-  dn: olcDatabase={0}config,cn=config
+<code ldif>
-  changetype: modify
+dn: olcDatabase={0}config,cn=config
-  replace: olcRootPW
+changetype: modify
-  olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
+replace: olcRootPW
+olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
+</code>
 Afterwards you cann access the config by
@@ Line 92: / Line 96: @@
 (Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])
-Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by runnint:
+Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by running:
   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'
@@ Line 104: / Line 108: @@
 ''enableMemberOf.ldif'':
+<code ldif enableMemberOf.ldif>
-  dn: cn=module,cn=config
+dn: cn=module,cn=config
-  objectClass: olcModuleList
+objectClass: olcModuleList
-  cn: module
+cn: module
-  olcModuleLoad: memberof
+olcModuleLoad: memberof
+</code>
 )
   su -
@@ Line 115: / Line 119: @@
 ''configureMemberOf.ldif'':
-  dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+<code ldif configureMemberOf.ldif>
-  objectClass: olcConfig
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
-  objectClass: olcMemberOf
+objectClass: olcConfig
-  objectClass: olcOverlayConfig
+objectClass: olcMemberOf
-  objectClass: top
+objectClass: olcOverlayConfig
-  olcOverlay: memberof
+objectClass: top
-  olcMemberOfDangling: ignore
+olcOverlay: memberof
-  olcMemberOfRefInt: TRUE
+olcMemberOfDangling: ignore
-  olcMemberOfGroupOC: groupOfNames
+olcMemberOfRefInt: TRUE
-  olcMemberOfMemberAD: member
+olcMemberOfGroupOC: groupOfNames
-  olcMemberOfMemberOfAD: memberOf
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+</code>
 :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //lcDatabase={1}hdb,cn=config//. You check it with
@@ Line 175: / Line 181: @@
   * Edit //Apache// configuration:
-  Alias /passwd /usr/share/self-service-password/
+  <code>Alias /passwd /usr/share/self-service-password/</code>
   * Edit /usr/share/self-service-password/conf/config.ini.php
@@ Line 214: / Line 220: @@
-==== References & Credits ====
+===== References & Credits =====
   * http://www.zytrax.com/books/ldap/ch6/slapd-config.html
+  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config
+  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
 ======  ======