docs:tips_n_tricks:ldap.html

docs:tips_n_tricks:ldap.html [10.07.2018 17:16 CEST] – [Self Service Password on Ubuntu 14.10] peter
docs:tips_n_tricks:ldap.html [15.02.2019 20:55 CET] – [References & Credits] peter
Line 5: Line 5:
   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
  
-  * ''-w '?' '' will prompt for a password (without echo)+  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations, when using OpenLDAP utilities, use ''-W'' instead)
   * ''-s scope'' search scope (base, one, or sub)   * ''-s scope'' search scope (base, one, or sub)
   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)
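Review bot: The footnote added to the `-w '?'` bullet is not closed: it opens with `((` but ends with a single `)`, so DokuWiki will not render it as a footnote and the text will spill into the list item; end it with `instead))`. The substance is right, OpenLDAP's client tools prompt for the bind password with `-W`, and `-w '?'` is only the IBM convention the footnote describes.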
Line 31: Line 31:
 === Configure OpenLDAP Logging === === Configure OpenLDAP Logging ===
  
-It should be done by //ldapmodify//, but as //ldapsearch// did not work, I modified ''/etc/ldap/slapd.d/cn=config.ldif''+It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif''
  
   olcLogLevel: ACL stats stats2 shell   olcLogLevel: ACL stats stats2 shell
  
-to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.+to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels))
  
 === Enable ldapi access with apparmor === === Enable ldapi access with apparmor ===
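Review bot: Both new footnotes link to section anchors that DokuWiki derives from heading text. `#set_password_for_cn_config` matches the `=== Set password for cn=config ===` heading later in this diff, but no `Change Loglevel of OpenLDAP` heading appears anywhere in the changed regions, so confirm that a section with exactly that title exists or `#change_loglevel_of_openldap` will dead-end. While touching this paragraph it is worth saying that editing `cn=config.ldif` under `slapd.d` by hand is only safe with slapd stopped, which is the reason the text prefers `ldapmodify`.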
Line 60: Line 60:
 === Set password for cn=config === === Set password for cn=config ===
  
-To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN cn=root, which does not have a known password by default. To set it, create an ldif file+To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//)) , which does not have a known password by default. To set it, create an ldif file
  
-  dn: olcDatabase={0}config,cn=config +<code ldif> 
-  changetype: modify +dn: olcDatabase={0}config,cn=config 
-  replace: olcRootPW +changetype: modify 
-  olcRootPW: <PW in Clear>+replace: olcRootPW 
 +olcRootPW: <PW in Clear
 +</code>
  
 and load it as //root// with((In case of errors, see above)) and load it as //root// with((In case of errors, see above))
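Review bot: The closing `>` of the placeholder was dropped when the block was re-fenced: `olcRootPW: <PW in Clear` should read `olcRootPW: <PW in Clear>` as in the removed line, otherwise the unbalanced bracket reads like part of the value. Minor: there is a stray space before the comma after the footnote (`)) ,`). Switching the bind DN from `cn=root` to `cn=config` is consistent with the entry being modified, `olcDatabase={0}config,cn=config`, and the footnote that `olcRootDN` may have been overridden is a useful caveat.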
Line 71: Line 73:
   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
  
-__NOTE__: :!: This will propably leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:+__NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:
  
    ~ $ slappasswd    ~ $ slappasswd
Line 81: Line 83:
 and paste it into the ldif file: and paste it into the ldif file:
  
-  dn: olcDatabase={0}config,cn=config +<code ldif> 
-  changetype: modify +dn: olcDatabase={0}config,cn=config 
-  replace: olcRootPW +changetype: modify 
-  olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx+replace: olcRootPW 
 +olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx 
 +</code>
  
 Afterwards you cann access the config by  Afterwards you cann access the config by 
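Review bot: The example hash `{SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx` contains a `<`, which is not a base64 character, so it cannot be genuine `slappasswd` output; either paste a real generated value or mark it as a dummy. Tightening `propably leave` to `will leave` is right, and the same applies to the LDIF file itself: the cleartext (or hashed) value sits in `<file>` after `ldapmodify -f <file>` runs, so say that the file should be removed afterwards. The unchanged line `Afterwards you cann access` still carries the typo `cann`.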
Line 92: Line 96:
 (Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]]) (Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])
  
-Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by runnint:+Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by running:
  
   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'
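Review bot: `runnint` was fixed but `ldapsearh` on the same line is still misspelled; it should be `ldapsearch`, matching the command below. The sentence also reads as if both the password and SASL are skipped; it means skip setting the password by using SASL EXTERNAL, so `skip setting the password and use external SASL authorization for ''ldapsearch'' by running:` is clearer.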
Line 104: Line 108:
  
 ''enableMemberOf.ldif'': ''enableMemberOf.ldif'':
- +<code ldif enableMemberOf.ldif> 
-  dn: cn=module,cn=config +dn: cn=module,cn=config 
-  objectClass: olcModuleList +objectClass: olcModuleList 
-  cn: module +cn: module 
-  olcModuleLoad: memberof +olcModuleLoad: memberof 
 +</code>
 2)  2) 
   su -    su - 
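Review bot: The new `enableMemberOf.ldif` block has no `changetype: add`, so it must be loaded with `ldapadd` (or `ldapmodify -a`); a plain `ldapmodify -f` rejects an entry without a changetype. The command that applies it under `2)` lies outside this hunk, so check that it uses the right tool, or add `changetype: add` after the `dn:` line so either works.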
Line 115: Line 119:
  
 ''configureMemberOf.ldif'': ''configureMemberOf.ldif'':
-  dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config +<code ldif configureMemberOf.ldif> 
-  objectClass: olcConfig +dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config 
-  objectClass: olcMemberOf +objectClass: olcConfig 
-  objectClass: olcOverlayConfig +objectClass: olcMemberOf 
-  objectClass: top +objectClass: olcOverlayConfig 
-  olcOverlay: memberof +objectClass: top 
-  olcMemberOfDangling: ignore +olcOverlay: memberof 
-  olcMemberOfRefInt: TRUE +olcMemberOfDangling: ignore 
-  olcMemberOfGroupOC: groupOfNames +olcMemberOfRefInt: TRUE 
-  olcMemberOfMemberAD: member +olcMemberOfGroupOC: groupOfNames 
-  olcMemberOfMemberOfAD: memberOf+olcMemberOfMemberAD: member 
 +olcMemberOfMemberOfAD: memberOf 
 +</code>
  
 :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //lcDatabase={1}hdb,cn=config//. You check it with :!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //lcDatabase={1}hdb,cn=config//. You check it with
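Review bot: The context line after the block still reads `//lcDatabase={1}hdb,cn=config//`, missing the leading `o` of `olcDatabase`; since readers are told to verify that exact DN, fix it in the same edit. Like `enableMemberOf.ldif`, this entry lacks `changetype: add` and needs `ldapadd` or `ldapmodify -a`. The `{1}hdb` part is also install-specific (newer OpenLDAP packages typically create the data database as `{1}mdb`), which is exactly why the check the following sentence asks for matters.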
Line 175: Line 181:
   * Edit //Apache// configuration:   * Edit //Apache// configuration:
    
-  Alias /passwd /usr/share/self-service-password/+  <code>Alias /passwd /usr/share/self-service-password/</code>
  
   * Edit /usr/share/self-service-password/conf/config.ini.php   * Edit /usr/share/self-service-password/conf/config.ini.php
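Review bot: Placing a block-level `<code>` tag on the indented bullet line is likely to break the surrounding list rendering in DokuWiki; the previous two-space preformatted line already rendered the `Alias` directive as code, or use inline `''Alias /passwd /usr/share/self-service-password/''` inside the bullet. Since the alias serves the whole application directory, including `conf/config.ini.php` with the LDAP bind credentials mentioned in the next bullet, the Apache config should be checked so that the file is executed by PHP and never delivered as plain text.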
Line 214: Line 220:
  
  
-==== References & Credits ====+===== Adding indexes ===== 
 + 
 +Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +  ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix 
 + 
 +This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn: 
 + 
 +<code ldif add_indices.ldif> 
 +dn: olcDatabase={1}hdb,cn=config 
 +changetype: modify 
 +add: olcDbIndex 
 +olcDbIndex: uid eq 
 +
 +add: olcDbIndex 
 +olcDbIndex: cn eq 
 +</code> 
 + 
 +Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)): 
 + 
 +  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif 
 + 
 +  ldapmodify -D cn=config -W          -f add_indices.ldif 
 + 
 +===== References & Credits =====
   * http://www.zytrax.com/books/ldap/ch6/slapd-config.html   * http://www.zytrax.com/books/ldap/ch6/slapd-config.html
 +  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config
 +  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
  
 ======  ====== ======  ======
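Review bot: `add_indices.ldif` appears to be missing the `-` separator between the two `add: olcDbIndex` operations (the diff shows an empty added line after `olcDbIndex: uid eq`). LDIF requires a lone `-` between modifications of one entry, and an empty line ends the entry, so as shown the second `add:` would be parsed as a new entry without a `dn:` and `ldapmodify` would fail; put `-` on that line. Also, `References & Credits` moved from `====` to `=====` and the new `Adding indexes` heading uses `=====` while the other sections in this diff use `===`; keep the levels consistent. The `-D cn=config -W` variants rely on the `olcRootPW` set earlier on the page, which is worth saying in the footnote.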
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter
