Count the person entries below a base DN:

  # -LLL suppresses the comment lines ("# base <...>", "# filter: ...") that also contain "=" and would inflate the count;
  # counting "^dn:" lines counts exactly one line per entry
  ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub -LLL 'objectclass=person' dn | grep -c '^dn:'

-w '?' will prompt for a password (without echo)1)
-s scope: search scope (base, one, or sub)
dn is a dummy output attribute (the distinguished name is printed in any case)
Courtesy of Oliver D. 2010/05/04 15:04

1) or use -W instead
Dump the whole cn=config tree unwrapped, with the "by" clauses of the ACLs and the parameters of olcSyncrepl split onto their own lines for reading:

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \
    | sed -e '/^olcAccess: /s/ by /\n by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n \1=/gi' \
    | less -S

List the distinct parent DNs (the containers) of all entries below the default search base from /etc/ldap/ldap.conf (add -b <suffix> to search another base; the filter must be quoted, and -o ldif-wrap=no keeps long DNs on one line so the sed expression sees them whole):

  ldapsearch -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no '(objectclass=*)' dn \
    | sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp' \
    | sort -u
  apt-get install slapd phpldapadmin ldap-auth-config

Set

  $servers->setValue('server','base',array('dc=example,dc=com'));

in /etc/phpldapadmin/config.php to make phpLDAPadmin use the base DN you configured on your LDAP server. See also /usr/share/phpldapadmin/lib/TemplateRender.php (Thanks).

Set

  $servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500));

in /etc/phpldapadmin/config.php to get a numerical uid range different from the one selected by local useradd. cn=… as well?
It should be done by ldapmodify, but as ldapsearch did not work2), I modified /etc/ldap/slapd.d/cn=config.ldif:

  olcLogLevel: ACL stats stats2 shell

to confirm that libpam_ldap.so did use the right accounts, DNs and credentials.3)
If you get the error

  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

when using the authentication options -Y EXTERNAL -H ldapi:///, this might be due to slapd's AppArmor profile. (First make sure slapd listens on the socket at all: SLAPD_SERVICES in /etc/default/slapd must include ldapi:///.) Run

  aa-complain slapd

and try again to verify. If this helps, add the following line to /etc/apparmor.d/local/usr.sbin.slapd:

  /run/slapd/ldapi rw,

In any case, make sure to re-enforce the profile and restart slapd:

  aa-enforce slapd
  /etc/init.d/slapd stop
  /etc/init.d/slapd start

Only leave it in complain mode (on your own responsibility) if you know what you're doing: in complain mode every access the profile would deny is merely logged, so slapd effectively runs unconfined.
To configure OpenLDAP you need to access it by ldapmodify with the bind DN cn=config4), which does not have a known password by default. To set it, create an LDIF file

  dn: olcDatabase={0}config,cn=config
  changetype: modify
  replace: olcRootPW
  olcRootPW: <PW in Clear>

and load it as root with5)

  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>

NOTE: This will leave the password in cleartext in the config files under /etc/ldap/slapd.d. To avoid this, use the CLI tool slappasswd to create a SSHA hash of the password. The output of the tool can be pasted directly into the LDIF file. Create the hash:

  ~ $ slappasswd
  New password:
  Re-enter new password:
  {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
  ~ $

and paste it into the LDIF file:

  dn: olcDatabase={0}config,cn=config
  changetype: modify
  replace: olcRootPW
  olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx

Afterwards you can access the config by

  ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config

Prefer -W (prompts for the password) or -y <file> (reads it from a file) over -w: a password given with -w is visible in the process list and ends up in the shell history. If the bind fails with invalid credentials, check which root DN the config database actually uses, i.e. the olcRootDN attribute of olcDatabase={0}config,cn=config; distributions may set it to something other than cn=config. (Finally found here)

Of course you can skip setting the password and use external SASL authorization for ldapsearch by running

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'

as root.
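The two points above, the hashed olcRootPW and the check of what the config database actually stores, as an added shell example (not code from the original page): make_rootpw_ldif builds the modify LDIF and refuses a cleartext value, audit_rootpw reads a cn=config dump and reports which databases keep their root password in cleartext. The config database DN olcDatabase={0}config,cn=config is assumed as on the page; the sample dump is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Assumptions: the config database is olcDatabase={0}config,cn=config, and
# the hash passed to make_rootpw_ldif comes from slappasswd.

# Return 0 if $1 carries one of the password schemes slappasswd can produce.
is_hashed_pw() {
  case "$1" in
    '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the LDIF that replaces olcRootPW of the config database with $1.
# Usage: make_rootpw_ldif "$(slappasswd)" > rootpw.ldif
make_rootpw_ldif() {
  if ! is_hashed_pw "$1"; then
    echo "make_rootpw_ldif: refusing to write a cleartext olcRootPW; hash it with slappasswd first" >&2
    return 1
  fi
  printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# Read an LDIF dump on stdin, e.g. from (as root)
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(olcRootPW=*)' olcRootDN olcRootPW
# and print "<database dn> <root dn> <verdict>" per database. Exit status 1 if
# any olcRootPW is stored in cleartext (no {SCHEME} prefix, or {CLEARTEXT}).
# Values ldapsearch had to base64-encode ("olcRootPW:: ...") are reported as
# such: decode them before judging.
audit_rootpw() {
  awk '
    function flush() {
      if (dn == "") return
      if (b64)                       verdict = "base64 (decode to inspect)"
      else if (pw == "")             verdict = "no olcRootPW"
      else if (toupper(substr(pw, 1, 11)) == "{CLEARTEXT}") { verdict = "CLEARTEXT"; bad = 1 }
      else if (substr(pw, 1, 1) == "{" && index(pw, "}") > 1) verdict = "hashed"
      else                           { verdict = "CLEARTEXT"; bad = 1 }
      printf "%s %s %s\n", dn, (rootdn == "" ? "-" : rootdn), verdict
      dn = ""; rootdn = ""; pw = ""; b64 = 0
    }
    /^dn: /         { flush(); dn = substr($0, 5) }
    /^olcRootDN: /  { rootdn = substr($0, 12) }
    /^olcRootPW:: / { b64 = 1 }
    /^olcRootPW: /  { pw = substr($0, 12) }
    END             { flush(); exit bad ? 1 : 0 }'
}

# Constructed sample of such a dump (not real data): the config database
# still has the cleartext password from the first LDIF above, the data
# database a slappasswd hash.
SAMPLE_DUMP='dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
olcRootPW: secret

dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}wP4u0b2mXk3YV5Q1o7c9hJv6lT8sF2eR0aZx
'

printf '%s' "$SAMPLE_DUMP" | audit_rootpw || echo "at least one root password is stored in cleartext"
```

audit_rootpw reports the olcRootDN next to each verdict on purpose: it is the DN you have to bind with for `ldapsearch -x -D ... -W`, and it is not necessarily cn=config.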
1) Load the memberof module (as root):

  ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif

enableMemberOf.ldif:

  dn: cn=module,cn=config
  objectClass: olcModuleList
  cn: module
  olcModuleLoad: memberof

2) Configure the overlay on the database that holds your tree (as root):

  ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif

configureMemberOf.ldif:

  dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
  objectClass: olcConfig
  objectClass: olcMemberOf
  objectClass: olcOverlayConfig
  objectClass: top
  olcOverlay: memberof
  olcMemberOfDangling: ignore
  olcMemberOfRefInt: TRUE
  olcMemberOfGroupOC: groupOfNames
  olcMemberOfMemberAD: member
  olcMemberOfMemberOfAD: memberOf

Two caveats: the overlay only maintains memberOf for group changes made after it is active, existing memberships are not backfilled; and it only works with DN-valued member attributes such as member of groupOfNames, so posixGroup entries with memberUid get no memberOf.

I assume this depends on where your LDAP tree data is stored; this example assumes it to be in olcDatabase={1}hdb,cn=config. You can list all database objects with their respective suffix by calling

  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix

as root.
Dump the olcAccess ACLs of every database as an LDIF that you can edit and replay with ldapmodify, one "by" clause per line. The continuation lines start with two spaces: LDIF strips one leading space when it unfolds a continuation line, so with a single space "by" would be glued to the preceding token ("*by self write") when the file is loaded.

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' \
    | sed -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h;d};/^olcAccess/{s/ by /\n  by /gi;H;s/^.*$//;x;s/^\nolcAccess/olcAccess/g;p;d};d'

or

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' | ./olcAcces.sed

with olcAcces.sed (GNU sed: it relies on "." matching the newlines inside the pattern space and on \n in the replacement):

  #!/bin/sed -f
  # dn line: build the record header, park it in the hold space, print nothing yet
  /^dn: /{
    s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/
    h
    d
  }
  # olcAccess line: fold the "by" clauses, append to the hold space, then print the
  # parked header (only for the first olcAccess of a database) together with the value
  /^olcAccess/{
    s/ by /\n  by /gi
    H
    s/^.*$//
    x
    s/^\nolcAccess/olcAccess/g
    p
    d
  }
  # everything else (other attributes, comments, blank lines) is dropped
  d
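The same transformation as an added awk example (not the page's own script): it runs on any POSIX awk instead of needing GNU sed, folds the "by" clauses onto two-space continuation lines so the result loads back unchanged, and is exercised on a constructed cn=config dump. It assumes the dump was produced with -o ldif-wrap=no, as above.

```shell
#!/bin/sh
# Added example, not part of the original page: olcAccess -> replayable modify
# LDIF in POSIX awk. Input must come from ldapsearch with -o ldif-wrap=no, so
# every olcAccess value sits on a single line.

# Read ldapsearch output on stdin; print one modify record per database that
# has olcAccess values. Databases without olcAccess produce no record.
olcaccess_to_ldif() {
  awk '
    /^dn: /        { dn = $0; header_done = 0; next }
    /^olcAccess: / {
      if (!header_done) {
        printf "\n%s\nchangetype: modify\nreplace: olcAccess\n", dn
        header_done = 1
      }
      # split " by " clauses onto folded lines, case-insensitively like sed s///gi;
      # two spaces: LDIF unfolding removes one, the other keeps "by" a separate token
      line = $0; lower = tolower(line); out = ""
      while ((i = index(lower, " by ")) > 0) {
        out = out substr(line, 1, i - 1) "\n  by "
        line = substr(line, i + 4); lower = substr(lower, i + 4)
      }
      print out line
    }'
}

# Constructed sample dump (not from a real server).
SAMPLE_CONFIG='# extended LDIF
#
# LDAPv3
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by self write by * read
'

printf '%s' "$SAMPLE_CONFIG" | olcaccess_to_ldif
```

Review the generated file before replaying it: `replace: olcAccess` overwrites the whole ACL list of that database, so a record that lost a line silently drops that rule.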
Add ldap to the list of methods in /etc/nsswitch.conf behind passwd and group:

  passwd: compat ldap
  group:  compat ldap

Add pam_mkhomedir.so to /etc/pam.d/common-session so that a home directory is created on first login:

  session required pam_mkhomedir.so

On Debian and Ubuntu that file is regenerated by pam-auth-update; keep the line outside the block it manages, or it is lost on the next update.
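The two edits above as an added, idempotent shell example (not from the original page), so the script can be re-run or driven by configuration management without appending "ldap" or the pam_mkhomedir line a second time. It works on the files given as arguments; the defaults mirror the page's paths, and the demo at the end only touches constructed copies in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumed paths: the
# nsswitch.conf and common-session files given as $1 (defaults as on the page).

# Append " ldap" to the passwd: and group: lines of the nsswitch.conf at $1
# unless ldap is already listed on that line. Other databases stay untouched.
# A line with no methods at all ("passwd:") is left alone as well.
ensure_nss_ldap() {
  f="${1:-/etc/nsswitch.conf}"
  for db in passwd group; do
    if grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|\$)" "$f"; then
      continue
    fi
    sed "s/^\($db:.*[^[:space:]]\)[[:space:]]*\$/\1 ldap/" "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  done
}

# Append the pam_mkhomedir line to the PAM file at $1 unless an uncommented
# pam_mkhomedir line is already present.
ensure_mkhomedir() {
  f="${1:-/etc/pam.d/common-session}"
  if grep -Eq '^[^#]*pam_mkhomedir\.so' "$f"; then
    return 0
  fi
  printf 'session required pam_mkhomedir.so skel=/etc/skel umask=0022\n' >> "$f"
}

# Demo on constructed copies (never touches /etc); running each function twice
# shows the second run is a no-op.
tmp=$(mktemp -d)
printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$tmp/nsswitch.conf"
printf '# constructed sample of /etc/pam.d/common-session\nsession required pam_unix.so\n' > "$tmp/common-session"
ensure_nss_ldap "$tmp/nsswitch.conf"; ensure_nss_ldap "$tmp/nsswitch.conf"
ensure_mkhomedir "$tmp/common-session"; ensure_mkhomedir "$tmp/common-session"
cat "$tmp/nsswitch.conf" "$tmp/common-session"
rm -r "$tmp"
```

After the real files are changed, `getent passwd <ldap user>` must return the LDAP entry; if it does not, check nsswitch.conf and the nslcd/nscd services before touching PAM.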
  apt-get install libpam-ldapd libnss-ldapd

This will remove libpam-ldap and libnss-ldap but install nslcd, which can override values from LDAP entries more flexibly. E.g. to give all users their home directories in /local/home instead of the value of the LDAP attribute homeDirectory, add this line to /etc/nslcd.conf and restart nslcd:

  map passwd homeDirectory "/local/home/$uid"

(Found here)
Install self-service-password:

  dpkg -i self-service-password_0.9-1_all.deb
  apt-get install php5-mcrypt
  php5enmod mcrypt

Add to the Apache configuration

  Alias /passwd /usr/share/self-service-password/

and restart Apache:

  /etc/init.d/apache2 stop
  /etc/init.d/apache2 start

Serve it over HTTPS only: users type their old and new password into this application.
Simply change the attribute olcLogLevel of the object cn=config by phpLDAPadmin or ldapmodify, using the credentials for the OLC6) access (by default the bind DN cn=config and the value of the attribute olcRootPW of the object olcDatabase={0}config,cn=config), or as root over the ldapi socket, e.g.

  ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

with

  dn: cn=config
  changetype: modify
  replace: olcLogLevel
  olcLogLevel: stats stats2 shell

or

  dn: cn=config
  changetype: modify
  replace: olcLogLevel
  olcLogLevel: none

The change takes effect immediately, without restarting slapd. The messages go to syslog (facility local4 by default), so watch /var/log/syslog or the journal while reproducing the problem, and switch back to none afterwards: the verbose levels log every operation and cost performance.
Find out the right suffix for your tree by either of the following lines7) (the second one needs -x for a simple bind, otherwise ldapsearch attempts a SASL bind and ignores -D):

  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix
  ldapsearch -x -D cn=config -W -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix

This will also show you the indices already existing. Now create a file in LDIF format, using the database found in the previous step for the dn:

  dn: olcDatabase={1}hdb,cn=config
  changetype: modify
  add: olcDbIndex
  olcDbIndex: uid eq
  -
  add: olcDbIndex
  olcDbIndex: cn eq

Apply it with either of the following commands8):

  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif
  ldapmodify -x -D cn=config -W -f add_indices.ldif

8) -W instead of -w <PW in Clear>: prompts for the password rather than passing it on the command line
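The two steps above, finding the database for a suffix in the ldapsearch output and writing add_indices.ldif, as an added shell example (not from the original page). It adds only the attributes that are not indexed yet, because slapd rejects an olcDbIndex value that already exists and the page's LDIF therefore fails on a server that already has "uid eq". The argument layout (suffix first, then "attr types" specs) is this script's own assumption, and the dump is constructed; on a real server pipe in the output of the first ldapsearch above, run with -o ldif-wrap=no.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Usage: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(olcSuffix=*)' olcDbIndex olcSuffix \
#          | make_index_ldif dc=example,dc=com "uid eq" "cn eq" > add_indices.ldif

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# $1 = attribute name (lower case), $2 = ",attr,attr,..." list of indexed attributes
is_indexed() {
  case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

make_index_ldif() {
  want=$(lower "$1"); shift
  # Reduce the dump to one line "dn|,attr1,attr2,..." for the database whose
  # olcSuffix matches (case-insensitively). An olcDbIndex value may list several
  # attributes ("cn,sn eq"); $2 already carries them comma-separated.
  db=$(awk -v want="$want" '
    function flush() { if (dn != "" && sfx == want) printf "%s|%s\n", dn, idx; dn = "" }
    /^dn: /         { flush(); dn = substr($0, 5); sfx = ""; idx = "" }
    /^olcSuffix: /  { sfx = tolower(substr($0, 12)) }
    /^olcDbIndex: / { idx = idx "," tolower($2) }
    END             { flush() }')
  if [ -z "$db" ]; then
    echo "make_index_ldif: no database with suffix $want in the dump" >&2
    return 1
  fi
  dn=${db%%|*}
  have=${db#*|}
  n=0
  for spec in "$@"; do
    is_indexed "$(lower "${spec%% *}")" "$have" || n=$((n + 1))
  done
  if [ "$n" -eq 0 ]; then
    echo "make_index_ldif: all requested attributes are already indexed on $dn" >&2
    return 2
  fi
  printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$dn"
  for spec in "$@"; do
    attr=$(lower "${spec%% *}")
    if is_indexed "$attr" "$have"; then
      # an attribute indexed with other types would need delete+add of its
      # olcDbIndex value; this script only reports it
      echo "make_index_ldif: $attr is already indexed on $dn, skipped" >&2
    else
      printf 'olcDbIndex: %s\n' "$spec"
    fi
  done
}

# Constructed sample of the ldapsearch output (not from a real server).
SAMPLE_DUMP='dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcDbIndex: objectClass eq
olcDbIndex: uid eq

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=test,dc=org
olcDbIndex: objectClass eq
'

printf '%s' "$SAMPLE_DUMP" | make_index_ldif dc=example,dc=com "uid eq" "cn eq" "mail eq,sub"
```

After loading the LDIF, confirm with the same ldapsearch that the new olcDbIndex values are present; if the server does not rebuild the new indexes on its own, stop slapd and run slapindex as the user slapd runs as.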