docs:tips_n_tricks:ldap.html (current revision 27.02.2024 23:32 CET by peter; earlier revision 31.07.2016 13:15 CEST)
  ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
  
  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations; with the OpenLDAP utilities use ''-W'' instead, since OpenLDAP's ''-w'' takes the literal password and would try to bind with "?"))
  * ''-s scope'' search scope (base, one, or sub)
  * ''dn'' is a dummy output attribute (the distinguished name is printed in any case)
  * ''grep -c ='' counts the ''dn:'' lines, i.e. the number of matching entries
  --- //Courtesy of Oliver D. 2010/05/04 15:04//
  
===== Read cn=config =====

As //root//, dump the whole online configuration unwrapped, with ''olcAccess'' and ''olcSyncrepl'' values broken into one clause per line:

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \
  | sed -e '/^olcAccess: /s/ by /\n  by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n  \1=/gi' \
  | less -S

''-o ldif-wrap=no'' matters: without it ldapsearch folds long values at 76 characters and the ''sed'' patterns miss the continuation lines. Note that ''olcSyncrepl'' values carry the replication ''credentials='' in clear, so do not paste this output into tickets or chats unredacted.

===== Get DIT =====

List the containers of the tree (every entry's parent DN, deduplicated). The filter must be quoted, otherwise the shell chokes on the parentheses; the search base is taken from ''BASE'' in ''ldap.conf'' unless you add ''-b'':

  ldapsearch -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no '(objectclass=*)' dn \
  | sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp' \
  | sort -u
===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 =====
==== Server ====
=== Configure OpenLDAP Logging ===
  
It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif'' by hand. If you do that, stop //slapd// first: the files under ''slapd.d'' are slapd's own database, and a hand-edited file no longer matches the ''CRC32'' checksum in its header, which //slaptest// and //slapd// will warn about on the next start.
  
  olcLogLevel: ACL stats stats2 shell
  
to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels))
  
=== Enable ldapi access with apparmor ===
=== Set password for cn=config ===
  
To configure OpenLDAP you need to access it by //ldapmodify// with the Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//; check it as //root// with ''ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={0}config,cn=config olcRootDN'')), which does not have a known password by default. To set it, create an ldif file

<code ldif>
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <PW in Clear>
</code>
  
and load it as //root// with((In case of errors, see above))
  
  ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
 +
__NOTE__: :!: This will leave the password in cleartext in ''/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif'' (and in every backup or ''slapcat -n0'' dump of it). To avoid this, use the CLI tool //slappasswd// to create a salted SHA-1 (''{SSHA}'') hash of the password; its output can be pasted directly into the ldif file. Create the hash interactively, not with ''-s <password>'', which would leave the password in your shell history:

   ~ $ slappasswd
  New password: 
  Re-enter new password: 
  {SSHA}<base64 output from slappasswd>
   ~ $ 
   
and paste it into the ldif file:

<code ldif>
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}<base64 output from slappasswd>
</code>

slapd compares the bind password against the stored ''{SSHA}'' value, so the cleartext never has to exist on disk. Remember to delete the first ldif file (and the shell history line) that still carries it.
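What the ''{SSHA}'' value actually is, and how to check a config dump for the mistake the note warns about, as an added example (this is not code from the wiki page or from OpenLDAP): ''ssha_hash'' reproduces slappasswd's default scheme, base64(SHA1(password + salt) + salt), ''ssha_verify'' does what slapd does on bind, and ''audit_rootpw'' scans a constructed, unwrapped ''slapcat -n0''-style dump and flags every ''olcRootPW'' that is not hashed. The password ''s3cret'', the salt ''abcd'' and the dump are made up for the demonstration.

```python
"""{SSHA} as produced by slappasswd(8): base64(SHA1(password + salt) + salt).
Added example for this wiki page; not OpenLDAP code. Passwords, salts and the
LDIF dump below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; whatever follows the digest in the decoded value is the salt


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value. slappasswd uses a 4-byte random
    salt by default; a fixed salt is only useful for tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches the stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:10])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


def classify_rootpw(value):
    """'hashed' for a {SCHEME}-prefixed value, 'cleartext' for anything else
    (including the explicit {CLEARTEXT} scheme)."""
    v = value.strip()
    if v.upper().startswith("{CLEARTEXT}") or not v.startswith("{"):
        return "cleartext"
    return "hashed"


def audit_rootpw(ldif_text):
    """Walk an unwrapped cn=config dump and report (dn, classification) for
    every olcRootPW. Base64 values ('olcRootPW::') are decoded first."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        low = line.lower()
        if low.startswith("dn: "):
            dn = line[4:].strip()
        elif low.startswith("olcrootpw::"):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
            findings.append((dn, classify_rootpw(value)))
        elif low.startswith("olcrootpw:"):
            findings.append((dn, classify_rootpw(line.split(":", 1)[1])))
    return findings


# Constructed dump: the config database done right, the data database with the
# cleartext mistake. The hash is computed here from the made-up password.
SAMPLE_DUMP = """\
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
olcRootPW: @HASH@

dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: hunter2
""".replace("@HASH@", ssha_hash("s3cret", b"abcd"))


if __name__ == "__main__":
    for dn, kind in audit_rootpw(SAMPLE_DUMP):
        print(f"{kind:9s} {dn}")
```

Run it against a real ''slapcat -n0'' (or the ''ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no'' output) to find databases whose rootpw was set in clear; the same classification applies to ''userPassword'' values in the data database if you replace the attribute name.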
  
Afterwards you can access the config by
(Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])
  
Of course you can skip setting the password altogether and use SASL ''EXTERNAL'' authentication over the ''ldapi:///'' socket for ''ldapsearch'' (and ''ldapmodify''). This works because the default ''olcAccess'' of the config database grants ''manage'' to the local root user's peer credentials (''gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth''):

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'

as //root//. The rootpw only matters for tools that cannot use the Unix socket, such as //phpLDAPAdmin// or a remote ''ldapmodify''.
=== Enable "memberOf" ===

1) Load the overlay module:
  su - 
  ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif

''enableMemberOf.ldif'':
<code ldif enableMemberOf.ldif>
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: memberof
</code>
2) Attach the overlay to the data database:
  su - 
  ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif

''configureMemberOf.ldif'':
<code ldif configureMemberOf.ldif>
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
</code>

:!: The overlay DN depends on where your LDAP tree data is stored; this example assumes it to be in //olcDatabase={1}hdb,cn=config// (newer Ubuntu releases create //olcDatabase={1}mdb// instead). You can list all database objects with their respective suffix by calling

  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix

as //root//.

:!: The overlay only maintains ''memberOf'' for group changes made after it was added; groups that already exist get no ''memberOf'' back-filled until they are modified (or deleted and re-added). ''memberOf'' is an operational attribute, so ''ldapsearch'' only returns it when you name it explicitly in the attribute list.

__References__:

  * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
=== Write olcAccess.ldif in "human readable" format from actual config  ===

This turns the current ''olcAccess'' values of every database into a ready-to-load ''changetype: modify'' record, one ''by'' clause per line. The two leading spaces make each ''by'' line an LDIF continuation, so the file can be edited and fed straight back to ''ldapmodify'':

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' \
  | sed -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h;d};/^olcAccess/{s/ by /\n  by /gi;H;s/^.*$//;x;s/^\nolcAccess/olcAccess/g;p;d};d'

or, after ''chmod +x olcAccess.sed'',

  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' | ./olcAccess.sed

<file sed olcAccess.sed>
#!/bin/sed -f
# dn line: keep "dn + changetype + replace" in the hold space, print nothing yet
/^dn: /{
s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/
h
d
}
# olcAccess line: one " by " clause per line, append to hold space, print it
/^olcAccess/{
s/ by /\n  by /gi
H
s/^.*$//
x
s/^\nolcAccess/olcAccess/g
p
d
}
# everything else is dropped
d
</file>

Entries without ''olcAccess'' produce no record (their header in the hold space is simply overwritten by the next ''dn''). ''-o ldif-wrap=no'' is required, otherwise folded values would not start with ''olcAccess'' and be dropped. A rule whose DN contains the string " by " would be split wrongly; that is unusual, but glance over the result before loading it back.

[[docs:tips_n_tricks:ldap.html?rev=1709050872#read_olcaccess_anc_convert_it_into_human_readable_format|Read olcAccess and convert it into "human readable" format]]
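The same three jobs done with a proper LDIF reader instead of ''sed'', as an added example (not the wiki's own script, not OpenLDAP code): ''parse_ldif'' undoes line folding and ''attr::'' base64 values, so it does not depend on ''-o ldif-wrap=no''; ''olcaccess_ldif'' emits the same ''replace: olcAccess'' records as the sed script in this section; ''dit_containers'' computes what the "Get DIT" one-liner above prints, and also copes with escaped commas in RDNs. The two sample dumps are constructed (a hypothetical ''dc=example,dc=com'' tree and a minimal ''cn=config'').

```python
"""Added example for this page (not the wiki's sed script, not OpenLDAP code):
an LDIF reader for ldapsearch/slapcat output plus the olcAccess rewrite and the
"Get DIT" container list. Sample dumps are constructed."""
import base64


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}). Folded lines (leading space) are
    joined, 'attr:: ...' values are base64-decoded, comments and the version
    line are skipped. Attribute names keep their case."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, dn, attrs = [], None, {}
    for line in logical + [""]:                     # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                    # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def olcaccess_ldif(records):
    """One 'replace: olcAccess' change record per entry that has olcAccess,
    one ' by ' clause per line. Two leading spaces = LDIF continuation line,
    so ldapmodify reads the value back intact."""
    out = []
    for dn, attrs in records:
        rules = attrs.get("olcAccess")
        if not rules:
            continue
        out += [f"dn: {dn}", "changetype: modify", "replace: olcAccess"]
        for rule in rules:
            head, *clauses = rule.split(" by ")
            out.append(f"olcAccess: {head}")
            out.extend(f"  by {c}" for c in clauses)
        out.append("")
    return "\n".join(out)


def parent_dn(dn):
    """DN without its first RDN, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            return dn[i + 1:]
        i += 1
    return ""


def dit_containers(records):
    """Distinct parent DNs of all entries: the containers of the tree."""
    return sorted({parent_dn(dn) for dn, _ in records if parent_dn(dn)})


# Constructed cn=config excerpt: a folded olcAccess value and a base64 suffix,
# exactly the two things the sed one-liners cannot cope with.
SAMPLE_CONFIG = """\
version: 1
dn: cn=config
objectClass: olcGlobal
olcLogLevel: stats

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix:: ZGM9ZXhhbXBsZSxkYz1jb20=
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
"""

# Constructed data tree for the "Get DIT" part.
SAMPLE_DIT = """\
dn: dc=example,dc=com
dc: example

dn: ou=people,dc=example,dc=com
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: cn=admins,ou=groups,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    print(olcaccess_ldif(parse_ldif(SAMPLE_CONFIG)))
    print("\n".join(dit_containers(parse_ldif(SAMPLE_DIT))))
```

Feed it real output with ''ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectclass=*)' | python3 olcaccess.py'' after replacing the samples with ''sys.stdin.read()''; the folding and base64 handling is what makes the difference on long ACLs and on non-ASCII suffixes.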
==== Client ====
=== Configure nsswitch ===
(Found [[http://ubuntuforums.org/showthread.php?t=1766427|here]])
  
===== Self Service Password on Ubuntu 14.10 =====
  
  * Edit //Apache// configuration:
   
  <code>Alias /passwd /usr/share/self-service-password/</code>
  
  * Edit /usr/share/self-service-password/conf/config.ini.php
  /etc/init.d/apache2 stop
  /etc/init.d/apache2 start

===== Change Loglevel of OpenLDAP =====

Simply change the attribute //olcLogLevel// of the object //cn=config//, by //phpLDAPAdmin// or //ldapmodify//, using the credentials for the OLC((on-line configuration)) access: by default the Bind DN //cn=config// with the value of attribute //olcRootPW// of object //olcDatabase={0}config,cn=config//, or as local //root// over the ''ldapi:///'' socket, e.g.

  ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

with
<code ldif config.ldif>
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats stats2 shell
</code>

or, to quieten it again,

<code ldif config.ldif>
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: none
</code>

The change takes effect immediately, without restarting //slapd//. ''stats'' (connections, operations and results, one line per operation) is the level you normally want in production; ''ACL'' is useful for debugging access rules but is very verbose and records which DN touched which entry and attribute, so keep it temporary. ''none'' is not "nothing": messages flagged as always-logged still appear; use ''0'' to really switch logging off.

===== Adding indexes =====

Find out what is the right suffix for your tree by either of the following lines((The first one works only for the local root account, the second one will ask for the ''olcRootPW'' of the config database)):

  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix

  ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix

This will also show you the indices already existing. Attributes that are searched for but not indexed show up in the slapd log as ''<= bdb_equality_candidates: (uid) not indexed'' (''mdb_'' for mdb databases), which is the usual way to find out which indexes are missing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn; note the ''-'' line that separates the two modifications of one change record:

<code ldif add_indices.ldif>
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
</code>

Apply it with either of the following commands((The first one works only for the local root account, the second one will require a password)):

  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif

  ldapmodify -D cn=config -W          -f add_indices.ldif

slapd builds the new index online in the background; when the index is added through ''cn=config'' there is no need to stop the server and run //slapindex//.

===== References & Credits =====
  * http://www.zytrax.com/books/ldap/ch6/slapd-config.html
  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config
  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server

  
{{tag>LDAP Ubuntu OpenLDAP PAM}}