Differences

This shows you the differences between two versions of the page.

--- docs:tips_n_tricks:ldap.html [10.07.2018 17:16 CEST] – [Self Service Password on Ubuntu 14.10] peter
+++ docs:tips_n_tricks:ldap.html [27.02.2024 23:32 CET] (current) – [Write olcAccess.ldif in "human readable" format from actual config] peter
@@ Line 5: / Line 5: @@
   ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
-  * ''-w '?' '' will prompt for a password (without echo)
+  * ''-w '?' '' will prompt for a password (without echo)((true for IBM LDAP installations, when using OpenLDAP utilities, use ''-W'' instead))
   * ''-s scope'' search scope (base, one, or sub)
   * ''dn'' is a dummy output attribute (distinguished name is printed in any case)
@@ Line 11: / Line 11: @@
  --- //Courtesy of Oliver D. 2010/05/04 15:04//
+===== Read cn=config =====
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \
+  | sed -e '/^olcAccess: /s/ by /\n  by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n  \1=/gi' \
+  | less -S
+===== Get DIT =====
+  ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \
+  | sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp'\
+  | sort -u
 ===== Use OpenLDAP and phpldapadmin on Ubuntu 14.04 =====
 ==== Server ====
@@ Line 31: / Line 42: @@
 === Configure OpenLDAP Logging ===
-It should be done by //ldapmodify//, but as //ldapsearch// did not work, I modified ''/etc/ldap/slapd.d/cn=config.ldif''
+It should be done by //ldapmodify//, but as //ldapsearch// did not work((see [[#set_password_for_cn_config|"Set password for cn=config" below]] for how to get it working)), I modified ''/etc/ldap/slapd.d/cn=config.ldif''
   olcLogLevel: ACL stats stats2 shell
-to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.
+to confirm that //libpam_ldap.so// did use the right accounts, DNs and credentials.((See [[#change_loglevel_of_openldap|Change Loglevel of OpenLDAP]] for a more elaborate explanation on how to change log levels))
 === Enable ldapi access with apparmor ===
@@ Line 60: / Line 71: @@
 === Set password for cn=config ===
-To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN cn=root, which does not have a known password by default. To set it, create an ldif file
+To configure OpenLDAP you need to access it by //ldapmodify// and Bind DN ''cn=config''((unless //olcRootDN// was modified in //olcDatabase={0}config,cn=config//)) , which does not have a known password by default. To set it, create an ldif file
-  dn: olcDatabase={0}config,cn=config
+<code ldif>
-  changetype: modify
+dn: olcDatabase={0}config,cn=config
-  replace: olcRootPW
+changetype: modify
-  olcRootPW: <PW in Clear>
+replace: olcRootPW
+olcRootPW: <PW in Clear>
+</code>
 and load it as //root// with((In case of errors, see above))
@@ Line 71: / Line 84: @@
   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
-__NOTE__: :!: This will propably leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:
+__NOTE__: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool //slappasswd// to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:
    ~ $ slappasswd
@@ Line 81: / Line 94: @@
 and paste it into the ldif file:
-  dn: olcDatabase={0}config,cn=config
+<code ldif>
-  changetype: modify
+dn: olcDatabase={0}config,cn=config
-  replace: olcRootPW
+changetype: modify
-  olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
+replace: olcRootPW
+olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
+</code>
 Afterwards you cann access the config by
@@ Line 92: / Line 107: @@
 (Finally found [[https://help.ubuntu.com/community/OpenLDAPServer|here]])
-Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by runnint:
+Of course you can skip setting the password and using external SASL authorization for ''ldapsearh'' by running:
   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'
@@ Line 104: / Line 119: @@
 ''enableMemberOf.ldif'':
+<code ldif enableMemberOf.ldif>
-  dn: cn=module,cn=config
+dn: cn=module,cn=config
-  objectClass: olcModuleList
+objectClass: olcModuleList
-  cn: module
+cn: module
-  olcModuleLoad: memberof
+olcModuleLoad: memberof
+</code>
 )
   su -
@@ Line 115: / Line 130: @@
 ''configureMemberOf.ldif'':
-  dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+<code ldif configureMemberOf.ldif>
-  objectClass: olcConfig
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
-  objectClass: olcMemberOf
+objectClass: olcConfig
-  objectClass: olcOverlayConfig
+objectClass: olcMemberOf
-  objectClass: top
+objectClass: olcOverlayConfig
-  olcOverlay: memberof
+objectClass: top
-  olcMemberOfDangling: ignore
+olcOverlay: memberof
-  olcMemberOfRefInt: TRUE
+olcMemberOfDangling: ignore
-  olcMemberOfGroupOC: groupOfNames
+olcMemberOfRefInt: TRUE
-  olcMemberOfMemberAD: member
+olcMemberOfGroupOC: groupOfNames
-  olcMemberOfMemberOfAD: memberOf
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+</code>
-:!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //lcDatabase={1}hdb,cn=config//. You check it with
+:!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in //olcDatabase={1}hdb,cn=config//. You can list all database objects with their respective suffix by calling
-  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix
 as //root//.
@@ Line 136: / Line 153: @@
   * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
+=== Write olcAccess.ldif in "human readable" format from actual config  ===
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' \
+  | sed -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h;d};/^olcAccess/{s/ by /\n  by /gi;H;s/^.*$//;x;s/^\nolcAccess/olcAccess/g;p;d};d'
+or
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' | ./olcAcces.sed
+<file sed olcAccess.sed>
+#!/bin/sed -f
+/^dn: /{
+s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/
+h
+d
+}
+/^olcAccess/{
+s/ by /\n  by /gi
+H
+s/^.*$//
+x
+s/^\nolcAccess/olcAccess/g
+p
+d
+}
+d
+</file>
+[[docs:tips_n_tricks:ldap.html?rev=1709050872#read_olcaccess_anc_convert_it_into_human_readable_format|Read olcAccess and convert it into "human readable" format]]
 ==== Client ====
 === Configure nsswitch ===
@@ Line 164: / Line 210: @@
 (Found [[http://ubuntuforums.org/showthread.php?t=1766427|here]])
-===== Password Self Service on Ubuntu 14.10 =====
 ===== Self Service Password on Ubuntu 14.10 =====
@@ Line 175: / Line 221: @@
   * Edit //Apache// configuration:
-  Alias /passwd /usr/share/self-service-password/
+  <code>Alias /passwd /usr/share/self-service-password/</code>
   * Edit /usr/share/self-service-password/conf/config.ini.php
@@ Line 214: / Line 260: @@
-==== References & Credits ====
+===== Adding indexes =====
+Find out what is the right suffix for your tree by either of the following lines((The first one works only by the local root account, the second one will require a password)):
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix
+  ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix
+This will also show you the indices already existing. Now create a file in //LDIF// format, using the database found out in the previous step for the dn:
+<code ldif add_indices.ldif>
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: uid eq
+-
+add: olcDbIndex
+olcDbIndex: cn eq
+</code>
+Apply it with either of the following commands((The first one works only by the local root account, the second one will require a password)):
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif
+  ldapmodify -D cn=config -W          -f add_indices.ldif
+===== References & Credits =====
   * http://www.zytrax.com/books/ldap/ch6/slapd-config.html
+  * https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config
+  * https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
 ======  ======