Openldap: Unterschied zwischen den Versionen

 
(18 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 7: Zeile 7:
  
 
==grundkonfiguration==
 
==grundkonfiguration==
dpkg-reconfigure  -p low slapd
+
*[[Openldap Basic Config common]]
==kontrolle==
+
*[[Openldap Basic Config ubuntu]]
===kontrolle der konfig files===
+
 
 +
== Kontrolle ==
 +
=== Kontrolle der Konfigurationsdateien ===
 
<pre>
 
<pre>
 
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f  
 
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f  
Zeile 28: Zeile 30:
 
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
 
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
 
===konfiguration===
 
===konfiguration===
*ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config      "(|(cn=config)(olcDatabase={1}hdb))"
+
*ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config      "(|(cn=config)(olcDatabase={1}mdb))"
 
<pre>
 
<pre>
 
SASL/EXTERNAL authentication started
 
SASL/EXTERNAL authentication started
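Review bot: The filter on the new side now selects `olcDatabase={1}mdb`, but the sample output kept below it appears (as far as visible in the current page version) to still come from an hdb instance, `dn: olcDatabase={1}hdb,cn=config` with `objectClass: olcHdbConfig`, so a reader copying the new command against the documented setup would get no database entry back. Either state in a sentence that the database name depends on the backend in use (hdb on older Debian/Ubuntu installs, mdb on current ones) or refresh the sample output to an mdb instance. The `<pre>` block this output belongs to continues past the end of this hunk.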
Zeile 62: Zeile 64:
 
olcDbIndex: objectClass eq
 
olcDbIndex: objectClass eq
 
</pre>
 
</pre>
 +
 
===struktur===
 
===struktur===
 
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
 
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Zeile 97: Zeile 100:
  
 
==Starten des slapd==
 
==Starten des slapd==
  serivce slapd start
+
  systemctl start slapd
Starting OpenLDAP: slapd.
+
 
 
==Stoppen des slapd==
 
==Stoppen des slapd==
  serivce slapd stop
+
  systemctl stop slapd
Stopping OpenLDAP: slapd.
+
 
 
==Neustarten des slapd==
 
==Neustarten des slapd==
  service slapd restart
+
  systemctl restart slapd
Stopping OpenLDAP: slapd.
+
 
Starting OpenLDAP: slapd.Starten des slapd
 
 
==Auf welchem Port lauscht der slapd==  
 
==Auf welchem Port lauscht der slapd==  
 
  netstat -lntp | grep slapd
 
  netstat -lntp | grep slapd
Zeile 123: Zeile 125:
  
 
=Defaultclientkonfiguration von LDAP=
 
=Defaultclientkonfiguration von LDAP=
cat /etc/ldap/ldap.conf
+
*[[ldap.conf]]
base            dc=linuggs, dc=de
 
uri            ldap://127.0.0.1
 
ldap_version    3
 
rootbinddn      cn=admin, dc=linuggs, dc=de
 
pam_password    md5
 
=Passwort für den Adminzugang eintragen=
 
echo sysadm > /etc/ldap.secret
 
  
 
=füllen der datenbank=
 
=füllen der datenbank=
Zeile 151: Zeile 146:
 
  ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
 
  ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
 
=gruppe ldif anlegen=
 
=gruppe ldif anlegen=
 +
*cat group.ldif
 
<pre>
 
<pre>
cat group.ldif
 
 
dn: cn=it,ou=groups,dc=linuggs,dc=de
 
dn: cn=it,ou=groups,dc=linuggs,dc=de
 
objectClass: posixGroup
 
objectClass: posixGroup
objectClass: top
 
 
cn: it
 
cn: it
 
gidNumber:  3001
 
gidNumber:  3001
 
</pre>
 
</pre>
 +
 
=gruppe hinzufügen=
 
=gruppe hinzufügen=
 
  ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif  
 
  ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif  
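Review bot: Both ldapadd examples kept on the new side of this hunk pass the admin bind password as a command-line argument, `-w sysadm`, which lands in the shell history and is readable by any local user in the process list while the command runs. Prefer the interactive prompt, `ldapadd -xD cn=admin,dc=linuggs,dc=de -W -f struktur.ldif`, or read it from a root-only file with `-y <passwordfile>`; the same applies to the `ldapsearch ... -w sysadm` example under "gebunden automatisch" in the current page version. The password also travels in clear text because these examples bind over plain `ldap://`, so this is worth a one-line hint next to the first example rather than a fix per command.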
Zeile 170: Zeile 165:
 
objectClass: posixAccount
 
objectClass: posixAccount
 
objectClass: shadowAccount
 
objectClass: shadowAccount
objectClass: top
 
 
uid: leroy
 
uid: leroy
 
uidNumber: 2001
 
uidNumber: 2001
Zeile 184: Zeile 178:
 
*[[ldapscripts handling]]
 
*[[ldapscripts handling]]
  
=nsswitch anbinden=
+
=Openldap posix accounts=
apt-get install libnss-ldap
+
*[[openldap posix accounts]]
==Wir benutzen nur eine Konfigurationdatei==
 
ln -sf /etc/ldap/ldap.conf /etc/ldap.conf
 
 
 
==ergänzen /etc/nsswitch.conf==
 
passwd:        compat ldap
 
group:          compat ldap
 
==nsswitch tests==
 
===passwd test===
 
getent passwd | grep 3001
 
leroy:x:2001:3001:leroy:/home/leroy:/bin/bash
 
===group test===
 
getent group | grep 3001
 
it:*:3001:
 
===id test===
 
id leroy
 
uid=2001(leroy) gid=3001(it) Gruppen=3001(it)
 
 
 
 
 
=ldap pam installieren=
 
apt-get install libpam-ldap
 
=Anpassen der Pam=
 
==Die Authentifizierung(installation nimmt einstellung schon vor)==
 
gawron:/etc/pam.d# cat common-auth
 
auth    sufficient  pam_ldap.so
 
auth    required    pam_unix.so nullok_secure use_first_pass
 
==Das Accounting(installation nimmt einstellung schon vor)==
 
gawron:/etc/pam.d# cat common-account
 
account sufficient      pam_ldap.so
 
account required        pam_unix.so
 
==Passwort änderungen==
 
gawron:/etc/pam.d# cat common-password
 
password    sufficient    pam_ldap.so
 
password    sufficient    pam_unix.so
 
password    required      pam_deny.so
 
==Die Session==
 
gawron:/etc/pam.d# cat common-session
 
session required pam_mkhomedir.so  skel=/etc/skel umask=0022
 
session required        pam_unix.so
 
==Passwort für den User setzen==
 
gawron:/etc/pam.d# passwd leroy
 
New password:
 
Re-enter new password:
 
LDAP password information changed for leroy
 
passwd: password updated successfully
 
 
==ldapsearch==
 
==ldapsearch==
 
  root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber
 
  root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber
Zeile 237: Zeile 187:
  
 
=apache2 ldap=
 
=apache2 ldap=
==verlinken der module==
+
*[[apache2 ldap]]
a2enmod authnz_ldap
 
==ldap anbinden==
 
<Directory /var/www/html>
 
    #SetHandler ldap-status
 
    AuthType Basic
 
    AuthBasicProvider ldap
 
    AuthName LDAP-AUTHENTIFIKATION
 
    AuthLDAPURL ldap://192.168.244.154/dc=linuggs,dc=de?uid?sub
 
    Require valid-user
 
</Directory>
 
 
 
  
 
=ssl=
 
=ssl=
Zeile 256: Zeile 195:
 
<pre>
 
<pre>
 
dn: cn=config
 
dn: cn=config
 +
 
add: olcTLSCACertificateFile
 
add: olcTLSCACertificateFile
 
olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt
 
olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt
Zeile 274: Zeile 214:
 
modifying entry "cn=config
 
modifying entry "cn=config
 
</pre>
 
</pre>
 +
==ldaps freischalten==
 +
*/etc/default/slapd
 +
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
 +
==slapd restart==
 +
systemctl restart slapd
 +
==slapd ssl check==
 +
*netstat -lntp | grep 636
 +
tcp        0      0 0.0.0.0:636            0.0.0.0:*              LISTEN      2204/slapd     
 +
tcp6      0      0 :::636                  :::*                    LISTEN      2204/slapd
  
 +
=Links=
 
*https://help.ubuntu.com/lts/serverguide/openldap-server.html
 
*https://help.ubuntu.com/lts/serverguide/openldap-server.html
 
*https://help.ubuntu.com/community/OpenLDAPServer
 
*https://help.ubuntu.com/community/OpenLDAPServer
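Review bot: The new "ldaps freischalten" section enables ldaps:// but leaves plain `ldap:///` in `SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"`, and the bind examples elsewhere on the page still use `ldap://127.0.0.1`, so the new listener protects nothing until clients are switched or clear-text binds are refused (for example via `olcSecurity` on the database, or by dropping `ldap:///` once StartTLS is not needed). The check under "slapd ssl check" only proves that something listens on 636; a handshake test such as `ldapsearch -x -LLL -H ldaps://<server-fqdn> -b dc=linuggs,dc=de dn` also confirms that the certificate chain loads and that the certificate name matches the host. Worth adding in the same section: the key referenced by `olcTLSCertificateKeyFile` in ssl.ldif must be readable by the slapd service user only (mode 0640 or stricter, group openldap on Debian), otherwise slapd either fails to start or the key is exposed to every local user. `netstat` is deprecated on current distributions; `ss -lntp | grep 636` gives the same information.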

Aktuelle Version vom 3. Mai 2023, 07:35 Uhr

installation

apt-get

passwort nach wahl festlegen

apt-get install  slapd ldap-utils libldap2-dev  db-util sasl2-bin
  • slapd: OpenLDAP Standalone Server
  • ldap-utils: Utilities zum Zugriff auf den LDAP Server

grundkonfiguration

Kontrolle

Kontrolle der Konfigurationsdateien

root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f 
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/ldap/slapd.d/cn=config.ldif

kontrolle der konfig files

alles

  • ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

konfiguration

  • ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=linuggs,dc=de
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=linuggs,dc=de" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=linuggs,dc=de" write by *
 read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=linuggs,dc=de
olcRootPW: {SSHA}2Iric7Ph1nLUNfoDm8FzOgyTW63kz2gr
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq

struktur

  • ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcBackend={0}hdb,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config

stimmt der base dn?

ldapsearch -x -LLL -H ldap:/// -b dc=linuggs,dc=de dn
dn: dc=linuggs,dc=de 

dn: cn=admin,dc=linuggs,dc=de

Starten des slapd

systemctl start slapd

Stoppen des slapd

systemctl stop slapd

Neustarten des slapd

systemctl restart slapd

Auf welchem Port lauscht der slapd

netstat -lntp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN     499/slapd

Welche PID hat der slapd

pgrep slapd
499
500
501

Abfragen

anonym

 ldapsearch -x -LLL -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de

gebunden interaktiv

ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -W -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de

gebunden automatisch

ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -w sysadm  -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de

Defaultclientkonfiguration von LDAP

füllen der datenbank

struktur.ldif

dn: ou=users,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: hosts

struktur hinzufügen

ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif

gruppe ldif anlegen

  • cat group.ldif
dn: cn=it,ou=groups,dc=linuggs,dc=de
objectClass: posixGroup
cn: it
gidNumber:  3001

gruppe hinzufügen

ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif 
adding new entry "cn=it,ou=groups,dc=linuggs,dc=de"

user ldif anlegen

dn: uid=leroy,ou=users,dc=linuggs,dc=de
cn: leroy
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: leroy
uidNumber: 2001
gidNumber: 3001
homeDirectory: /home/leroy
loginShell: /bin/bash

user hinzufügen

ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif 
adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de"

ldapscripts

Openldap posix accounts

ldapsearch

root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber
dn: uid=thomas,ou=People,dc=linuggs,dc=de
cn: thomas will
gidNumber: 5000

apache2 ldap

ssl

Zertifikate generieren

ssl.ldif erstellen

dn: cn=config

add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.key

konfig hinzufügen

ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config

ldaps freischalten

  • /etc/default/slapd

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

slapd restart

systemctl restart slapd

slapd ssl check

  • netstat -lntp | grep 636
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2204/slapd      
tcp6       0      0 :::636                  :::*                    LISTEN      2204/slapd

Links

Servertools

slapadd

User zur SLAPD Datenbank hinzufügen

slapadd -b dc=linuggs,dc=de -l muster.ldif
  • -b: Baseroot
  • -l: Informationen werden aus der angegebenen Datei gelesen, nicht vom Standard-Input
slapadd -b dc=linuggs,dc=de -f slapd.conf
  • -f: eine alternative slapd.conf benutzen

slapcat

Der Befehl slapcat ermöglicht die Speicherung der aktuellen LDAP-Daten in einer Textdatei im LDIF-Format

slapcat > ldapdaten.txt