Openldap: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
David (Diskussion | Beiträge) |
|||
(18 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
Zeile 7: | Zeile 7: | ||
==grundkonfiguration== | ==grundkonfiguration== | ||
− | + | *[[Openldap Basic Config common]] | |
− | == | + | *[[Openldap Basic Config ubuntu]] |
− | === | + | |
+ | == Kontrolle == | ||
+ | === Kontrolle der Konfigurationsdateien === | ||
<pre> | <pre> | ||
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f | root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f | ||
Zeile 28: | Zeile 30: | ||
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | *ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | ||
===konfiguration=== | ===konfiguration=== | ||
− | *ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1} | + | *ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))" |
<pre> | <pre> | ||
SASL/EXTERNAL authentication started | SASL/EXTERNAL authentication started | ||
Zeile 62: | Zeile 64: | ||
olcDbIndex: objectClass eq | olcDbIndex: objectClass eq | ||
</pre> | </pre> | ||
+ | |||
===struktur=== | ===struktur=== | ||
*ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn | *ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn | ||
Zeile 97: | Zeile 100: | ||
==Starten des slapd== | ==Starten des slapd== | ||
− | + | systemctl start slapd | |
− | + | ||
==Stoppen des slapd== | ==Stoppen des slapd== | ||
− | + | systemctl stop slapd | |
− | + | ||
==Neustarten des slapd== | ==Neustarten des slapd== | ||
− | + | systemctl restart slapd | |
− | + | ||
− | |||
==Auf welchem Port lauscht der slapd== | ==Auf welchem Port lauscht der slapd== | ||
netstat -lntp | grep slapd | netstat -lntp | grep slapd | ||
Zeile 123: | Zeile 125: | ||
=Defaultclientkonfiguration von LDAP= | =Defaultclientkonfiguration von LDAP= | ||
− | + | *[[ldap.conf]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=füllen der datenbank= | =füllen der datenbank= | ||
Zeile 151: | Zeile 146: | ||
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif | ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif | ||
=gruppe ldif anlegen= | =gruppe ldif anlegen= | ||
+ | *cat group.ldif | ||
<pre> | <pre> | ||
− | |||
dn: cn=it,ou=groups,dc=linuggs,dc=de | dn: cn=it,ou=groups,dc=linuggs,dc=de | ||
objectClass: posixGroup | objectClass: posixGroup | ||
− | |||
cn: it | cn: it | ||
gidNumber: 3001 | gidNumber: 3001 | ||
</pre> | </pre> | ||
+ | |||
=gruppe hinzufügen= | =gruppe hinzufügen= | ||
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif | ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif | ||
Zeile 170: | Zeile 165: | ||
objectClass: posixAccount | objectClass: posixAccount | ||
objectClass: shadowAccount | objectClass: shadowAccount | ||
− | |||
uid: leroy | uid: leroy | ||
uidNumber: 2001 | uidNumber: 2001 | ||
Zeile 184: | Zeile 178: | ||
*[[ldapscripts handling]] | *[[ldapscripts handling]] | ||
− | = | + | =Openldap posix accounts= |
− | + | *[[openldap posix accounts]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==ldapsearch== | ==ldapsearch== | ||
root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber | root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber | ||
Zeile 237: | Zeile 187: | ||
=apache2 ldap= | =apache2 ldap= | ||
− | + | *[[apache2 ldap]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=ssl= | =ssl= | ||
Zeile 256: | Zeile 195: | ||
<pre> | <pre> | ||
dn: cn=config | dn: cn=config | ||
+ | |||
add: olcTLSCACertificateFile | add: olcTLSCACertificateFile | ||
olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt | olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt | ||
Zeile 274: | Zeile 214: | ||
modifying entry "cn=config | modifying entry "cn=config | ||
</pre> | </pre> | ||
+ | ==ldaps freischalten== | ||
+ | */etc/default/slapd | ||
+ | SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" | ||
+ | ==slapd restart== | ||
+ | systemctl restart slapd | ||
+ | ==slapd ssl check== | ||
+ | *netstat -lntp | grep 636 | ||
+ | tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2204/slapd | ||
+ | tcp6 0 0 :::636 :::* LISTEN 2204/slapd | ||
+ | =Links= | ||
*https://help.ubuntu.com/lts/serverguide/openldap-server.html | *https://help.ubuntu.com/lts/serverguide/openldap-server.html | ||
*https://help.ubuntu.com/community/OpenLDAPServer | *https://help.ubuntu.com/community/OpenLDAPServer |
Aktuelle Version vom 3. Mai 2023, 07:35 Uhr
installation
apt-get
passwort nach wahl festlegen
apt-get install slapd ldap-utils libldap2-dev db-util sasl2-bin
- slapd: OpenLDAP Standalone Server
- ldap-utils: Utilities zum Zugriff auf den LDAP Server
grundkonfiguration
Kontrolle
Kontrolle der Konfigurationsdateien
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif /etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif /etc/ldap/slapd.d/cn=config/cn=schema.ldif /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif /etc/ldap/slapd.d/cn=config.ldif
kontrolle der konfig files
alles
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
konfiguration
- ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=linuggs,dc=de olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=linuggs,dc=de" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=linuggs,dc=de" write by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=linuggs,dc=de olcRootPW: {SSHA}2Iric7Ph1nLUNfoDm8FzOgyTW63kz2gr olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq
struktur
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config dn: cn=module{0},cn=config dn: cn=schema,cn=config dn: cn={0}core,cn=schema,cn=config dn: cn={1}cosine,cn=schema,cn=config dn: cn={2}nis,cn=schema,cn=config dn: cn={3}inetorgperson,cn=schema,cn=config dn: olcBackend={0}hdb,cn=config dn: olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}config,cn=config dn: olcDatabase={1}hdb,cn=config
stimmt der base dn?
ldapsearch -x -LLL -H ldap:/// -b dc=linuggs,dc=de dn dn: dc=linuggs,dc=de dn: cn=admin,dc=linuggs,dc=de
Starten des slapd
systemctl start slapd
Stoppen des slapd
systemctl stop slapd
Neustarten des slapd
systemctl restart slapd
Auf welchem Port lauscht der slapd
netstat -lntp | grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 499/slapd
Welche PID hat der slapd
pgrep slapd 499 500 501
Abfragen
anonym
ldapsearch -x -LLL -H ldap://127.0.0.1 -b dc=linuggs,dc=de
gebunden interaktiv
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -W -H ldap://127.0.0.1 -b dc=linuggs,dc=de
gebunden automatisch
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -w sysadm -H ldap://127.0.0.1 -b dc=linuggs,dc=de
Defaultclientkonfiguration von LDAP
füllen der datenbank
struktur.ldif
dn: ou=users,dc=linuggs,dc=de objectClass: organizationalUnit ou: users dn: ou=groups,dc=linuggs,dc=de objectClass: organizationalUnit ou: groups dn: ou=hosts,dc=linuggs,dc=de objectClass: organizationalUnit ou: hosts
struktur hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
gruppe ldif anlegen
- cat group.ldif
dn: cn=it,ou=groups,dc=linuggs,dc=de objectClass: posixGroup cn: it gidNumber: 3001
gruppe hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif adding new entry "cn=it,ou=groups,dc=linuggs,dc=de"
user ldif anlegen
dn: uid=leroy,ou=users,dc=linuggs,dc=de cn: leroy objectClass: account objectClass: posixAccount objectClass: shadowAccount uid: leroy uidNumber: 2001 gidNumber: 3001 homeDirectory: /home/leroy loginShell: /bin/bash
user hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de"
ldapscripts
Openldap posix accounts
ldapsearch
root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber dn: uid=thomas,ou=People,dc=linuggs,dc=de cn: thomas will gidNumber: 5000
apache2 ldap
ssl
certifikate generieren
ssl.ldif erstellen
dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.key
konfig hinzufügen
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config
ldaps freischalten
- /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
slapd restart
systemctl restart slapd
slapd ssl check
- netstat -lntp | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2204/slapd tcp6 0 0 :::636 :::* LISTEN 2204/slapd
Links
- https://help.ubuntu.com/lts/serverguide/openldap-server.html
- https://help.ubuntu.com/community/OpenLDAPServer
- http://www.plone-entwicklerhandbuch.de/plone-entwicklerhandbuch/authentifizierung/ldap
- http://www.zytrax.com/books/ldap/
- https://wiki.debian.org/LDAP/OpenLDAPSetup
- https://darkstar.gernox.de/2012/10/28/openldap/
- http://www.openldap.org/doc/admin24/
- https://wiki.debian.org/LDAP/OpenLDAPSetup
- http://askubuntu.com/questions/481917/apache2-4-7-ldap-url-authentication-on-ubuntu-14-04
Servertools
slapdadd
User zur SLAPD Datenbank hinzufügen
slapadd -b dc=linuggs,dc=de -l muster.ldif
- -b: Baseroot
- -l: Informationen werden aus der angegebenen Datei gelsen. Nicht vom Standard-Input
slapadd -b dc=linuggs,dc=de -f slapd.conf
- -f: eine alternative slapd.conf benutzen
slapcat
Der Befehl slapcat ermöglicht die Speicherung der aktuellen LDAP-Daten in einer Textdatei im LDIF-Format
slapcat > ldapdaten.txt