Openldap: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) |
|||
(40 dazwischenliegende Versionen von 4 Benutzern werden nicht angezeigt) | |||
Zeile 2: | Zeile 2: | ||
==apt-get== | ==apt-get== | ||
passwort nach wahl festlegen | passwort nach wahl festlegen | ||
− | apt-get install slapd ldap-utils | + | apt-get install slapd ldap-utils libldap2-dev db-util sasl2-bin |
*slapd: OpenLDAP Standalone Server | *slapd: OpenLDAP Standalone Server | ||
− | *ldap-utils: Utilities zum Zugriff auf den LDAP Server | + | *ldap-utils: Utilities zum Zugriff auf den LDAP Server |
+ | |||
==grundkonfiguration== | ==grundkonfiguration== | ||
− | + | *[[Openldap Basic Config common]] | |
− | == | + | *[[Openldap Basic Config ubuntu]] |
− | === | + | |
+ | == Kontrolle == | ||
+ | === Kontrolle der Konfigurationsdateien === | ||
<pre> | <pre> | ||
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f | root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f | ||
Zeile 24: | Zeile 27: | ||
</pre> | </pre> | ||
===kontrolle der konfig files=== | ===kontrolle der konfig files=== | ||
− | + | ===alles=== | |
+ | *ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | ||
+ | ===konfiguration=== | ||
+ | *ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))" | ||
+ | <pre> | ||
+ | SASL/EXTERNAL authentication started | ||
+ | SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth | ||
+ | SASL SSF: 0 | ||
+ | dn: cn=config | ||
+ | objectClass: olcGlobal | ||
+ | cn: config | ||
+ | olcArgsFile: /var/run/slapd/slapd.args | ||
+ | olcLogLevel: none | ||
+ | olcPidFile: /var/run/slapd/slapd.pid | ||
+ | olcToolThreads: 1 | ||
+ | dn: olcDatabase={1}hdb,cn=config | ||
+ | objectClass: olcDatabaseConfig | ||
+ | objectClass: olcHdbConfig | ||
+ | olcDatabase: {1}hdb | ||
+ | olcDbDirectory: /var/lib/ldap | ||
+ | olcSuffix: dc=linuggs,dc=de | ||
+ | olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou | ||
+ | s auth by dn="cn=admin,dc=linuggs,dc=de" write by * none | ||
+ | olcAccess: {1}to dn.base="" by * read | ||
+ | olcAccess: {2}to * by self write by dn="cn=admin,dc=linuggs,dc=de" write by * | ||
+ | read | ||
+ | olcLastMod: TRUE | ||
+ | olcRootDN: cn=admin,dc=linuggs,dc=de | ||
+ | olcRootPW: {SSHA}2Iric7Ph1nLUNfoDm8FzOgyTW63kz2gr | ||
+ | olcDbCheckpoint: 512 30 | ||
+ | olcDbConfig: {0}set_cachesize 0 2097152 0 | ||
+ | olcDbConfig: {1}set_lk_max_objects 1500 | ||
+ | olcDbConfig: {2}set_lk_max_locks 1500 | ||
+ | olcDbConfig: {3}set_lk_max_lockers 1500 | ||
+ | olcDbIndex: objectClass eq | ||
+ | </pre> | ||
− | + | ===struktur=== | |
+ | *ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn | ||
<pre> | <pre> | ||
dn: cn=config | dn: cn=config | ||
Zeile 51: | Zeile 90: | ||
dn: olcDatabase={1}hdb,cn=config | dn: olcDatabase={1}hdb,cn=config | ||
</pre> | </pre> | ||
+ | |||
+ | *[[show openldap config]] | ||
==stimmt der base dn?== | ==stimmt der base dn?== | ||
Zeile 59: | Zeile 100: | ||
==Starten des slapd== | ==Starten des slapd== | ||
− | + | systemctl start slapd | |
− | + | ||
==Stoppen des slapd== | ==Stoppen des slapd== | ||
− | + | systemctl stop slapd | |
− | + | ||
==Neustarten des slapd== | ==Neustarten des slapd== | ||
− | + | systemctl restart slapd | |
− | + | ||
− | |||
==Auf welchem Port lauscht der slapd== | ==Auf welchem Port lauscht der slapd== | ||
netstat -lntp | grep slapd | netstat -lntp | grep slapd | ||
Zeile 85: | Zeile 125: | ||
=Defaultclientkonfiguration von LDAP= | =Defaultclientkonfiguration von LDAP= | ||
− | + | *[[ldap.conf]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
=füllen der datenbank= | =füllen der datenbank= | ||
struktur.ldif | struktur.ldif | ||
<pre> | <pre> | ||
− | dn: ou= | + | dn: ou=users,dc=linuggs,dc=de |
objectClass: organizationalUnit | objectClass: organizationalUnit | ||
− | ou: | + | ou: users |
dn: ou=groups,dc=linuggs,dc=de | dn: ou=groups,dc=linuggs,dc=de | ||
Zeile 107: | Zeile 142: | ||
ou: hosts | ou: hosts | ||
</pre> | </pre> | ||
+ | |||
=struktur hinzufügen= | =struktur hinzufügen= | ||
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif | ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif | ||
=gruppe ldif anlegen= | =gruppe ldif anlegen= | ||
+ | *cat group.ldif | ||
<pre> | <pre> | ||
− | |||
dn: cn=it,ou=groups,dc=linuggs,dc=de | dn: cn=it,ou=groups,dc=linuggs,dc=de | ||
objectClass: posixGroup | objectClass: posixGroup | ||
− | |||
cn: it | cn: it | ||
gidNumber: 3001 | gidNumber: 3001 | ||
</pre> | </pre> | ||
+ | |||
=gruppe hinzufügen= | =gruppe hinzufügen= | ||
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif | ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif | ||
Zeile 124: | Zeile 160: | ||
=user ldif anlegen= | =user ldif anlegen= | ||
<pre> | <pre> | ||
− | dn: uid=leroy,ou= | + | dn: uid=leroy,ou=users,dc=linuggs,dc=de |
cn: leroy | cn: leroy | ||
objectClass: account | objectClass: account | ||
objectClass: posixAccount | objectClass: posixAccount | ||
objectClass: shadowAccount | objectClass: shadowAccount | ||
− | |||
uid: leroy | uid: leroy | ||
uidNumber: 2001 | uidNumber: 2001 | ||
Zeile 136: | Zeile 171: | ||
loginShell: /bin/bash | loginShell: /bin/bash | ||
</pre> | </pre> | ||
+ | |||
=user hinzufügen= | =user hinzufügen= | ||
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif | ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif | ||
adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de" | adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de" | ||
− | = | + | =ldapscripts= |
− | + | *[[ldapscripts handling]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
+ | =Openldap posix accounts= | ||
+ | *[[openldap posix accounts]] | ||
==ldapsearch== | ==ldapsearch== | ||
root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber | root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber | ||
Zeile 153: | Zeile 186: | ||
gidNumber: 5000 | gidNumber: 5000 | ||
+ | =apache2 ldap= | ||
+ | *[[apache2 ldap]] | ||
+ | |||
+ | =ssl= | ||
+ | ==certifikate generieren== | ||
+ | |||
+ | ==ssl.ldif erstellen== | ||
+ | <pre> | ||
+ | dn: cn=config | ||
+ | |||
+ | add: olcTLSCACertificateFile | ||
+ | olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt | ||
+ | - | ||
+ | add: olcTLSCertificateFile | ||
+ | olcTLSCertificateFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.crt | ||
+ | - | ||
+ | add: olcTLSCertificateKeyFile | ||
+ | olcTLSCertificateKeyFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.key | ||
+ | </pre> | ||
+ | |||
+ | ==konfig hinzufügen== | ||
+ | <pre> | ||
+ | ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif | ||
+ | SASL/EXTERNAL authentication started | ||
+ | SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth | ||
+ | SASL SSF: 0 | ||
+ | modifying entry "cn=config | ||
+ | </pre> | ||
+ | ==ldaps freischalten== | ||
+ | */etc/default/slapd | ||
+ | SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" | ||
+ | ==slapd restart== | ||
+ | systemctl restart slapd | ||
+ | ==slapd ssl check== | ||
+ | *netstat -lntp | grep 636 | ||
+ | tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2204/slapd | ||
+ | tcp6 0 0 :::636 :::* LISTEN 2204/slapd | ||
+ | |||
+ | =Links= | ||
*https://help.ubuntu.com/lts/serverguide/openldap-server.html | *https://help.ubuntu.com/lts/serverguide/openldap-server.html | ||
*https://help.ubuntu.com/community/OpenLDAPServer | *https://help.ubuntu.com/community/OpenLDAPServer | ||
Zeile 161: | Zeile 233: | ||
*http://www.openldap.org/doc/admin24/ | *http://www.openldap.org/doc/admin24/ | ||
*https://wiki.debian.org/LDAP/OpenLDAPSetup | *https://wiki.debian.org/LDAP/OpenLDAPSetup | ||
+ | *http://askubuntu.com/questions/481917/apache2-4-7-ldap-url-authentication-on-ubuntu-14-04 | ||
+ | |||
+ | =Servertools= | ||
+ | ==slapdadd== | ||
+ | User zur SLAPD Datenbank hinzufügen | ||
+ | |||
+ | slapadd -b dc=linuggs,dc=de -l muster.ldif | ||
+ | |||
+ | *-b: Baseroot | ||
+ | *-l: Informationen werden aus der angegebenen Datei gelsen. Nicht vom Standard-Input | ||
+ | |||
+ | slapadd -b dc=linuggs,dc=de -f slapd.conf | ||
+ | |||
+ | *-f: eine alternative slapd.conf benutzen | ||
+ | |||
+ | ==slapcat== | ||
+ | Der Befehl slapcat ermöglicht die Speicherung der aktuellen LDAP-Daten in einer Textdatei im LDIF-Format | ||
+ | |||
+ | slapcat > ldapdaten.txt |
Aktuelle Version vom 3. Mai 2023, 07:35 Uhr
installation
apt-get
passwort nach wahl festlegen
apt-get install slapd ldap-utils libldap2-dev db-util sasl2-bin
- slapd: OpenLDAP Standalone Server
- ldap-utils: Utilities zum Zugriff auf den LDAP Server
grundkonfiguration
Kontrolle
Kontrolle der Konfigurationsdateien
root@maria:/etc/ldap# find /etc/ldap/slapd.d/ -type f /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif /etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif /etc/ldap/slapd.d/cn=config/cn=schema.ldif /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif /etc/ldap/slapd.d/cn=config.ldif
kontrolle der konfig files
alles
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
konfiguration (die Ausgabe enthält olcRootPW, also den Passwort-Hash des Root-DN – vor einer Veröffentlichung entfernen)
- ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=linuggs,dc=de olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=linuggs,dc=de" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=linuggs,dc=de" write by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=linuggs,dc=de olcRootPW: {SSHA}2Iric7Ph1nLUNfoDm8FzOgyTW63kz2gr olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq
struktur
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config dn: cn=module{0},cn=config dn: cn=schema,cn=config dn: cn={0}core,cn=schema,cn=config dn: cn={1}cosine,cn=schema,cn=config dn: cn={2}nis,cn=schema,cn=config dn: cn={3}inetorgperson,cn=schema,cn=config dn: olcBackend={0}hdb,cn=config dn: olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}config,cn=config dn: olcDatabase={1}hdb,cn=config
stimmt der base dn?
ldapsearch -x -LLL -H ldap:/// -b dc=linuggs,dc=de dn dn: dc=linuggs,dc=de dn: cn=admin,dc=linuggs,dc=de
Starten des slapd
systemctl start slapd
Stoppen des slapd
systemctl stop slapd
Neustarten des slapd
systemctl restart slapd
Auf welchem Port lauscht der slapd
netstat -lntp | grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 499/slapd
Welche PID hat der slapd
pgrep slapd 499 500 501
Abfragen
anonym
ldapsearch -x -LLL -H ldap://127.0.0.1 -b dc=linuggs,dc=de
gebunden interaktiv
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -W -H ldap://127.0.0.1 -b dc=linuggs,dc=de
gebunden automatisch (Passwort per -w auf der Kommandozeile; es ist in Prozessliste und Shell-History sichtbar, für Skripte besser -y <Passwortdatei> verwenden)
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -w sysadm -H ldap://127.0.0.1 -b dc=linuggs,dc=de
Defaultclientkonfiguration von LDAP
füllen der datenbank
struktur.ldif
dn: ou=users,dc=linuggs,dc=de objectClass: organizationalUnit ou: users dn: ou=groups,dc=linuggs,dc=de objectClass: organizationalUnit ou: groups dn: ou=hosts,dc=linuggs,dc=de objectClass: organizationalUnit ou: hosts
struktur hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
gruppe ldif anlegen
- cat group.ldif
dn: cn=it,ou=groups,dc=linuggs,dc=de objectClass: posixGroup cn: it gidNumber: 3001
gruppe hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif adding new entry "cn=it,ou=groups,dc=linuggs,dc=de"
user ldif anlegen
dn: uid=leroy,ou=users,dc=linuggs,dc=de cn: leroy objectClass: account objectClass: posixAccount objectClass: shadowAccount uid: leroy uidNumber: 2001 gidNumber: 3001 homeDirectory: /home/leroy loginShell: /bin/bash
user hinzufügen
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de"
ldapscripts
Openldap posix accounts
ldapsearch
root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber dn: uid=thomas,ou=People,dc=linuggs,dc=de cn: thomas will gidNumber: 5000
apache2 ldap
ssl
Zertifikate generieren
ssl.ldif erstellen
dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.key
konfig hinzufügen
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config
ldaps freischalten
- /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
slapd restart
systemctl restart slapd
slapd ssl check
- netstat -lntp | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2204/slapd tcp6 0 0 :::636 :::* LISTEN 2204/slapd
Links
- https://help.ubuntu.com/lts/serverguide/openldap-server.html
- https://help.ubuntu.com/community/OpenLDAPServer
- http://www.plone-entwicklerhandbuch.de/plone-entwicklerhandbuch/authentifizierung/ldap
- http://www.zytrax.com/books/ldap/
- https://wiki.debian.org/LDAP/OpenLDAPSetup
- https://darkstar.gernox.de/2012/10/28/openldap/
- http://www.openldap.org/doc/admin24/
- https://wiki.debian.org/LDAP/OpenLDAPSetup
- http://askubuntu.com/questions/481917/apache2-4-7-ldap-url-authentication-on-ubuntu-14-04
Servertools
slapadd
User zur SLAPD Datenbank hinzufügen
slapadd -b dc=linuggs,dc=de -l muster.ldif
- -b: Basis-DN (Suffix) der Datenbank
- -l: Informationen werden aus der angegebenen Datei gelesen, nicht vom Standard-Input
slapadd -b dc=linuggs,dc=de -f slapd.conf
- -f: eine alternative slapd.conf benutzen
slapcat
Der Befehl slapcat ermöglicht die Speicherung der aktuellen LDAP-Daten in einer Textdatei im LDIF-Format.
slapcat > ldapdaten.txt