informatica:linux:openldap
informatica:linux:openldap [2013/05/23 14:30] – javi | informatica:linux:openldap [2017/11/16 10:22] – jose | ||
Line 125: | Line 125: | ||
</ | </ | ||
- | NOTA: la contrasenya de los usuarios luego la cambiamos con phpldapmyadmin | + | NOTA: la contrasenya de los usuarios luego la cambiamos con [[phpldapadmin]] |
2. Ejecutar: | 2. Ejecutar: | ||
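Review bot: the wikilink target [[phpldapadmin]] has to exist as a page with exactly that id, otherwise the corrected name just becomes a dangling link; also "contrasenya" is Catalan, the Spanish spelling is "contraseña". Since the note says the users' passwords are only set properly later through phpldapadmin, the text should say that whatever value is assigned in this step is a temporary credential and must not be reused anywhere else.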
Line 323: | Line 323: | ||
5. Verificar: | 5. Verificar: | ||
- | ldapsearch -xLLL -b " | + | ldapsearch -x -LLL -b " |
Salida: | Salida: | ||
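Review bot: `-xLLL` and `-x -LLL` are parsed identically by ldapsearch (none of these flags takes an argument), so this is a readability change only. It would help the reader to say in the text that `-x` selects simple bind, and that with no `-D` in the visible part of the command the search runs as an anonymous bind, so the output shown under "Salida:" depends on the directory's ACLs allowing anonymous read of that base.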
Line 359: | Line 359: | ||
</ | </ | ||
- | 6. A partir de aqui ya podriamos probar con PhpLdapAdmin: | + | 6. A partir de aqui ya podriamos probar con [[phpldapadmin]]: |
Login DN: cn=admin, | Login DN: cn=admin, | ||
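Review bot: the Login DN given for phpldapadmin is `cn=admin,...`, the directory administrator; the text should say that this full-privilege account is used here only to verify the installation, and that routine browsing should use a less privileged bind DN (the Apache section later on this page already defines a `cn=readonly,...` DN that would serve). The link rename is consistent with the change at Line 125.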
Line 389: | Line 389: | ||
1. (Apache) Habilitar el modulo ldap | 1. (Apache) Habilitar el modulo ldap | ||
- | sudo a2enmod | + | sudo a2enmod |
- | 2. (Apache) Ejemplo de virtualhost: | + | ==== HTTP plano ==== |
+ | |||
+ | 1. (Apache) Ejemplo de virtualhost: | ||
< | < | ||
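Review bot: the module name after `sudo a2enmod` is lost in this rendering, so the step cannot be checked. Under the new `==== HTTP plano ====` subsection the numbering restarts at 1 while the a2enmod step above it is still step 1 of the parent section, so the reader sees two consecutive "1." steps; either leave the a2enmod step unnumbered or move it inside the subsection.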
Line 405: | Line 407: | ||
< | < | ||
+ | | ||
order allow,deny | order allow,deny | ||
allow from all | allow from all | ||
+ | |||
AuthName " | AuthName " | ||
AuthType Basic | AuthType Basic | ||
AuthBasicProvider ldap | AuthBasicProvider ldap | ||
- | | + | |
+ | AuthLDAPBindDN cn=readonly, | ||
+ | AuthLDAPBindPassword clearpassword | ||
+ | | ||
require valid-user | require valid-user | ||
- | | + | </ |
ErrorLog ${APACHE_LOG_DIR}/ | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | |||
# Possible values include: debug, info, notice, warn, error, crit, | # Possible values include: debug, info, notice, warn, error, crit, | ||
# alert, emerg. | # alert, emerg. | ||
LogLevel warn | LogLevel warn | ||
- | |||
CustomLog ${APACHE_LOG_DIR}/ | CustomLog ${APACHE_LOG_DIR}/ | ||
</ | </ | ||
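Review bot: `AuthLDAPBindPassword clearpassword` stores the bind password in cleartext in the vhost file; say that `clearpassword` is a placeholder, that the file must not be world-readable (Apache reads its configuration as root, so root-only permissions are fine), and that on Apache 2.4.5 and later the `exec:` prefix lets the password be fetched from a program instead. Binding with a dedicated `cn=readonly,...` DN rather than cn=admin is the right choice. Because this subsection is "HTTP plano", `AuthType Basic` sends each user's LDAP password base64-encoded in the clear on every request; the text should state that and point to the TLS subsection. `order allow,deny` / `allow from all` is Apache 2.2 syntax; on 2.4 it needs mod_access_compat, and can simply be dropped since `require valid-user` already controls access to the directory.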
Line 429: | Line 434: | ||
Ver [[http:// | Ver [[http:// | ||
- | 3. (Apache) Reiniciar Apache: | + | ==== TLS ==== |
- | sudo /etc/init.d/apache2 restart | + | 1. Configuracion del virtual host: |
- | 4. En un navegador teclear: | + | < |
+ | < | ||
+ | ServerName testldap.example.com | ||
+ | ServerAdmin webmaster@localhost | ||
+ | DocumentRoot / | ||
+ | |||
+ | < | ||
+ | Options FollowSymLinks | ||
+ | AllowOverride None | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | | ||
+ | order allow, | ||
+ | allow from all | ||
+ | |||
+ | AuthName " | ||
+ | AuthType Basic | ||
+ | AuthBasicProvider ldap | ||
+ | |||
+ | AuthLDAPBindDN cn=readonly, | ||
+ | AuthLDAPBindPassword clearpassword | ||
+ | AuthLDAPURL " | ||
+ | |||
+ | require valid-user | ||
+ | </ | ||
+ | |||
+ | ErrorLog ${APACHE_LOG_DIR}/ | ||
+ | # Possible values include: debug, info, notice, warn, error, crit, | ||
+ | # alert, emerg. | ||
+ | LogLevel warn | ||
+ | CustomLog ${APACHE_LOG_DIR}/ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | 2. Crear el siguiente archivo: | ||
+ | |||
+ | sudo vim / | ||
+ | |||
+ | Con el siguiente contenido: | ||
+ | |||
+ | LDAPVerifyServerCert Off | ||
+ | |||
+ | 3. (TODO) Comprobar si es necesario reiniciar apache o con el reload de mas adelante es suficiente | ||
+ | |||
+ | ==== Comprobacion ==== | ||
+ | |||
+ | 1. (Apache) Reiniciar Apache: | ||
+ | |||
+ | sudo service apache2 reload | ||
+ | |||
+ | 2. En un navegador teclear: | ||
http:// | http:// | ||
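Review bot: `LDAPVerifyServerCert Off` in step 2 turns off validation of the LDAP server's certificate, so the TLS added here only protects against passive sniffing and not against a spoofed LDAP server; keep verification on and instead install the signing CA in that same file with `LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt` (a mod_ldap server-context directive). Step 1 of "Comprobacion" is labelled "Reiniciar" but runs `service apache2 reload`; a reload is a graceful restart and does re-read the configuration, which also resolves the TODO in step 3. The vhost's `AuthLDAPBindPassword clearpassword` has the same cleartext-password concern raised for the plain-HTTP vhost.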
Line 601: | Line 657: | ||
Mas info: | Mas info: | ||
- | LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. | + | |
+ | LDAP over TLS/SSL (ldaps: / / ) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. | ||
10. Tighten up ownership and permissions: | 10. Tighten up ownership and permissions: | ||
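Review bot: the `+` line writes the scheme as `ldaps: / /` with spaces, presumably to stop the wiki turning it into a link; use DokuWiki's nowiki markup (`%%ldaps://%%`) so the copied text stays accurate. The paragraph reads as a quotation from external documentation (the "Mas info:" link is cut off in this view), so its source should be cited; the port numbers it gives (389 for StartTLS, 636 for LDAPS) are what the netstat listing in the next hunk should be checked against.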
Line 624: | Line 682: | ||
tcp 0 0 0.0.0.0: | tcp 0 0 0.0.0.0: | ||
</ | </ | ||
+ | |||
+ | ===== Modificar un registro en LDAP ===== | ||
+ | Para añadir un campo, por ejemplo loginshell al usuario jur. Creeamos el fichero anyadir.ldif: | ||
+ | < | ||
+ | dn: cn=jur, | ||
+ | add: loginshell | ||
+ | loginshell: /bin/bash | ||
+ | </ | ||
+ | |||
+ | Lo añadimos con el comando: | ||
+ | ldapmodify -x -w ******** -D " | ||
+ | | ||
+ | Para modificarlo, | ||
+ | < | ||
+ | dn: cn=jur, | ||
+ | changetype: modify | ||
+ | replace: loginshell | ||
+ | loginshell: /bin/sh | ||
+ | </ | ||
+ | |||
+ | ldapmodify -x -w ******** -D " | ||
+ | |||
+ | |||
+ | ===== Consulta sin corte de línea ===== | ||
+ | ldapsearch -D " | ||
+ | Con linux si tienes perl: | ||
+ | ldapsearch -D " | ||
+ | ===== Consulta de todos los atributos ===== | ||
+ | ldapsearch -D " | ||
+ | < | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | </ | ||
+ | | ||
+ |
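Review bot: the two `ldapmodify -x -w ******** -D "..."` commands (and the ldapsearch commands below them) pass the bind password on the command line, where it is visible in `ps` output and kept in shell history; use `-W` to be prompted or `-y passwordfile` instead. In anyadir.ldif the `changetype: modify` line is missing while the second LDIF has it; ldapmodify defaults to modify when `-a` is not given, so it works, but being explicit avoids a surprise if someone later runs it with `-a`. Typo: "Creeamos" should be "Creamos"; the attribute is `loginShell` in the schema (attribute names are case-insensitive, so `loginshell` is accepted, but matching the schema spelling helps when searching the output).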
informatica/linux/openldap.txt · Last modified: 2018/07/24 09:37 by javi