Differences

This shows you the differences between two versions of the page.

--- informatica:linux:openldap [2013/07/03 09:02] – external edit 127.0.0.1
+++ informatica:linux:openldap [2017/11/16 10:22] – jose
@@ Line 323: / Line 323: @@
 . Verificar:
-  ldapsearch -xLLL -b "dc=example,dc=com" uid=perico
+  ldapsearch -x -LLL -b "dc=example,dc=com" uid=perico
 Salida:
@@ Line 389: / Line 389: @@
 . (Apache) Habilitar el modulo ldap
-  sudo a2enmod ldap
+  sudo a2enmod authnz_ldap
-. (Apache) Ejemplo de virtualhost:
+==== HTTP plano ====
+. (Apache) Ejemplo de virtualhost:
 <code>
@@ Line 405: / Line 407: @@
         <Directory /srv/www/testldap>
+         Options Indexes ExecCGI FollowSymLinks
         order allow,deny
         allow from all
         AuthName "AuthRequired"
         AuthType Basic
         AuthBasicProvider ldap
-        AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com"
+        AuthLDAPBindDN cn=readonly,dc=example,dc=com
+        AuthLDAPBindPassword clearpassword
+        AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com" STARTTLS
         require valid-user
-        </Directory>
+       </Directory>
         ErrorLog ${APACHE_LOG_DIR}/testldap.error.log
         # Possible values include: debug, info, notice, warn, error, crit,
         # alert, emerg.
         LogLevel warn
         CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined
 </VirtualHost>
@@ Line 429: / Line 434: @@
 Ver [[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapurl|authldapurl]]
-. (Apache) Reiniciar Apache:
+==== TLS ====
-  sudo /etc/init.d/apache2 restart
+. Configuracion del virtual host:
-. En un navegador teclear:
+<code>
+<VirtualHost *:443>
+        ServerName testldap.example.com
+        ServerAdmin webmaster@localhost
+        DocumentRoot /srv/www/testldap
+        <Directory />
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+        <Directory /srv/www/testldap>
+         Options Indexes ExecCGI FollowSymLinks
+        order allow,deny
+        allow from all
+        AuthName "AuthRequired"
+        AuthType Basic
+        AuthBasicProvider ldap
+        AuthLDAPBindDN cn=readonly,dc=example,dc=com
+        AuthLDAPBindPassword clearpassword
+        AuthLDAPURL "ldaps://ldap.local.jamgo.org:636/ou=people,dc=jamgo,dc=org"
+        require valid-user
+       </Directory>
+        ErrorLog ${APACHE_LOG_DIR}/testldap.error.log
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+        CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined
+</VirtualHost>
+</code>
+. Crear el siguiente archivo:
+  sudo vim /etc/apache2/conf.d/ldap-tls
+Con el siguiente contenido:
+  LDAPVerifyServerCert Off
+. (TODO) Comprobar si es necesario reiniciar apache o con el reload de mas adelante es suficiente
+==== Comprobacion ====
+. (Apache) Reiniciar Apache:
+  sudo service apache2 reload
+. En un navegador teclear:
   http://testldap.example.com
@@ Line 601: / Line 657: @@
 Mas info:
-LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.
+LDAP over TLS/SSL (ldaps: / / ) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.
 . Tighten up ownership and permissions:
@@ Line 624: / Line 682: @@
 tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      15275/slapd
 </code>
+===== Modificar un registro en LDAP =====
+Para añadir un campo, por ejemplo loginshell al usuario jur. Creeamos el fichero anyadir.ldif:
+<code>
+dn: cn=jur,dc=lobo99,dc=info
+add: loginshell
+loginshell: /bin/bash
+</code>
+Lo añadimos con el comando:
+  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f anyadir.ldif
+Para modificarlo, creamos el fichero modificar.ldif
+<code>
+dn: cn=jur,dc=lobo99,dc=info
+changetype: modify
+replace: loginshell
+loginshell: /bin/sh
+</code>
+  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f modificar.ldif
+===== Consulta sin corte de línea =====
+  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
+Con linux si tienes perl:
+  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v | perl -p00e 's/\r?\n //g'
+===== Consulta de todos los atributos =====
+  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
+<code>
+objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
+objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC4512: extensible object' SUP top AUXILIARY )
+objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
+objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref )
+objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
+objectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
+</code>