informatica:linux:openldap
informatica:linux:openldap [2013/10/03 09:28] – [HTTP plano] javi
informatica:linux:openldap [2017/11/16 10:22] jose
Line 436: Line 436:
 ==== TLS ==== ==== TLS ====
  
-TODO+1. Configuracion del virtual host: 
 + 
 +<code> 
 +<VirtualHost *:443> 
 +        ServerName testldap.example.com 
 +        ServerAdmin webmaster@localhost 
 +        DocumentRoot /srv/www/testldap 
 + 
 +        <Directory /> 
 +                Options FollowSymLinks 
 +                AllowOverride None 
 +        </Directory> 
 + 
 +        <Directory /srv/www/testldap> 
 +         Options Indexes ExecCGI FollowSymLinks 
 +        order allow,deny 
 +        allow from all 
 + 
 +        AuthName "AuthRequired" 
 +        AuthType Basic 
 +        AuthBasicProvider ldap 
 + 
 +        AuthLDAPBindDN cn=readonly,dc=example,dc=com 
 +        AuthLDAPBindPassword clearpassword 
 +        AuthLDAPURL "ldaps://ldap.local.jamgo.org:636/ou=people,dc=jamgo,dc=org" 
 + 
 +        require valid-user 
 +       </Directory> 
 + 
 +        ErrorLog ${APACHE_LOG_DIR}/testldap.error.log 
 +        # Possible values include: debug, info, notice, warn, error, crit, 
 +        # alert, emerg. 
 +        LogLevel warn 
 +        CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined 
 +</VirtualHost> 
 +</code> 
 + 
 +2. Crear el siguiente archivo: 
 + 
 +  sudo vim /etc/apache2/conf.d/ldap-tls 
 +   
 +Con el siguiente contenido: 
 + 
 +  LDAPVerifyServerCert Off 
 + 
 +3. (TODO) Comprobar si es necesario reiniciar apache o con el reload de mas adelante es suficiente 
  
 ==== Comprobacion ==== ==== Comprobacion ====
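Review bot: `LDAPVerifyServerCert Off` in step 2 makes mod_ldap accept any certificate presented by the ldaps:// server, so the TLS connection configured in step 1 gives no protection against an impersonated LDAP server; keep the default `On` and trust the issuing CA instead, e.g. `LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt` in the same conf.d file (path is a placeholder). In the vhost, the bind DN `cn=readonly,dc=example,dc=com` does not belong to the `dc=jamgo,dc=org` tree named in AuthLDAPURL, which suggests one of the two was pasted from another environment; `AuthLDAPBindPassword clearpassword` stores the bind password in clear text in the vhost file, and `order allow,deny` / `allow from all` is Apache 2.2 syntax (Apache 2.4 uses `Require all granted`). For step 3, a configuration change like this needs at least a reload, so the reload mentioned later is sufficient.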
Line 612: Line 657:
 Mas info: Mas info:
  
-LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.+ 
 +LDAP over TLS/SSL (ldaps: / / ) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. 
  
 10. Tighten up ownership and permissions: 10. Tighten up ownership and permissions:
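Review bot: the re-added paragraph differs from the removed one only in `ldaps: / / ` replacing `ldaps://`, which breaks the URL scheme, plus an extra blank line; restore `ldaps://` so the hunk is a no-op. Note also that this text calls ldaps on port 636 deprecated in favour of StartTLS, while the TLS section above configures `AuthLDAPURL "ldaps://...:636"`; if StartTLS is the intended direction, mod_authnz_ldap supports it by appending the `STARTTLS` connection type after the quoted `ldap://host:389/...` URL.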
Line 635: Line 682:
 tcp        0      0 0.0.0.0:389             0.0.0.0:              LISTEN      15275/slapd tcp        0      0 0.0.0.0:389             0.0.0.0:              LISTEN      15275/slapd
 </code> </code>
 +
 +===== Modificar un registro en LDAP =====
 +Para añadir un campo, por ejemplo loginshell al usuario jur. Creeamos el fichero anyadir.ldif:
 +<code>
 +dn: cn=jur,dc=lobo99,dc=info
 +add: loginshell
 +loginshell: /bin/bash
 +</code>
 +
 +Lo añadimos con el comando:
 +  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f anyadir.ldif
 +  
 +Para modificarlo, creamos el fichero modificar.ldif
 +<code>
 +dn: cn=jur,dc=lobo99,dc=info
 +changetype: modify
 +replace: loginshell
 +loginshell: /bin/sh
 +</code>
 +
 +  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f modificar.ldif
 +
 +
 +===== Consulta sin corte de línea =====
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
 +Con linux si tienes perl:
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v | perl -p00e 's/\r?\n //g'
 +===== Consulta de todos los atributos =====
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
 +<code>
 +objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
 +objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC4512: extensible object' SUP top AUXILIARY )
 +objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
 +objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref )
 +objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
 +objectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
 +</code>
 +  
 +
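Review bot: the `ldapmodify -x -w ********` and `ldapsearch ... -w ****` invocations pass the bind password on the command line, where it is visible in the process list and in shell history; prefer `-W` (interactive prompt) or `-y passwordfile`. In anyadir.ldif add an explicit `changetype: modify` line, as modificar.ldif already has, so the operation does not depend on ldapmodify's default behaviour. The 'Consulta de todos los atributos' section repeats exactly the ldapsearch command of the previous section and its output lists objectClasses, so either the heading or the command should be adjusted. Minor: `-h 172.17.0.2 -p 389` is the deprecated host/port form (`-H ldap://172.17.0.2:389` is current), and 'Creeamos' should read 'Creamos'.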
informatica/linux/openldap.txt · Last modified: 2018/07/24 09:37 by javi