informatica:linux:openldap
informatica:linux:openldap [2016/04/20 07:35] – jose | informatica:linux:openldap [2018/07/24 09:37] (current) – [openldap (seguir este)] javi | ||
Line 1: | Line 1: | ||
- | ====== openldap ====== | + | ====== openldap |
+ | |||
+ | 1. Create dirs | ||
+ | |||
+ | < | ||
+ | ssh 10.41.0.2 | ||
+ | sudo mkdir -p / | ||
+ | sudo mkdir -p / | ||
+ | sudo mkdir -p / | ||
+ | </ | ||
+ | |||
+ | 2. Create container | ||
+ | |||
+ | < | ||
+ | docker run --name ldap \ | ||
+ | -v / | ||
+ | -v / | ||
+ | -v / | ||
+ | -e LDAP_ORGANISATION=" | ||
+ | -e LDAP_DOMAIN=" | ||
+ | -e LDAP_ADMIN_PASSWORD=secret \ | ||
+ | -e SSL_CRT_FILENAME=ldap01_slapd_cert.pem \ | ||
+ | -e SSL_KEY_FILENAME=ldap01_slapd_key.pem \ | ||
+ | -e SSL_CA_CRT_FILENAME=cacert.pem \ | ||
+ | -d osixia/ | ||
+ | </ | ||
+ | |||
+ | IMPORTANT: LDAP_ADMIN_PASSWORD variable will hold the administrative password of " | ||
+ | |||
+ | 2.1. Test it: | ||
+ | |||
+ | **Note**: this step can be performed from phpldapadmin or similar with " | ||
+ | |||
+ | < | ||
+ | docker exec -ti ldap bash | ||
+ | ldapsearch -x -H ldap:// | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | # extended LDIF | ||
+ | # | ||
+ | # LDAPv3 | ||
+ | # base < | ||
+ | # filter: (objectclass=*) | ||
+ | # requesting: ALL | ||
+ | # | ||
+ | |||
+ | # kedu.cat | ||
+ | dn: dc=example, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | o: Kedu SCCL | ||
+ | dc: kedu | ||
+ | |||
+ | # admin, example.com | ||
+ | dn: cn=admin, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | cn: admin | ||
+ | description: | ||
+ | userPassword:: | ||
+ | |||
+ | # search result | ||
+ | search: 2 | ||
+ | result: 0 Success | ||
+ | |||
+ | # numResponses: | ||
+ | # numEntries: 2 | ||
+ | </ | ||
+ | |||
+ | 3. Fix permisions to allow a readonly user. | ||
+ | |||
+ | With this step: | ||
+ | |||
+ | * You will be able to create a " | ||
+ | * Can be used as bind user by 3rd party applications such as zabbix, redmine, etc. | ||
+ | |||
+ | 3.1. Fix permisions: | ||
+ | |||
+ | < | ||
+ | ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W << | ||
+ | dn: olcDatabase={1}mdb, | ||
+ | changetype: modify | ||
+ | delete: olcAccess | ||
+ | - | ||
+ | add: olcAccess | ||
+ | olcAccess: {0}to attrs=userPassword, | ||
+ | olcAccess: {1}to * by self write by dn=" | ||
+ | - | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | |||
+ | < | ||
+ | modifying entry " | ||
+ | </ | ||
+ | |||
+ | 3.2. Create " | ||
+ | |||
+ | **Note**: this step can be performed from phpldapadmin or similar with " | ||
+ | |||
+ | < | ||
+ | ldapadd -x -D ' | ||
+ | dn: cn=readonly, | ||
+ | cn: readonly | ||
+ | description: | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | userpassword: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | adding new entry " | ||
+ | </ | ||
+ | |||
+ | 3.3. Test it: | ||
+ | |||
+ | | " | ||
+ | | Password | secret | | ||
+ | |||
+ | Now you should be able to: | ||
+ | |||
+ | * Configure 3rd party applications (such as Zabbix) using those credentials as a bin acccount (not yet able to use groups yect) | ||
+ | * Login to phpldapadmin avoiding the "This base cannot be created with PLA." error. You should be able to see the entire tree, and once populated, DON'T see credentials such as password for posixAccount objects | ||
+ | |||
+ | 4. Add groupOfNames module/ | ||
+ | |||
+ | This module/ | ||
+ | |||
+ | 4.1. Add module | ||
+ | |||
+ | < | ||
+ | ldapadd -Q -Y EXTERNAL -H ldapi:/// -W << | ||
+ | dn: cn=module, | ||
+ | cn: module | ||
+ | objectClass: | ||
+ | olcModuleLoad: | ||
+ | olcModulePath: | ||
+ | |||
+ | dn: olcOverlay={0}memberof, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | olcOverlay: memberof | ||
+ | olcMemberOfDangling: | ||
+ | olcMemberOfRefInt: | ||
+ | olcMemberOfGroupOC: | ||
+ | olcMemberOfMemberAD: | ||
+ | olcMemberOfMemberOfAD: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | adding new entry " | ||
+ | |||
+ | adding new entry " | ||
+ | </ | ||
+ | |||
+ | 4.2. Configure it | ||
+ | |||
+ | < | ||
+ | ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W << | ||
+ | dn: cn=module{1}, | ||
+ | add: olcmoduleload | ||
+ | olcmoduleload: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | modifying entry " | ||
+ | </ | ||
+ | |||
+ | 4.3. Add overlay: | ||
+ | |||
+ | < | ||
+ | ldapadd -Q -Y EXTERNAL -H ldapi:/// -W << | ||
+ | dn: olcOverlay={1}refint, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | olcOverlay: {1}refint | ||
+ | olcRefintAttribute: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | adding new entry " | ||
+ | </ | ||
+ | |||
+ | 5. Load test data: | ||
+ | |||
+ | **Note**: this step can be performed from phpldapadmin or similar with " | ||
+ | |||
+ | < | ||
+ | ldapadd -x -D ' | ||
+ | dn: ou=groups, | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | ou: groups | ||
+ | |||
+ | dn: cn=testgroup, | ||
+ | cn: testgroup | ||
+ | member: cn=user1, | ||
+ | member: cn=user2, | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | |||
+ | dn: ou=people, | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | ou: people | ||
+ | |||
+ | dn: cn=user1, | ||
+ | cn: user1 | ||
+ | gidnumber: 10001 | ||
+ | givenname: User | ||
+ | homedirectory: | ||
+ | loginshell: /bin/bash | ||
+ | mail: user1@example.com | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | sn: One | ||
+ | uid: user1 | ||
+ | uidnumber: 10001 | ||
+ | userpassword: | ||
+ | |||
+ | dn: cn=user2, | ||
+ | cn: user2 | ||
+ | gidnumber: 10001 | ||
+ | givenname: User | ||
+ | homedirectory: | ||
+ | loginshell: /bin/bash | ||
+ | mail: user2@example.com | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | objectclass: | ||
+ | sn: Two | ||
+ | uid: user2 | ||
+ | uidnumber: 10002 | ||
+ | userpassword: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | adding new entry " | ||
+ | |||
+ | adding new entry " | ||
+ | |||
+ | adding new entry " | ||
+ | |||
+ | adding new entry " | ||
+ | |||
+ | adding new entry " | ||
+ | </ | ||
+ | |||
+ | 5.1. Test it: | ||
+ | |||
+ | < | ||
+ | ldapsearch -LL -Y EXTERNAL -H ldapi:/// " | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | SASL/ | ||
+ | SASL username: gidNumber=0+uidNumber=0, | ||
+ | SASL SSF: 0 | ||
+ | version: 1 | ||
+ | |||
+ | dn: uid=test1, | ||
+ | </ | ||
+ | |||
+ | This has FAILED. The reason is that we need to perform a write operation in memberof object " | ||
+ | |||
+ | 5.2. Trigger a write operation in memberof object | ||
+ | |||
+ | TODO: document how to do it via CLI | ||
+ | |||
+ | 5.2.1. Create a phpldapadmin container in the same docker host that is running LDAP container: | ||
+ | |||
+ | < | ||
+ | docker run --name phpldapadmin \ | ||
+ | | ||
+ | -e PHPLDAPADMIN_LDAP_HOSTS=ldap \ | ||
+ | -d osixia/ | ||
+ | </ | ||
+ | |||
+ | 5.2.2. Login to phpldapadmin: | ||
+ | |||
+ | | URL | it will depend on your infraestructure, | ||
+ | | login | cn=admin, | ||
+ | | password | secret | | ||
+ | |||
+ | 5.2.3. Click on " | ||
+ | |||
+ | 5.2.4. Click on " | ||
+ | |||
+ | 5.2.5. Click on " | ||
+ | |||
+ | 5.2.6. Click on " | ||
+ | |||
+ | 5.2.7. Click on " | ||
+ | |||
+ | 5.2.8. Click on " | ||
+ | |||
+ | TODO: this command will remove the object " | ||
+ | |||
+ | < | ||
+ | ldapmodify -x -D " | ||
+ | dn: cn=testgroup, | ||
+ | changetype: modify | ||
+ | delete: member | ||
+ | member: cn=user2, | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | modifying entry " | ||
+ | </ | ||
+ | |||
+ | 5.3. Let's repeat step 5.1. again: | ||
+ | |||
+ | < | ||
+ | ldapsearch -LL -Y EXTERNAL -H ldapi:/// " | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | SASL/ | ||
+ | SASL username: gidNumber=0+uidNumber=0, | ||
+ | SASL SSF: 0 | ||
+ | version: 1 | ||
+ | |||
+ | dn: cn=user1, | ||
+ | memberOf: cn=testgroup, | ||
+ | </ | ||
+ | |||
+ | 5.4. Test it using a filter re-usable later on by 3rd party applications, | ||
+ | |||
+ | < | ||
+ | ldapsearch -D " | ||
+ | </ | ||
+ | |||
+ | Enter LDAP Password: | ||
+ | < | ||
+ | secret | ||
+ | </ | ||
+ | |||
+ | Expected output: | ||
+ | |||
+ | < | ||
+ | # extended LDIF | ||
+ | # | ||
+ | # LDAPv3 | ||
+ | # base < | ||
+ | # filter: (& | ||
+ | # requesting: ALL | ||
+ | # | ||
+ | |||
+ | # user1, people, kedu.cat | ||
+ | dn: cn=user1, | ||
+ | cn: user1 | ||
+ | gidNumber: 10001 | ||
+ | givenName: User | ||
+ | homeDirectory: | ||
+ | loginShell: /bin/bash | ||
+ | mail: user1@example.com | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | sn: One | ||
+ | uid: user1 | ||
+ | uidNumber: 10001 | ||
+ | userPassword:: | ||
+ | |||
+ | # search result | ||
+ | search: 2 | ||
+ | result: 0 Success | ||
+ | |||
+ | # numResponses: | ||
+ | # numEntries: 1 | ||
+ | </ | ||
+ | |||
+ | 5.5. Test it with a 3rd party application, | ||
+ | |||
+ | < | ||
+ | (& | ||
+ | </ | ||
+ | |||
+ | ====== openldap (viejo, ignorar, solo se deja por referencia) | ||
open-ldap slapd ldap | open-ldap slapd ldap | ||
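Review bot: the `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W` and `ldapadd -Q -Y EXTERNAL -H ldapi:/// -W` invocations in steps 3.1, 4.1, 4.2 and 4.3 combine a SASL EXTERNAL bind (authenticated by the Unix socket peer credentials, root inside the container) with `-W`, which only prompts for a simple-bind password; the "Enter LDAP Password: secret" blocks that follow each of them are therefore misleading, since whatever is typed at that prompt is not used for the bind. Drop `-W` from those four commands and remove the accompanying "secret" blocks so readers do not conclude that the admin password is what authorises the cn=config change. Two smaller points in the same hunk: `LDAP_ADMIN_PASSWORD=secret` in the `docker run` line of step 2 ends up readable via `docker inspect` and process listings, so an env file or the image's secret mechanism is preferable to a literal on the command line; and the expected output of step 5.4 returns a `userPassword::` attribute, which contradicts the claim in step 3.3 that a non-admin bind should not see password values, so either state that 5.4 binds as admin or revisit the `{0}to attrs=userPassword` ACL of step 3.1. The "TODO: document how to do it via CLI" in 5.2 is already covered by the `ldapmodify ... delete: member` command at the end of 5.2.8 (any write to the group entry triggers the memberof overlay), so that TODO can be resolved by promoting that command, with a note that it removes user2 from the group and must be followed by re-adding the member.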
Line 682: | Line 1118: | ||
tcp 0 0 0.0.0.0: | tcp 0 0 0.0.0.0: | ||
</ | </ | ||
+ | |||
+ | ===== Modificar un registro en LDAP ===== | ||
+ | Para añadir un campo, por ejemplo loginshell al usuario jur. Creeamos el fichero anyadir.ldif: | ||
+ | < | ||
+ | dn: cn=jur, | ||
+ | add: loginshell | ||
+ | loginshell: /bin/bash | ||
+ | </ | ||
+ | |||
+ | Lo añadimos con el comando: | ||
+ | ldapmodify -x -w ******** -D " | ||
+ | | ||
+ | Para modificarlo, | ||
+ | < | ||
+ | dn: cn=jur, | ||
+ | changetype: modify | ||
+ | replace: loginshell | ||
+ | loginshell: /bin/sh | ||
+ | </ | ||
+ | |||
+ | ldapmodify -x -w ******** -D " | ||
+ | |||
+ | |||
+ | ===== Consulta sin corte de línea ===== | ||
+ | ldapsearch -D " | ||
+ | Con linux si tienes perl: | ||
+ | ldapsearch -D " | ||
+ | ===== Consulta de todos los atributos ===== | ||
+ | ldapsearch -D " | ||
+ | < | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | objectClasses: | ||
+ | </ | ||
+ |
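Review bot: the two `ldapmodify -x -w ******** -D "..."` commands in "Modificar un registro en LDAP" and the `ldapsearch -D "..."` examples below it put the bind password on the command line, where it is visible in shell history and in `ps` output for other users on the host; `-W` (interactive prompt) or `-y <file>` with a mode-0600 password file avoids that. Also, the first LDIF (anyadir.ldif) omits `changetype: modify` while the second one includes it; it works because ldapmodify defaults to modify, but adding the line keeps both examples consistent and avoids surprises if someone runs the file through ldapadd.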
informatica/linux/openldap.txt · Last modified: 2018/07/24 09:37 by javi