informatica:linux:openldap

informatica:linux:openldap [2017/11/16 10:22] jose | informatica:linux:openldap [2018/07/24 09:35] javi
Line 1: Line 1:
-====== openldap ======+====== openldap (seguir este) ====== 
 + 
 +1. Create dirs 
 + 
 +<code> 
 +ssh 10.41.0.2 
 +sudo mkdir -p /srv/data/computer/docker/ldap/database 
 +sudo mkdir -p /srv/data/computer/docker/ldap/config 
 +sudo mkdir -p /srv/data/computer/docker/ldap/ssl 
 +</code> 
 + 
 +2. Create container 
 + 
 +<code> 
 +docker run --name ldap \ 
 +  -v /srv/data/computer/docker/ldap/database:/var/lib/ldap \ 
 +  -v /srv/data/computer/docker/ldap/config:/etc/ldap/slapd.d \ 
 +  -v /srv/data/computer/docker/ldap/ssl:/osixia/slapd/assets/ssl \ 
 +  -e LDAP_ORGANISATION="Kedu SCCL" \ 
 +  -e LDAP_DOMAIN="kedu.cat"
 +  -e LDAP_ADMIN_PASSWORD=secret \ 
 +  -e SSL_CRT_FILENAME=ldap01_slapd_cert.pem \ 
 +  -e SSL_KEY_FILENAME=ldap01_slapd_key.pem \ 
 +  -e SSL_CA_CRT_FILENAME=cacert.pem \ 
 +  -d osixia/openldap 
 +</code> 
 + 
 +IMPORTANT: LDAP_ADMIN_PASSWORD variable will hold the administrative password of "cn=admin,dc=example,dc=com" account, and it will be used later on 
 + 
 +2.1. Test  it: 
 + 
 +<code> 
 +docker exec -ti ldap bash 
 +ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +# extended LDIF 
 +
 +# LDAPv3 
 +# base <dc=example,dc=com> with scope subtree 
 +# filter: (objectclass=*) 
 +# requesting: ALL 
 +
 + 
 +# kedu.cat 
 +dn: dc=example,dc=com 
 +objectClass: top 
 +objectClass: dcObject 
 +objectClass: organization 
 +o: Kedu SCCL 
 +dc: kedu 
 + 
 +# admin, example.com 
 +dn: cn=admin,dc=example,dc=com 
 +objectClass: simpleSecurityObject 
 +objectClass: organizationalRole 
 +cn: admin 
 +description: LDAP administrator 
 +userPassword:: e1NTSEF9RzJ2d0w2N05GOUhsdlplbXJpajZNaWdvU0Rub3Urelk= 
 + 
 +# search result 
 +search: 2 
 +result: 0 Success 
 + 
 +# numResponses:
 +# numEntries: 2 
 +</code> 
 + 
 +3. Fix permisions to allow a readonly user. 
 + 
 +With this step: 
 + 
 +  * You will be able to create a "cn=readonly,dc=example,dc=com" user that can read but not modify LDAP entries 
 +  * Can be used as bind user by 3rd party applications such as zabbix, redmine, etc. 
 + 
 +3.1. Fix permisions: 
 + 
 +<code> 
 +ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: olcDatabase={1}mdb,cn=config 
 +changetype: modify 
 +delete: olcAccess 
 +
 +add: olcAccess 
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none 
 +olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read 
 +
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Output: 
 + 
 +<code> 
 +modifying entry "olcDatabase={1}hdb,cn=config" 
 +</code> 
 + 
 +3.2. Create "readonly" user: 
 + 
 +<code> 
 +ldapadd -x -D 'cn=admin,dc=example,dc=com' -w secret -H ldapi:/// <<EOF 
 +dn: cn=readonly,dc=example,dc=com 
 +cn: readonly 
 +description: LDAP readonly to be used by 3rd party applications 
 +objectclass: simpleSecurityObject 
 +objectclass: organizationalRole 
 +objectclass: top 
 +userpassword: {SSHA}hHJACqn9+rMO3a6Vvc+fjwfr7WKzOkKN 
 +EOF 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "cn=readonly,dc=example,dc=com" 
 +</code> 
 + 
 +3.3. Test it: 
 + 
 +| "Username" | cn=readonly,dc=example,dc=com | 
 +| Password | secret | 
 + 
 +Now you should be able to: 
 + 
 +  * Configure 3rd party applications (such as Zabbix) using those credentials as a bin acccount (not yet able to use groups yect) 
 +  * Login to phpldapadmin avoiding the "This base cannot be created with PLA." error. You should be able to see the entire tree, and once populated, DON'T see credentials such as password for posixAccount objects 
 + 
 +4. Add groupOfNames module/overlay 
 + 
 +This module/overlay is needed in order to use LDAP groups in 3rd party applications, such as redmine 
 + 
 +4.1. Add module 
 + 
 +<code> 
 +ldapadd -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: cn=module,cn=config 
 +cn: module 
 +objectClass: olcModuleList 
 +olcModuleLoad: memberof.la 
 +olcModulePath: /usr/lib/ldap 
 +  
 +dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcMemberOf 
 +objectClass: olcOverlayConfig 
 +objectClass: top 
 +olcOverlay: memberof 
 +olcMemberOfDangling: ignore 
 +olcMemberOfRefInt: TRUE 
 +olcMemberOfGroupOC: groupOfNames 
 +olcMemberOfMemberAD: member 
 +olcMemberOfMemberOfAD: memberOf 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "cn=module,cn=config" 
 + 
 +adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config" 
 +</code> 
 + 
 +4.2. Configure it 
 + 
 +<code> 
 +ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: cn=module{1},cn=config 
 +add: olcmoduleload 
 +olcmoduleload: refint.la 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +modifying entry "cn=module{1},cn=config" 
 +</code> 
 + 
 +4.3. Add overlay: 
 + 
 +<code> 
 +ldapadd -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcOverlayConfig 
 +objectClass: olcRefintConfig 
 +objectClass: top 
 +olcOverlay: {1}refint 
 +olcRefintAttribute: memberof member manager owner 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config" 
 +</code> 
 + 
 +5. Load test data: 
 + 
 +<code> 
 +ldapadd -x -D 'cn=admin,dc=example,dc=com' -w secret -H ldapi:/// <<EOF 
 +dn: ou=groups,dc=example,dc=com 
 +objectclass: organizationalUnit 
 +objectclass: top 
 +ou: groups 
 + 
 +dn: cn=testgroup,ou=groups,dc=example,dc=com 
 +cn: testgroup 
 +member: cn=user1,ou=people,dc=example,dc=com 
 +member: cn=user2,ou=people,dc=example,dc=com 
 +objectclass: groupOfNames 
 +objectclass: top 
 + 
 +dn: ou=people,dc=example,dc=com 
 +objectclass: organizationalUnit 
 +objectclass: top 
 +ou: people 
 + 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +cn: user1 
 +gidnumber: 10001 
 +givenname: User 
 +homedirectory: /home/user1 
 +loginshell: /bin/bash 
 +mail: user1@example.com 
 +objectclass: inetOrgPerson 
 +objectclass: posixAccount 
 +objectclass: top 
 +sn: One 
 +uid: user1 
 +uidnumber: 10001 
 +userpassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== 
 + 
 +dn: cn=user2,ou=people,dc=example,dc=com 
 +cn: user2 
 +gidnumber: 10001 
 +givenname: User 
 +homedirectory: /home/user2 
 +loginshell: /bin/bash 
 +mail: user2@example.com 
 +objectclass: inetOrgPerson 
 +objectclass: posixAccount 
 +objectclass: top 
 +sn: Two 
 +uid: user2 
 +uidnumber: 10002 
 +userpassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== 
 +EOF 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "ou=groups,dc=example,dc=com" 
 + 
 +adding new entry "cn=testgroup,ou=groups,dc=example,dc=com" 
 + 
 +adding new entry "ou=people,dc=example,dc=com" 
 + 
 +adding new entry "cn=user1,ou=people,dc=example,dc=com" 
 + 
 +adding new entry "cn=user2,ou=people,dc=example,dc=com" 
 +</code> 
 + 
 +5.1. Test  it: 
 + 
 +<code> 
 +ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user1)" -b dc=example,dc=com memberOf 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +SASL/EXTERNAL authentication started 
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
 +SASL SSF: 0 
 +version: 1 
 + 
 +dn: uid=test1,ou=people,dc=example,dc=com 
 +</code> 
 + 
 +This has FAILED. The reason is that we need to perform a write operation in memberof object "testgroup" in order to trigger the overlay and then see the appropiate information: 
 + 
 +5.2. Trigger a write operation in memberof object 
 + 
 +TODO: document how to do it via CLI 
 + 
 +5.2.1. Create a phpldapadmin container in the same docker host that is running LDAP container: 
 + 
 +<code> 
 +docker run --name phpldapadmin \ 
 + --link ldap:ldap \ 
 + -e PHPLDAPADMIN_LDAP_HOSTS=ldap \ 
 + -d osixia/phpldapadmim 
 +</code> 
 + 
 +5.2.2. Login to phpldapadmin: 
 + 
 +| URL | it will depend on your infraestructure, the simplest way is https://private_ip_phpldapadmin_container | 
 +| login | cn=admin,dc=example,dc=com | 
 +| password | secret | 
 + 
 +5.2.3. Click on "+" to expand the tree 
 + 
 +5.2.4. Click on "+" at the left of "groups" to expand the tree 
 + 
 +5.2.5. Click on "testgroup" 
 + 
 +5.2.6. Click on "modify group members" 
 + 
 +5.2.7. Click on "test2", click on "Remove selected" and click on "Save changes" 
 + 
 +5.2.8. Click on "Update Object" 
 + 
 +TODO: this command will remove the object "uid=test2,ou=people,dc=example,dc=com" and will not trigger memberof overlay, so pending write a command 
 + 
 +<code> 
 +ldapmodify -x -D "cn=admin,dc=example,dc=com" -W <<EOF 
 +dn: cn=testgroup,ou=groups,dc=example,dc=com 
 +changetype: modify 
 +delete: member 
 +member: cn=user2,ou=people,dc=example,dc=com 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +modifying entry "cn=testgroup,ou=groups,dc=example,dc=com" 
 +</code> 
 + 
 +5.3. Let's repeat step 5.1. again: 
 + 
 +<code> 
 +ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user1)" -b dc=example,dc=com memberOf 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +SASL/EXTERNAL authentication started 
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
 +SASL SSF: 0 
 +version: 1 
 + 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +memberOf: cn=testgroup,ou=groups,dc=example,dc=com 
 +</code> 
 + 
 +5.4. Test it using a filter re-usable later on by 3rd party applications, such as redmine: 
 + 
 +<code> 
 +ldapsearch -D "cn=admin,dc=example,dc=com" -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' "(&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)(uid=user1))" 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +# extended LDIF 
 +
 +# LDAPv3 
 +# base <dc=example,dc=com> with scope subtree 
 +# filter: (&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)(uid=user1)) 
 +# requesting: ALL 
 +
 + 
 +# user1, people, kedu.cat 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +cn: user1 
 +gidNumber: 10001 
 +givenName: User 
 +homeDirectory: /home/user1 
 +loginShell: /bin/bash 
 +mail: user1@example.com 
 +objectClass: inetOrgPerson 
 +objectClass: posixAccount 
 +objectClass: top 
 +sn: One 
 +uid: user1 
 +uidNumber: 10001 
 +userPassword:: e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0= 
 + 
 +# search result 
 +search: 2 
 +result: 0 Success 
 + 
 +# numResponses:
 +# numEntries: 1 
 +</code> 
 + 
 +5.5. Test it with a 3rd party application, such as redmine. Filter: 
 + 
 +<code> 
 +(&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)) 
 +</code> 
 + 
 +====== openldap (viejo, ignorar, solo se deja por referencia) ======
  
 open-ldap slapd ldap open-ldap slapd ldap
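Review bot: the `docker run` in step 2 is broken by the missing line continuation after `-e LDAP_DOMAIN="kedu.cat"`; the shell ends the command there and tries to run the remaining `-e ... -d osixia/openldap` lines as separate commands, so add the trailing `\`. The same line sets LDAP_DOMAIN to kedu.cat, which the osixia image turns into a base DN of dc=kedu,dc=cat, while every later command and the 2.1 output use dc=example,dc=com (the output itself mixes "# kedu.cat" and "dc: kedu" with "dn: dc=example,dc=com"); pick one domain and make the page consistent. On the ACL in 3.1, `olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read` grants read access to anonymous binds, which defeats the purpose of the dedicated cn=readonly bind user and exposes the whole tree (memberOf and posixAccount attributes included) to any unauthenticated client that can reach port 389; use `by users read`, or an explicit `by dn="cn=readonly,dc=example,dc=com" read by * none`, so that only authenticated binds can read, and keep the `{0}` rule protecting userPassword as it is. Several smaller inconsistencies: the 3.1 output reports `olcDatabase={1}hdb` although the LDIF modifies `{1}mdb`; `-Q -Y EXTERNAL` combined with `-W` in 3.1, 4.1, 4.2 and 4.3 prompts for a simple-bind password that the SASL EXTERNAL bind never uses, so drop `-W` together with the "Enter LDAP Password: secret" blocks; the image name in 5.2.1 is misspelled (`osixia/phpldapadmim`); and the 5.1 output and steps 5.2.7/5.2.8 refer to `uid=test1`/`uid=test2` while the test data creates `cn=user1`/`cn=user2`. On the 5.1 failure, the test LDIF adds cn=testgroup with members under ou=people before ou=people and the user entries exist, and `olcMemberOfDangling: ignore` silently skips those dangling members, so memberOf is never written; reorder the LDIF so ou=people and the users precede the group and the overlay populates memberOf on add, which removes the need for the phpldapadmin workaround in 5.2. Finally, both test users carry the same {MD5} userpassword hash, and the admin password appears on the command line as `-w secret` (and as `-e LDAP_ADMIN_PASSWORD=secret` in step 2), where it ends up in shell history and in `docker inspect` output; generate {SSHA} hashes with slappasswd and prefer `-W` or a password file (`-y`) for the interactive steps.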
Line 719: Line 1149:
 objectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) ) objectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
 </code> </code>
-   
  
informatica/linux/openldap.txt · Last modified: 2018/07/24 09:37 by javi