informatica:linux:openldap
informatica:linux:openldap [2013/05/23 15:58] javi
informatica:linux:openldap [2018/07/24 09:37] (current) – [openldap (seguir este)] javi
Line 1: Line 1:
-====== openldap ======+====== openldap (seguir este) ====== 
 + 
 +1. Create dirs 
 + 
 +<code> 
 +ssh 10.41.0.2 
 +sudo mkdir -p /srv/data/computer/docker/ldap/database 
 +sudo mkdir -p /srv/data/computer/docker/ldap/config 
 +sudo mkdir -p /srv/data/computer/docker/ldap/ssl 
 +</code> 
 + 
 +2. Create container 
 + 
 +<code> 
 +docker run --name ldap \ 
 +  -v /srv/data/computer/docker/ldap/database:/var/lib/ldap \ 
 +  -v /srv/data/computer/docker/ldap/config:/etc/ldap/slapd.d \ 
 +  -v /srv/data/computer/docker/ldap/ssl:/osixia/slapd/assets/ssl \ 
 +  -e LDAP_ORGANISATION="Kedu SCCL" \ 
 +  -e LDAP_DOMAIN="kedu.cat"
 +  -e LDAP_ADMIN_PASSWORD=secret \ 
 +  -e SSL_CRT_FILENAME=ldap01_slapd_cert.pem \ 
 +  -e SSL_KEY_FILENAME=ldap01_slapd_key.pem \ 
 +  -e SSL_CA_CRT_FILENAME=cacert.pem \ 
 +  -d osixia/openldap 
 +</code> 
 + 
 +IMPORTANT: LDAP_ADMIN_PASSWORD variable will hold the administrative password of "cn=admin,dc=example,dc=com" account, and it will be used later on 
 + 
 +2.1. Test  it: 
 + 
 +**Note**: this step can be performed from phpldapadmin or similar with "cn=admin,dc=example,dc=com" account 
 +   
 +<code> 
 +docker exec -ti ldap bash 
 +ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +# extended LDIF 
 +
 +# LDAPv3 
 +# base <dc=example,dc=com> with scope subtree 
 +# filter: (objectclass=*) 
 +# requesting: ALL 
 +
 + 
 +# kedu.cat 
 +dn: dc=example,dc=com 
 +objectClass: top 
 +objectClass: dcObject 
 +objectClass: organization 
 +o: Kedu SCCL 
 +dc: kedu 
 + 
 +# admin, example.com 
 +dn: cn=admin,dc=example,dc=com 
 +objectClass: simpleSecurityObject 
 +objectClass: organizationalRole 
 +cn: admin 
 +description: LDAP administrator 
 +userPassword:: e1NTSEF9RzJ2d0w2N05GOUhsdlplbXJpajZNaWdvU0Rub3Urelk= 
 + 
 +# search result 
 +search: 2 
 +result: 0 Success 
 + 
 +# numResponses:
 +# numEntries: 2 
 +</code> 
 + 
 +3. Fix permisions to allow a readonly user. 
 + 
 +With this step: 
 + 
 +  * You will be able to create a "cn=readonly,dc=example,dc=com" user that can read but not modify LDAP entries 
 +  * Can be used as bind user by 3rd party applications such as zabbix, redmine, etc. 
 + 
 +3.1. Fix permisions: 
 + 
 +<code> 
 +ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: olcDatabase={1}mdb,cn=config 
 +changetype: modify 
 +delete: olcAccess 
 +
 +add: olcAccess 
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none 
 +olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read 
 +
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Output: 
 + 
 +<code> 
 +modifying entry "olcDatabase={1}hdb,cn=config" 
 +</code> 
 + 
 +3.2. Create "readonly" user: 
 + 
 +**Note**: this step can be performed from phpldapadmin or similar with "cn=admin,dc=example,dc=com" account 
 + 
 +<code> 
 +ldapadd -x -D 'cn=admin,dc=example,dc=com' -w secret -H ldapi:/// <<EOF 
 +dn: cn=readonly,dc=example,dc=com 
 +cn: readonly 
 +description: LDAP readonly to be used by 3rd party applications 
 +objectclass: simpleSecurityObject 
 +objectclass: organizationalRole 
 +objectclass: top 
 +userpassword: {SSHA}hHJACqn9+rMO3a6Vvc+fjwfr7WKzOkKN 
 +EOF 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "cn=readonly,dc=example,dc=com" 
 +</code> 
 + 
 +3.3. Test it: 
 + 
 +| "Username" | cn=readonly,dc=example,dc=com | 
 +| Password | secret | 
 + 
 +Now you should be able to: 
 + 
 +  * Configure 3rd party applications (such as Zabbix) using those credentials as a bin acccount (not yet able to use groups yect) 
 +  * Login to phpldapadmin avoiding the "This base cannot be created with PLA." error. You should be able to see the entire tree, and once populated, DON'T see credentials such as password for posixAccount objects 
 + 
 +4. Add groupOfNames module/overlay 
 + 
 +This module/overlay is needed in order to use LDAP groups in 3rd party applications, such as redmine 
 + 
 +4.1. Add module 
 + 
 +<code> 
 +ldapadd -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: cn=module,cn=config 
 +cn: module 
 +objectClass: olcModuleList 
 +olcModuleLoad: memberof.la 
 +olcModulePath: /usr/lib/ldap 
 +  
 +dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcMemberOf 
 +objectClass: olcOverlayConfig 
 +objectClass: top 
 +olcOverlay: memberof 
 +olcMemberOfDangling: ignore 
 +olcMemberOfRefInt: TRUE 
 +olcMemberOfGroupOC: groupOfNames 
 +olcMemberOfMemberAD: member 
 +olcMemberOfMemberOfAD: memberOf 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "cn=module,cn=config" 
 + 
 +adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config" 
 +</code> 
 + 
 +4.2. Configure it 
 + 
 +<code> 
 +ldapmodify -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: cn=module{1},cn=config 
 +add: olcmoduleload 
 +olcmoduleload: refint.la 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +modifying entry "cn=module{1},cn=config" 
 +</code> 
 + 
 +4.3. Add overlay: 
 + 
 +<code> 
 +ldapadd -Q -Y EXTERNAL -H ldapi:/// -W <<EOF 
 +dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config 
 +objectClass: olcConfig 
 +objectClass: olcOverlayConfig 
 +objectClass: olcRefintConfig 
 +objectClass: top 
 +olcOverlay: {1}refint 
 +olcRefintAttribute: memberof member manager owner 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config" 
 +</code> 
 + 
 +5. Load test data: 
 + 
 +**Note**: this step can be performed from phpldapadmin or similar with "cn=admin,dc=example,dc=com" account 
 + 
 +<code> 
 +ldapadd -x -D 'cn=admin,dc=example,dc=com' -w secret -H ldapi:/// <<EOF 
 +dn: ou=groups,dc=example,dc=com 
 +objectclass: organizationalUnit 
 +objectclass: top 
 +ou: groups 
 + 
 +dn: cn=testgroup,ou=groups,dc=example,dc=com 
 +cn: testgroup 
 +member: cn=user1,ou=people,dc=example,dc=com 
 +member: cn=user2,ou=people,dc=example,dc=com 
 +objectclass: groupOfNames 
 +objectclass: top 
 + 
 +dn: ou=people,dc=example,dc=com 
 +objectclass: organizationalUnit 
 +objectclass: top 
 +ou: people 
 + 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +cn: user1 
 +gidnumber: 10001 
 +givenname: User 
 +homedirectory: /home/user1 
 +loginshell: /bin/bash 
 +mail: user1@example.com 
 +objectclass: inetOrgPerson 
 +objectclass: posixAccount 
 +objectclass: top 
 +sn: One 
 +uid: user1 
 +uidnumber: 10001 
 +userpassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== 
 + 
 +dn: cn=user2,ou=people,dc=example,dc=com 
 +cn: user2 
 +gidnumber: 10001 
 +givenname: User 
 +homedirectory: /home/user2 
 +loginshell: /bin/bash 
 +mail: user2@example.com 
 +objectclass: inetOrgPerson 
 +objectclass: posixAccount 
 +objectclass: top 
 +sn: Two 
 +uid: user2 
 +uidnumber: 10002 
 +userpassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== 
 +EOF 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +adding new entry "ou=groups,dc=example,dc=com" 
 + 
 +adding new entry "cn=testgroup,ou=groups,dc=example,dc=com" 
 + 
 +adding new entry "ou=people,dc=example,dc=com" 
 + 
 +adding new entry "cn=user1,ou=people,dc=example,dc=com" 
 + 
 +adding new entry "cn=user2,ou=people,dc=example,dc=com" 
 +</code> 
 + 
 +5.1. Test  it: 
 + 
 +<code> 
 +ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user1)" -b dc=example,dc=com memberOf 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +SASL/EXTERNAL authentication started 
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
 +SASL SSF: 0 
 +version: 1 
 + 
 +dn: uid=test1,ou=people,dc=example,dc=com 
 +</code> 
 + 
 +This has FAILED. The reason is that we need to perform a write operation in memberof object "testgroup" in order to trigger the overlay and then see the appropiate information: 
 + 
 +5.2. Trigger a write operation in memberof object 
 + 
 +TODO: document how to do it via CLI 
 + 
 +5.2.1. Create a phpldapadmin container in the same docker host that is running LDAP container: 
 + 
 +<code> 
 +docker run --name phpldapadmin \ 
 + --link ldap:ldap \ 
 + -e PHPLDAPADMIN_LDAP_HOSTS=ldap \ 
 + -d osixia/phpldapadmim 
 +</code> 
 + 
 +5.2.2. Login to phpldapadmin: 
 + 
 +| URL | it will depend on your infraestructure, the simplest way is https://private_ip_phpldapadmin_container | 
 +| login | cn=admin,dc=example,dc=com | 
 +| password | secret | 
 + 
 +5.2.3. Click on "+" to expand the tree 
 + 
 +5.2.4. Click on "+" at the left of "groups" to expand the tree 
 + 
 +5.2.5. Click on "testgroup" 
 + 
 +5.2.6. Click on "modify group members" 
 + 
 +5.2.7. Click on "test2", click on "Remove selected" and click on "Save changes" 
 + 
 +5.2.8. Click on "Update Object" 
 + 
 +TODO: this command will remove the object "uid=test2,ou=people,dc=example,dc=com" and will not trigger memberof overlay, so pending write a command 
 + 
 +<code> 
 +ldapmodify -x -D "cn=admin,dc=example,dc=com" -W <<EOF 
 +dn: cn=testgroup,ou=groups,dc=example,dc=com 
 +changetype: modify 
 +delete: member 
 +member: cn=user2,ou=people,dc=example,dc=com 
 +EOF 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +modifying entry "cn=testgroup,ou=groups,dc=example,dc=com" 
 +</code> 
 + 
 +5.3. Let's repeat step 5.1. again: 
 + 
 +<code> 
 +ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user1)" -b dc=example,dc=com memberOf 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +SASL/EXTERNAL authentication started 
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
 +SASL SSF: 0 
 +version: 1 
 + 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +memberOf: cn=testgroup,ou=groups,dc=example,dc=com 
 +</code> 
 + 
 +5.4. Test it using a filter re-usable later on by 3rd party applications, such as redmine: 
 + 
 +<code> 
 +ldapsearch -D "cn=admin,dc=example,dc=com" -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' "(&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)(uid=user1))" 
 +</code> 
 + 
 +Enter LDAP Password:  
 +<code> 
 +secret 
 +</code> 
 + 
 +Expected output: 
 + 
 +<code> 
 +# extended LDIF 
 +
 +# LDAPv3 
 +# base <dc=example,dc=com> with scope subtree 
 +# filter: (&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)(uid=user1)) 
 +# requesting: ALL 
 +
 + 
 +# user1, people, kedu.cat 
 +dn: cn=user1,ou=people,dc=example,dc=com 
 +cn: user1 
 +gidNumber: 10001 
 +givenName: User 
 +homeDirectory: /home/user1 
 +loginShell: /bin/bash 
 +mail: user1@example.com 
 +objectClass: inetOrgPerson 
 +objectClass: posixAccount 
 +objectClass: top 
 +sn: One 
 +uid: user1 
 +uidNumber: 10001 
 +userPassword:: e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0= 
 + 
 +# search result 
 +search: 2 
 +result: 0 Success 
 + 
 +# numResponses:
 +# numEntries: 1 
 +</code> 
 + 
 +5.5. Test it with a 3rd party application, such as redmine. Filter: 
 + 
 +<code> 
 +(&(objectClass=posixAccount)(memberOf=cn=testgroup,ou=groups,dc=example,dc=com)) 
 +</code> 
 + 
 +====== openldap (viejo, ignorar, solo se deja por referencia) ======
  
 open-ldap slapd ldap open-ldap slapd ldap
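Review bot: the ACL written in step 3.1 does not implement the stated goal of a read-only bind user: `olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read` grants every bind, anonymous included, read access to the whole tree, so cn=readonly adds nothing and any client that can reach port 389 can enumerate users and groups. Suggest `by dn="cn=readonly,dc=example,dc=com" read by users read by * none` (or just the readonly DN plus `by * none`); the `{0}` rule already keeps userPassword hidden. The docker run in step 2 is also broken as pasted: `-e LDAP_DOMAIN="kedu.cat"` has no trailing backslash, so the command ends on that line and the remaining `-e` lines are executed as separate commands, and LDAP_DOMAIN=kedu.cat makes osixia/openldap derive the suffix dc=kedu,dc=cat while every later command uses dc=example,dc=com (the expected output in 2.1 mixes both). Smaller points: `-Q -Y EXTERNAL ... -W` prompts for a simple-bind password that SASL EXTERNAL never uses, so the `Enter LDAP Password: secret` blocks after those commands can be dropped; the modify in 3.1 targets olcDatabase={1}mdb but its expected output says {1}hdb; the 5.1 expected output shows `dn: uid=test1,...` and 5.2.7 says "test2" although the data loaded in step 5 is cn=user1/cn=user2, so that output comes from a different run; the ldapmodify in 5.2 has no -H while all the others do; `osixia/phpldapadmim` is a typo for osixia/phpldapadmin; `-w secret` and `LDAP_ADMIN_PASSWORD=secret` leave the admin password in shell history and in `docker inspect`, so prefer -W or -y and a real secret; and the test users are loaded with {MD5} hashes where the {SSHA} used for the readonly user is the better choice.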
Line 323: Line 759:
 5. Verificar: 5. Verificar:
  
-  ldapsearch -xLLL -b "dc=example,dc=com" uid=perico+  ldapsearch -x -LLL -b "dc=example,dc=com" uid=perico
  
 Salida: Salida:
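Review bot: `-xLLL` and `-x -LLL` are equivalent to getopt, so this hunk is cosmetic; worth noting for readers that the command carries neither -H nor -D, so it is an anonymous simple bind against whatever server /etc/ldap/ldap.conf points at, and it only returns entries while the server ACL still grants `by * read` to anonymous.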
Line 389: Line 825:
 1. (Apache) Habilitar el modulo ldap 1. (Apache) Habilitar el modulo ldap
  
-  sudo a2enmod ldap+  sudo a2enmod authnz_ldap
  
-2. (Apache) Ejemplo de virtualhost:+==== HTTP plano ==== 
 + 
 +1. (Apache) Ejemplo de virtualhost:
  
 <code> <code>
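Review bot: the new `==== HTTP plano ====` heading puts HTTP Basic auth on a plain http:// vhost, so every user's LDAP username and password crosses the network in cleartext (base64 is not encryption); keep this variant for local testing only or redirect it to the TLS vhost that the same change adds further down. The `a2enmod ldap` to `a2enmod authnz_ldap` fix is right: `AuthBasicProvider ldap` is implemented by mod_authnz_ldap, and on Debian a2enmod also enables its mod_ldap dependency.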
Line 405: Line 843:
  
         <Directory /srv/www/testldap>         <Directory /srv/www/testldap>
 +         Options Indexes ExecCGI FollowSymLinks
         order allow,deny         order allow,deny
         allow from all         allow from all
 +
         AuthName "AuthRequired"         AuthName "AuthRequired"
         AuthType Basic         AuthType Basic
         AuthBasicProvider ldap         AuthBasicProvider ldap
-        AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com"+ 
 +        AuthLDAPBindDN cn=readonly,dc=example,dc=com 
 +        AuthLDAPBindPassword clearpassword 
 +        AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com" STARTTLS        
         require valid-user         require valid-user
-        </Directory>+       </Directory>
  
         ErrorLog ${APACHE_LOG_DIR}/testldap.error.log         ErrorLog ${APACHE_LOG_DIR}/testldap.error.log
- 
         # Possible values include: debug, info, notice, warn, error, crit,         # Possible values include: debug, info, notice, warn, error, crit,
         # alert, emerg.         # alert, emerg.
         LogLevel warn         LogLevel warn
- 
         CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined         CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined
 </VirtualHost> </VirtualHost>
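Review bot: `AuthLDAPBindPassword clearpassword` stores the readonly bind password in cleartext in the vhost file; at minimum keep that file root-owned and 0640, and on Apache 2.4.5 or later consider the `exec:` prefix so the secret is read from a protected program or file instead of being pasted into the wiki. `Options Indexes ExecCGI FollowSymLinks` is also new and unrelated to LDAP auth: Indexes publishes directory listings and ExecCGI executes scripts from the document root, neither is needed here, so drop them or use `Options -Indexes -ExecCGI`. The `order allow,deny` / `allow from all` pair and the linked 2.0 documentation are Apache 2.2 syntax; on 2.4 they need mod_access_compat, and the native form is to remove those two lines and keep `require valid-user` as the only authorization rule. Appending STARTTLS to AuthLDAPURL is a good change, but it only protects the bind if server certificate verification stays enabled (the `LDAPVerifyServerCert Off` introduced later in this change undoes it).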
Line 429: Line 870:
 Ver [[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapurl|authldapurl]] Ver [[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapurl|authldapurl]]
  
-3. (Apache) Reiniciar Apache:+==== TLS ==== 
 + 
 +1. Configuracion del virtual host: 
 + 
 +<code> 
 +<VirtualHost *:443> 
 +        ServerName testldap.example.com 
 +        ServerAdmin webmaster@localhost 
 +        DocumentRoot /srv/www/testldap 
 + 
 +        <Directory /> 
 +                Options FollowSymLinks 
 +                AllowOverride None 
 +        </Directory> 
 + 
 +        <Directory /srv/www/testldap> 
 +         Options Indexes ExecCGI FollowSymLinks 
 +        order allow,deny 
 +        allow from all 
 + 
 +        AuthName "AuthRequired" 
 +        AuthType Basic 
 +        AuthBasicProvider ldap 
 + 
 +        AuthLDAPBindDN cn=readonly,dc=example,dc=com 
 +        AuthLDAPBindPassword clearpassword 
 +        AuthLDAPURL "ldaps://ldap.local.jamgo.org:636/ou=people,dc=jamgo,dc=org" 
 + 
 +        require valid-user 
 +       </Directory> 
 + 
 +        ErrorLog ${APACHE_LOG_DIR}/testldap.error.log 
 +        # Possible values include: debug, info, notice, warn, error, crit, 
 +        # alert, emerg. 
 +        LogLevel warn 
 +        CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined 
 +</VirtualHost> 
 +</code> 
 + 
 +2. Crear el siguiente archivo: 
 + 
 +  sudo vim /etc/apache2/conf.d/ldap-tls 
 +   
 +Con el siguiente contenido: 
 + 
 +  LDAPVerifyServerCert Off 
 + 
 +3. (TODO) Comprobar si es necesario reiniciar apache o con el reload de mas adelante es suficiente  
 + 
 +==== Comprobacion ==== 
 + 
 +1. (Apache) Reiniciar Apache:
  
-  sudo /etc/init.d/apache2 restart+  sudo service apache2 reload
  
-4. En un navegador teclear:+2. En un navegador teclear:
  
   http://testldap.example.com   http://testldap.example.com
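Review bot: `LDAPVerifyServerCert Off` in the new /etc/apache2/conf.d/ldap-tls disables validation of the LDAP server's certificate, so the ldaps:// connection accepts any certificate and both the readonly bind password and every user's credentials can be captured by a man-in-the-middle; leave verification on and instead trust the CA that signed the slapd certificate with `LDAPTrustedGlobalCert CA_BASE64 /path/to/cacert.pem` in the server-wide config (the cacert.pem provisioned in step 1 of the container setup). The `<VirtualHost *:443>` block has no `SSLEngine on`, `SSLCertificateFile` or `SSLCertificateKeyFile` lines, so as written it serves plain HTTP on port 443 rather than HTTPS. `AuthLDAPURL "ldaps://ldap.local.jamgo.org:636/ou=people,dc=jamgo,dc=org"` names a host and suffix used nowhere else on the page (everything else is ldap.example.com and dc=example,dc=com), so the example does not work as a copy-paste. /etc/apache2/conf.d/ is the 2.2 layout; 2.4 uses /etc/apache2/conf-available/ plus a2enconf. That also answers the TODO in item 3: a graceful `service apache2 reload` re-reads the whole configuration, so no full restart is needed.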
Line 601: Line 1093:
 Mas info: Mas info:
  
-LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.+ 
 +LDAP over TLS/SSL (ldaps: / / ) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. 
  
 10. Tighten up ownership and permissions: 10. Tighten up ownership and permissions:
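Review bot: the reworded line now spells the scheme as `ldaps: / /`, which looks like a workaround for wiki auto-linking; wrap it in nowiki (or %%) instead of inserting spaces. More importantly, the sentence's claim that ldaps:// is deprecated contradicts the TLS section added in this same change, whose AuthLDAPURL uses `ldaps://ldap.local.jamgo.org:636`; OpenLDAP supports both StartTLS on 389 and ldaps on 636, and the property that actually matters in either mode is that the client verifies the server certificate.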
Line 624: Line 1118:
 tcp        0      0 0.0.0.0:389             0.0.0.0:              LISTEN      15275/slapd tcp        0      0 0.0.0.0:389             0.0.0.0:              LISTEN      15275/slapd
 </code> </code>
 +
 +===== Modificar un registro en LDAP =====
 +Para añadir un campo, por ejemplo loginshell al usuario jur. Creeamos el fichero anyadir.ldif:
 +<code>
 +dn: cn=jur,dc=lobo99,dc=info
 +add: loginshell
 +loginshell: /bin/bash
 +</code>
 +
 +Lo añadimos con el comando:
 +  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f anyadir.ldif
 +  
 +Para modificarlo, creamos el fichero modificar.ldif
 +<code>
 +dn: cn=jur,dc=lobo99,dc=info
 +changetype: modify
 +replace: loginshell
 +loginshell: /bin/sh
 +</code>
 +
 +  ldapmodify -x -w ******** -D "cn=admin,dc=lobo99,dc=info" -f modificar.ldif
 +
 +
 +===== Consulta sin corte de línea =====
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
 +Con linux si tienes perl:
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v | perl -p00e 's/\r?\n //g'
 +===== Consulta de todos los atributos =====
 +  ldapsearch -D "cn=admin,dc=nodomain" -h 172.17.0.2 -p 389 -w **** -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no
 +<code>
 +objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
 +objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC4512: extensible object' SUP top AUXILIARY )
 +objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
 +objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref )
 +objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
 +objectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
 +</code>
 +
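Review bot: the two new "Consulta" sections run the same command, `ldapsearch ... -s base -b "CN=Subschema" objectclasses -v -o ldif-wrap=no` appears under both headings, and despite the title "Consulta de todos los atributos" it returns objectClasses definitions, not attribute types; request `attributeTypes` (or both) under that heading. In all three commands `-h 172.17.0.2 -p 389` is the form OpenLDAP's client tools document as deprecated in favour of `-H ldap://172.17.0.2:389`, and `-w ****` places the admin password on the command line, visible in shell history and in ps; use -W or -y passwordfile. `-o ldif-wrap=no` is not understood by older ldapsearch builds, which is what makes the perl fallback worthwhile, and that one-liner correctly joins LDIF continuation lines. The anyadir.ldif record has no `changetype: modify`; ldapmodify assumes modify when it is absent so it works, but adding the line keeps it consistent with modificar.ldif.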
informatica/linux/openldap.1369324713.txt.gz · Last modified: 2015/04/13 20:19 (external edit)