informatica:linux:ldap
Table of Contents
ldap
open-ldap slapd ldap
Instalación
sudo aptitude install slapd ldap-utils
ldap.conf
sudo mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.bak
sudo vim /etc/ldap/ldap/ldap.conf
# ###### SAMPLE 1 - SIMPLE DIRECTORY ############ # # NOTES: inetorgperson picks up attributes and objectclasses # from all three schemas # # NB: RH Linux schemas in /etc/openldap # include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema # NO SECURITY - no access clause # defaults to anonymous access for read # only rootdn can write # NO REFERRALS # DON'T bother with ARGS file unless you feel strongly # slapd scripts stop scripts need this to work pidfile /var/run/slapd.pid # enable a lot of logging - we might need it # but generates huge logs loglevel 255 # MODULELOAD definitions # not required (comment out) before version 2.3 moduleload back_bdb.la # NO TLS-enabled connections # backend definition not required ####################################################################### # bdb database definitions # # replace example and com below with a suitable domain # # If you don't have a domain you can leave it since example.com # is reserved for experimentation or change them to my and inc # ####################################################################### database bdb suffix "dc=example, dc=com" # root or superuser rootdn "cn=jimbob, dc=example, dc=com" rootpw dirtysecret # The database directory MUST exist prior to running slapd AND # change path as necessary directory /srv/ldapdb # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include objectClass uncomment following # index objectClass eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in slapd.conf reference section cachesize 10000 checkpoint 128 15
Arrancar ldap
No se por que demonios el '/etc/init.d/slpad start' me arranca malamente el demonio. Mejor hacerlo a mano (con mucho debug, con la opcion -d):
sudo /usr/sbin/slapd -f /etc/ldap/ldap.conf -g openldap -u openldap -h ldap://192.168.1.17 &
Comprobar que ha arrancado:
ps ax | grep ldap 9122 ? Ssl 0:00 /usr/sbin/slapd -f /etc/ldap/ldap.conf -g openldap -u openldap -h ldap://192.168.1.17
Para pararlo matar el proceso con kill
Insertar registro
1. Crear un archivo .ldif:
sudo vim /tmp/ejemplo1.ldif
Con el siguiente contenido:
## DEFINE DIT ROOT/BASE/SUFFIX #### ## uses RFC 2377 format ## replace example and com as necessary below ## or for experimentation leave as is ## dcObject is an AUXILLIARY objectclass and MUST ## have a STRUCTURAL objectclass (organization in this case) # this is an ENTRY sequence and is preceded by a BLANK line dn: dc=example,dc=com dc: example description: My wonderful company as much text as you want to place in this line up to 32K continuation data for the line above must have <CR> or <CR><LF> i.e. ENTER works on both Windows and *nix system - new line MUST begin with ONE SPACE objectClass: dcObject objectClass: organization o: Example, Inc. ## FIRST Level hierarchy - people ## uses mixed upper and lower case for objectclass # this is an ENTRY sequence and is preceded by a BLANK line dn: ou=people, dc=example,dc=com ou: people description: All people in organisation objectclass: organizationalunit ## SECOND Level hierarchy ## ADD a single entry under FIRST (people) level # this is an ENTRY sequence and is preceded by a BLANK line # the ou: Human Resources is the department name dn: cn=Robert Smith,ou=people,dc=example,dc=com objectclass: inetOrgPerson cn: Robert Smith cn: Robert J Smith cn: bob smith sn: smith uid: rjsmith userpassword: rJsmitH carlicense: HISCAR 123 homephone: 555-111-2222 mail: r.smith@example.com mail: rsmith@example.com mail: bob.smith@example.com description: swell guy ou: Human Resources
2. Insertar el registro:
ldapadd -H ldap://192.168.1.17 -x -D "cn=jimbob,dc=example,dc=com" -f /srv/example.ldif -w dirtysecret
Buscar registro
ldapsearch -H ldap://192.168.1.17 -LL -b ou=people,dc=example,dc=com "{mail=*smith*)" sn cn mail
Me ha salido bien antes, ahora no me furrula (quiza porque borre el registro
ldapsearch -xh 192.168.1.17 -b '' -s base subschemaSubentry
informatica/linux/ldap.txt · Last modified: 2015/04/13 20:19 by 127.0.0.1