docpublic:systemes:ldap:ldap2-4 [2014/01/10 10:30]
procacci@tem-tsp.eu [iconv UTF8 conversion of the schemas]
docpublic:systemes:ldap:ldap2-4 [2015/05/07 20:45] (current)
procacci@tem-tsp.eu [lastbind rpm]
Line 16: Line 16:
 sys 0m15.655s sys 0m15.655s
 </code> </code>
 +
 +==== admin password ====
 +
 +generation pour la configuration slapd.conf :
 +
 +<code>
 +cli : slappasswd -h <scheme> -s <secret>
 +<scheme> is an RFC 2307 scheme such as {MD5}, {CRYPT} or {SSHA} (the default), and <secret> is the secret to hash, default {SSHA} , 
 +The output can be copy-pasted into the LDAP configuration file for the rootpw field.
 +</code>
 +
 +exemple
 +
 +<code>
 +# slappasswd -h  {SSHA}  -s secret
 +{SSHA}2c4m7rvutm1HrNFvthmeidRkWWLdERxQ
 +</code>
 +
  
  
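Review bot: the `slappasswd -h {SSHA} -s secret` example in this hunk passes the secret as a command-line argument, so it lands in the shell history and is visible to other local users via `ps` for the duration of the command; drop `-s` and let slappasswd prompt for the secret instead (it prompts twice and verifies the two entries), and since the intro text already states that {SSHA} is the default scheme, `-h {SSHA}` can go too. The resulting `{SSHA}...` line is the value for `rootpw` in slapd.conf; with the cn=config layout generated by `olcgene.sh` later on this page the equivalent attribute is `olcRootPW`. Worth adding to the text: the `rootpw` entry only covers the rootdn, and the hash printed here is one salted SHA-1 round, so the secret itself still needs to be long.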
Line 111: Line 129:
  
 <code> <code>
-[root@ldapmaster openldap]# cp /root/openldap/DB_CONFIG.example /var/lib/ldap/int +[root@ldapmaster openldap]# cp /root/openldap/DB_CONFIG.example /var/lib/ldap 
-[root@ldapmaster openldap]# mv /var/lib/ldap/int/DB_CONFIG.example /var/lib/ldap/int/DB_CONFIG +[root@ldapmaster openldap]# mv /var/lib/ldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
-[root@ldapmaster openldap]# chown ldap /var/lib/ldap/int/DB_CONFIG+[root@ldapmaster openldap]# chown ldap /var/lib/ldap/DB_CONFIG
 [root@ldapmaster openldap]# ./olcgene.sh  [root@ldapmaster openldap]# ./olcgene.sh 
 Stopping slapd:                                            [  OK  ] Stopping slapd:                                            [  OK  ]
 config file testing succeeded config file testing succeeded
 Starting slapd:                                            [  OK  ] Starting slapd:                                            [  OK  ]
 +</code>
 +
 +===== replication =====
 +
 +s'assurer que le size limit du master ne bloque pas la replication
 +
 +<code>
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 op=2 UNBIND
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 fd=18 closed
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 ACCEPT from IP=157.159.110.247:45775 (IP=0.0.0.0:636)
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 TLS established tls_ssf=256 ssf=256
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=system,dc=int-evry,dc=fr" method=128
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=System,dc=int-evry,dc=fr" mech=SIMPLE ssf=0
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 RESULT tag=97 err=0 text=
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
 +Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH attr=* +
 +Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
 +Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=2 UNBIND
 +Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 fd=18 closed
 +</code>
 +
 +ici le err=4 singal un depassement du size limit 
 +
 +http://www.zytrax.com/books/ldap/ch12/ => LDAP_SIZELIMIT_EXCEEDED 4 (x'04) An LDAP size limit was exceeded. 
 +
 +===== SSL =====
 +
 +sous centos, penser a valider l'option de demarrage en SSL 
 +
 +<code>
 +[root@ldap1 openldap]# grep LDAPS /etc/sysconfig/ldap
 +# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
 +SLAPD_LDAPS=yes
 +</code>
 +
 +en centos/rehl 7 
 +
 +<code>
 +# grep ldaps /etc/sysconfig/slapd   
 +# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
 +SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
 +</code>
 +
 +Parametrer slapd.conf avec les directives qui vont bien
 +
 +<code>
 +TLSCACertificateFile /etc/pki/tls/certs/cachain-TERENA_UTN-USERFirst-Hardware_AddTrust.pem
 +TLSCertificateFile /etc/pki/tls/certs/cert-1075-wildcard.it-sudparis.eu.pem
 +TLSCertificateKeyFile /etc/pki/tls/private/wildcard_itsudparis.key
 +
 +TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
 +</code>
 +
 +et pour les recherches en ligne de commande ldapsearch , preciser le chemin du certificat racine dans /etc/openldap/ldap.conf
 +
 +<code>
 +[root@ldap4 openldap]# grep TLS_CACERT /etc/openldap/ldap.conf
 +TLS_CACERT /etc/pki/tls/certs/add_trust_external_ca_root.pem
 +#TLS_CACERTDIR  /etc/openldap/certs
 +</code>
 +
 +exemple de LdapSearch en SSL (-H ldaps...) :
 +
 +<code>
 +[root@ldap4 openldap]# ldapsearch -x uid=test -H ldaps://ldap-4.it-sudparis.eu -D cn=repl,ou=System,dc=int-evry,dc=fr -W cn -LL
 +Enter LDAP Password:
 +version: 1
 +
 +dn: uid=test,ou=People,dc=int-evry,dc=fr
 +cn: test TEST
 +</code>
 +
 +
 +
 +
 +
 +===== ldapadd =====
 +
 +exemple d'ajout a chaud d'un object people depuis un ldif 
 +
 +<code>
 +[root@ldapmasterdev ldifs]# ldapadd -f ./annu-studpeople.ldif -D cn=admin,dc=ups,dc=fr -W -h localhost -v -x -W 
 +ldap_initialize( ldap://localhost )
 +Enter LDAP Password: 
 +add mailRoutingAddress:
 + email@email
 +add eduPersonAffiliation:
 + student
 +...
 +adding new entry "uid=caristan,ou=People,dc=ups,dc=fr"
 +modify complete
 +</code>
 +
 +===== centos rhel 7 =====
 +
 +==== install ====
 +
 +<code>
 +# yum install openldap-servers
 +Installé :
 +  openldap-servers.x86_64 0:2.4.39-3.el7                                                                                                                                               
 +Dépendances installées :
 +  libtool-ltdl.x86_64 0:2.4.2-20.el7  
 +</code>
 +
 +activation avec systemctl 
 +
 +<code>
 +# systemctl enable slapd.service
 +ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
 +
 +# systemctl start slapd.service
 +
 +# systemctl status slapd.service
 +
 +slapd.service - OpenLDAP Server Daemon
 +   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
 +   Active: active (running) since Fri 2015-01-09 14:56:58 CET; 6s ago
 +  Process: 1319 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
 +  Process: 1295 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 + Main PID: 1320 (slapd)
 +   CGroup: /system.slice/slapd.service
 +           `-1320 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
 +
 +Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 +Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session closed for user ldap
 +Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 +Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session closed for user ldap
 +Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 +Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session closed for user ldap
 +Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 +Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session closed for user ldap
 +Jan 09 14:56:58 japi slapd[1319]: @(#) $OpenLDAP: slapd 2.4.39 (Jun  9 2014 23:23:12) $
 +                                          mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
 +Jan 09 14:56:58 japi systemd[1]: Started OpenLDAP Server Daemon.
 +</code>
 +
 +===== centos 7 firewallD =====
 +
 +==== ref ====
 +
 +  * http://ktaraghi.blogspot.fr/2013/10/what-is-firewalld-and-how-it-works.html
 +  * http://www.tecmint.com/configure-firewalld-in-centos-7/3/
 +
 +==== service ldap ====
 +
 +au depart, par defaul il y a le service ssh d'ouvert 
 +
 +<code>
 +# firewall-cmd --zone=public --list-all
 +public (default, active)
 +  interfaces: eth0
 +  sources: 
 +  services: dhcpv6-client ssh
 +  ports: 
 +  masquerade: no
 +  forward-ports: 
 +  icmp-blocks: 
 +  rich rules: 
 +</code>
 +
 +==== liste services ====
 +
 +les services sont definit dans des fichiers xml dans une arborescence systeme
 +
 +<code>
 +[root@ldap ~]# firewall-cmd --get-services
 +amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
 +[root@ldap ~]# ls /usr/lib/firewalld/services/
 +amanda-client.xml  dhcp.xml               http.xml        kerberos.xml     libvirt.xml  nfs.xml      pmwebapis.xml   radius.xml        ssh.xml                  vnc-server.xml
 +bacula-client.xml  dns.xml                imaps.xml       kpasswd.xml      mdns.xml     ntp.xml      pmwebapi.xml    rpc-bind.xml      telnet.xml               wbem-https.xml
 +bacula.xml         ftp.xml                ipp-client.xml  ldaps.xml        mountd.xml   openvpn.xml  pop3s.xml       samba-client.xml  tftp-client.xml
 +dhcpv6-client.xml  high-availability.xml  ipp.xml         ldap.xml         ms-wbt.xml   pmcd.xml     postgresql.xml  samba.xml         tftp.xml
 +dhcpv6.xml         https.xml              ipsec.xml       libvirt-tls.xml  mysql.xml    pmproxy.xml  proxy-dhcp.xml  smtp.xml          transmission-client.xml
 +</code>
 +
 +==== rich rule ldap ====
 +
 +ajouter une regle ldap depuis une source IP 
 +
 +<code>
 +[root@ldap ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept'
 +success
 +[root@ldap ~]# firewall-cmd --reload
 +success
 +[root@ldap ~]# firewall-cmd --zone=public --list-all
 +public (default, active)
 +  interfaces: eth0
 +  sources: 
 +  services: dhcpv6-client ssh
 +  ports: 
 +  masquerade: no
 +  forward-ports: 
 +  icmp-blocks: 
 +  rich rules: 
 + rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept
 +</code>
 +
 +
 +===== references =====
 +
 +  * http://itdavid.blogspot.fr/2012/05/howto-centos-6.html
 +  * http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository
 +
 +
 +===== lastbind rpm =====
 +
 +integration de lastbind au package source openldap
 +
 +recuperation package source via yum 
 +
 +<code>
 +# yum install yum-utils
 +# yumdownloader --source openldap-servers
 +# ls -l openldap-2.4.39-6.el7.src.rpm 
 +-rw-r--r-- 1 root root 5593007 31 mars  21:19 openldap-2.4.39-6.el7.src.rpm
 +</code>
 +
 +http://wiki.centos.org/HowTos/SetupRpmBuildEnvironment
 +
 +<code>
 +# yum install rpm-build
 +</code>
 +
 +compiler les package avec un user non privilegié
 +
 +<code>
 +[root@japi ~]# useradd builder
 +[root@japi ~]# su - builder
 +[builder@japi ~]$ ls
 +[builder@japi ~]$ mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
 +[builder@japi ~]$ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
 +</code>
 +
 +
 +<code>
 +[builder@japi ~]$ rpm -iv /tmp/openldap-2.4.39-6.el7.src.rpm 
 +[builder@japi ~]$ ls -l rpmbuild/SPECS/
 +total 76
 +-rw-rw-r-- 1 builder builder 76148 Mar  6 03:21 openldap.spec
 +</code>
 +
 +dependances necessaire pour le build
 +
 +<code>
 +[root@japi ~]# yum install nss-devel krb5-devel tcp_wrappers-devel unixODBC-devel glibc-devel libtool libtool-ltdl-devel groff perl-devel openssl-devel libdb-devel cracklib-devel perl-ExtUtils-Embed
 +Résumé de la transaction
 +=====================================================================================================
 +Installation   13 Paquets (+37 Paquets en dépendance)
 +
 +Taille totale des téléchargements : 35 M
 +Taille d'installation : 83 M
 </code> </code>
  
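Review bot: the `TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3` line in the SSL block keeps MEDIUM-strength ciphers and the SSLv2/SSLv3 cipher groups enabled (`+` in an OpenSSL cipher string only moves matching ciphers to the end of the list, it does not remove them) and sets no protocol floor; suggest something like `TLSCipherSuite HIGH:!aNULL:!MD5` together with a `TLSProtocolMin` directive so the server refuses SSLv2/SSLv3 outright. In the replication block, the page states that the master's size limit must not block replication and the log shows exactly that (`err=4 nentries=500` on the replicator's search), but the fix is not shown: add a per-DN limit for the replication identity, e.g. `limits dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" size=unlimited time=unlimited` in slapd.conf (or the matching `olcLimits` attribute under cn=config), rather than raising the global `sizelimit`. Two smaller points: the `ldapadd` command line repeats `-W`; and the firewalld rich rule at the end opens `service name="ldap"` (clear-text 389) while the RHEL 7 `SLAPD_URLS` line also listens on `ldaps:///` and the ldapsearch examples all use `ldaps://`; if only LDAPS is meant to be reachable from that /24, the rule should name the `ldaps` service (present in the `--get-services` output above), or the server should require TLS on 389 with a `security tls=1` directive.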
docpublic/systemes/ldap/ldap2-4.1389349818.txt.gz · Last modified: 2014/01/10 10:30 by procacci@tem-tsp.eu