Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:ldap:ldap2-4 [2014/01/25 15:28]
procacci@tem-tsp.eu [SSL]
+++ docpublic:systemes:ldap:ldap2-4 [2015/05/07 20:45] (current)
procacci@tem-tsp.eu [lastbind rpm]
@@ Line 16: / Line 16: @@
 sys	0m15.655s
 </code>
+==== admin password ====
+generation pour la configuration slapd.conf :
+<code>
+cli : slappasswd -h <scheme> -s <secret>
+<scheme> is an RFC 2307 scheme such as {MD5}, {CRYPT} or {SSHA} (the default), and <secret> is the secret to hash, default {SSHA} ,
+The output can be copy-pasted into the LDAP configuration file for the rootpw field.
+</code>
+exemple
+<code>
+# slappasswd -h  {SSHA}  -s secret
+{SSHA}2c4m7rvutm1HrNFvthmeidRkWWLdERxQ
+</code>
@@ Line 151: / Line 169: @@
 # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
 SLAPD_LDAPS=yes
+</code>
+en centos/rehl 7
+<code>
+# grep ldaps /etc/sysconfig/slapd
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
 </code>
@@ Line 171: / Line 197: @@
 </code>
-exemple de LdapSearch en SSL (-H ldaps://) :
+exemple de LdapSearch en SSL (-H ldaps...) :
 <code>
@@ Line 183: / Line 209: @@
+===== ldapadd =====
+exemple d'ajout a chaud d'un object people depuis un ldif
+<code>
+[root@ldapmasterdev ldifs]# ldapadd -f ./annu-studpeople.ldif -D cn=admin,dc=ups,dc=fr -W -h localhost -v -x -W
+ldap_initialize( ldap://localhost )
+Enter LDAP Password:
+add mailRoutingAddress:
+	email@email
+add eduPersonAffiliation:
+	student
+...
+adding new entry "uid=caristan,ou=People,dc=ups,dc=fr"
+modify complete
+</code>
+===== centos rhel 7 =====
+==== install ====
+<code>
+# yum install openldap-servers
+Installé :
+  openldap-servers.x86_64 0:2.4.39-3.el7
+Dépendances installées :
+  libtool-ltdl.x86_64 0:2.4.2-20.el7
+</code>
+activation avec systemctl
+<code>
+# systemctl enable slapd.service
+ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
+# systemctl start slapd.service
+# systemctl status slapd.service
+slapd.service - OpenLDAP Server Daemon
+   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
+   Active: active (running) since Fri 2015-01-09 14:56:58 CET; 6s ago
+  Process: 1319 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
+  Process: 1295 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
+ Main PID: 1320 (slapd)
+   CGroup: /system.slice/slapd.service
+           `-1320 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
+Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
+Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session closed for user ldap
+Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
+Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session closed for user ldap
+Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
+Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session closed for user ldap
+Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
+Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session closed for user ldap
+Jan 09 14:56:58 japi slapd[1319]: @(#) $OpenLDAP: slapd 2.4.39 (Jun  9 2014 23:23:12) $
+                                          mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
+Jan 09 14:56:58 japi systemd[1]: Started OpenLDAP Server Daemon.
+</code>
+===== centos 7 firewallD =====
+==== ref ====
+  * http://ktaraghi.blogspot.fr/2013/10/what-is-firewalld-and-how-it-works.html
+  * http://www.tecmint.com/configure-firewalld-in-centos-7/3/
+==== service ldap ====
+au depart, par defaul il y a le service ssh d'ouvert
+<code>
+# firewall-cmd --zone=public --list-all
+public (default, active)
+  interfaces: eth0
+  sources:
+  services: dhcpv6-client ssh
+  ports:
+  masquerade: no
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+</code>
+==== liste services ====
+les services sont definit dans des fichiers xml dans une arborescence systeme
+<code>
+[root@ldap ~]# firewall-cmd --get-services
+amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
+[root@ldap ~]# ls /usr/lib/firewalld/services/
+amanda-client.xml  dhcp.xml               http.xml        kerberos.xml     libvirt.xml  nfs.xml      pmwebapis.xml   radius.xml        ssh.xml                  vnc-server.xml
+bacula-client.xml  dns.xml                imaps.xml       kpasswd.xml      mdns.xml     ntp.xml      pmwebapi.xml    rpc-bind.xml      telnet.xml               wbem-https.xml
+bacula.xml         ftp.xml                ipp-client.xml  ldaps.xml        mountd.xml   openvpn.xml  pop3s.xml       samba-client.xml  tftp-client.xml
+dhcpv6-client.xml  high-availability.xml  ipp.xml         ldap.xml         ms-wbt.xml   pmcd.xml     postgresql.xml  samba.xml         tftp.xml
+dhcpv6.xml         https.xml              ipsec.xml       libvirt-tls.xml  mysql.xml    pmproxy.xml  proxy-dhcp.xml  smtp.xml          transmission-client.xml
+</code>
+==== rich rule ldap ====
+ajouter une regle ldap depuis une source IP
+<code>
+[root@ldap ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept'
+success
+[root@ldap ~]# firewall-cmd --reload
+success
+[root@ldap ~]# firewall-cmd --zone=public --list-all
+public (default, active)
+  interfaces: eth0
+  sources:
+  services: dhcpv6-client ssh
+  ports:
+  masquerade: no
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+	rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept
+</code>
@@ Line 188: / Line 338: @@
   * http://itdavid.blogspot.fr/2012/05/howto-centos-6.html
+  * http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository
+===== lastbind rpm =====
+integration de lastbind au package source openldap
+recuperation package source via yum
+<code>
+# yum install yum-utils
+# yumdownloader --source openldap-servers
+# ls -l openldap-2.4.39-6.el7.src.rpm
+-rw-r--r-- 1 root root 5593007 31 mars  21:19 openldap-2.4.39-6.el7.src.rpm
+</code>
+http://wiki.centos.org/HowTos/SetupRpmBuildEnvironment
+<code>
+# yum install rpm-build
+</code>
+compiler les package avec un user non privilegié
+<code>
+[root@japi ~]# useradd builder
+[root@japi ~]# su - builder
+[builder@japi ~]$ ls
+[builder@japi ~]$ mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+[builder@japi ~]$ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
+</code>
+<code>
+[builder@japi ~]$ rpm -iv /tmp/openldap-2.4.39-6.el7.src.rpm
+[builder@japi ~]$ ls -l rpmbuild/SPECS/
+total 76
+-rw-rw-r-- 1 builder builder 76148 Mar  6 03:21 openldap.spec
+</code>
+dependances necessaire pour le build
+<code>
+[root@japi ~]# yum install nss-devel krb5-devel tcp_wrappers-devel unixODBC-devel glibc-devel libtool libtool-ltdl-devel groff perl-devel openssl-devel libdb-devel cracklib-devel perl-ExtUtils-Embed
+Résumé de la transaction
+=====================================================================================================
+Installation   13 Paquets (+37 Paquets en dépendance)
+Taille totale des téléchargements : 35 M
+Taille d'installation : 83 M
+</code>

docpublic/systemes/ldap/ldap2-4.1390663681.txt.gz · Last modified: 2014/01/25 15:28 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top