[[LSC project]]
Trace: LSC project
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:ldap:ldap_lsc [2015/11/27 18:46]
procacci@tem-tsp.eu [yum repo install] 		docpublic:systemes:ldap:ldap_lsc [2015/12/01 15:43] (current)
procacci@tem-tsp.eu [suppression]
Line 27: Line 27:
 </code> </code>
  
-==== dependace java ====+==== dependance java ====
  
   * https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Installation_Guide/Install_OpenJDK_on_Red_Hat_Enterprise_Linux.html   * https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Installation_Guide/Install_OpenJDK_on_Red_Hat_Enterprise_Linux.html
Line 69: Line 69:
  
 Terminé ! Terminé !
 +
 +#  java -version
 +java version "1.7.0_91"
 +OpenJDK Runtime Environment (rhel-2.6.2.1.el7_1-x86_64 u91-b00)
 +OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
 +
 </code> </code>
  
 +===== Scenario ldap to ldap =====
  
 +ref 
  
 +  * https://documentation.fusiondirectory.org/en/documentation/merge_ad_openldap_user
 +  * http://rsokolkov.com/synchronizing-users-from-ad-to-openldap/
 +  * http://autoblogs.memiks.fr/planet-libre/?Cl%C3%A9ment-OUDOT-LDAP-Synchronization-Connector-en-mode-2-0
 + 
  
 +Preparation d'un scenario de synchro de ldap evry  vers ldap de fusion mines-telecom
 +<code>
 +[root@lsc lsc]# mkdir /etc/lsc/ldapevry2ldapimt
 +[root@lsc lsc]# cd /etc/lsc/ldapevry2ldapimt
 +[root@lsc ldapevry2ldapimt]# cp /etc/lsc/logback.xml .
 +[root@lsc ldapevry2ldapimt]# cp /etc/lsc/lsc.xml .
 +[root@lsc ldapevry2ldapimt]# vim lsc.xml
 +</code>
 +
 +a suivre [[.:ldap_lsc&#config_lsc_synchro_ldap2ldap|ldap2ldap lsc config plus bas ]]
 +
 +==== installation openldap-servers ====
 +
 +<code>
 +[root@lsc ldap2ldap]# yum install openldap-servers openldap-clients
 +Installed:
 +  openldap-servers.x86_64 0:2.4.39-7.el7.centos    
 +  openldap-clients.x86_64 0:2.4.39-7.el7.centos                   
 +</code>
 +
 +==== parametrage openldap-server =====
 +
 +recuperation de schema propres a nos usages accademiques
 +<code>
 +[root@lsc schema]# cp eduperson-200412.schema supann_2009.schema /etc/openldap/schema/
 +</code>
 +
 +repertoire systeme où sera stocké la base ldap fusion des sources de synchro (initialement backen BDB à passer en lmdb ...)
 +
 +<code>
 +[root@lsc openldap]# vim slapd.conf # directory       /var/lib/ldap/imt/
 +[root@lsc openldap]# mkdir /var/lib/ldap/imt/
 +[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/
 +
 +[root@lsc openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/imt/DB_CONFIG
 +[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/DB_CONFIG
 +</code>
 +
 +
 +==== demarrage du serveur au boot ====
 +
 +<code>
 +[root@lsc openldap]# systemctl enable slapd.service 
 +ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
 +</code>
 +
 +s'assurer que le firewall est ouver sur ldap , exemple avec firewalld 
 +
 +<code>
 +# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldap" log prefix="ldap_157_158" accept'
 +# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldaps" log prefix="ldaps_157_158" accept'
 +# firewall-cmd --reload
 +</code>
 +
 +==== log ldap dans rsyslog ====
 +
 +<code>
 +[root@lsc openldap]# vim /etc/rsyslog.conf 
 +[root@lsc openldap]# systemctl restart rsyslog.service 
 +[root@lsc openldap]# grep ldap /etc/rsyslog.conf
 +local4.* /var/log/ldap.log
 +</code>
 +
 +
 +==== Premier lancement du serveur a vide ====
 +
 +<code>
 +[root@lsc openldap]# ./olcgene.sh 
 +565ad68c /etc/openldap/slapd.conf: line 208: rootdn is always granted unlimited privileges.
 +565ad68c /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
 +565ad68c bdb_db_open: database "dc=mines-telecom,dc=fr": db_open(/var/lib/ldap/imt//id2entry.bdb) failed: No such file or directory (2).
 +565ad68c backend_startup_one (type=bdb, suffix="dc=mines-telecom,dc=fr"): bi_db_open failed! (2)
 +slap_startup failed (test would succeed using the -u switch)
 +
 +[root@lsc openldap]# ls -al /var/lib/ldap/imt/
 +total 19552
 +drwxr-xr-x 2 ldap ldap     4096 Nov 29 11:42 .
 +drwx------ 3 ldap ldap     4096 Nov 29 11:11 ..
 +-rw-r--r-- 1 ldap ldap      845 Nov 29 11:15 DB_CONFIG
 +-rw------- 1 ldap ldap  2801664 Nov 29 11:42 __db.001
 +-rw------- 1 ldap ldap 17489920 Nov 29 11:42 __db.002
 +-rw------- 1 ldap ldap  1884160 Nov 29 11:42 __db.003
 +-rw-r--r-- 1 ldap ldap     2048 Nov 29 11:42 alock
 +-rw------- 1 ldap ldap     8192 Nov 29 11:42 dn2id.bdb
 +-rw------- 1 ldap ldap    32768 Nov 29 11:42 id2entry.bdb
 +-rw------- 1 ldap ldap 10485760 Nov 29 11:42 log.0000000001
 +
 +[root@lsc openldap]# tail -f /var/log/ldap.log 
 +Nov 29 11:42:20 lscimt slapd[3275]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
 + mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
 +Nov 29 11:42:20 lscimt slapd[3276]: slapd starting
 +
 +
 +[root@lsc openldap]# ps auwx |grep slapd 
 +ldap      3276  0.0  2.0 429780  5504 ?        Ssl  11:42   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
 +</code>
 +
 +
 +==== ajout de la racine de l'arbre ldap ====
 +
 +fichier ldap represantant la racine de l'arbre de fusion ldap
 +<code>
 +# cat root-mt.ldif
 +# mt
 +dn: dc=mines-telecom,dc=fr
 +dc: mines-telecom
 +objectClass: top
 +objectClass: domain
 +objectClass: domainRelatedObject
 +associatedDomain: mines-telecom.fr
 +</code>
 +
 +insertion dans l'instance ldap imt 
 +
 +<code>
 +[root@lsc ~]# ldapadd -f root-mt.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -WEnter LDAP Password: 
 +adding new entry "dc=mines-telecom,dc=fr"
 +
 +[root@lsc ~]# tail -f /var/log/ldap.log 
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 ACCEPT from IP=[::1]:47596 (IP=[::]:389)
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" method=128
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 RESULT tag=97 err=0 text=
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 ADD dn="dc=mines-telecom,dc=fr"
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 RESULT tag=105 err=0 text=
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=2 UNBIND
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 closed
 +</code>
 +
 +et de la sous branche people
 +
 +<code>
 +[root@lsc ~]# vim people.ldif
 +[root@lsc ~]# ldapadd -f people.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -WEnter LDAP Password: 
 +adding new entry "ou=people,dc=mines-telecom,dc=fr"
 +
 +[root@lsc ~]# cat people.ldif 
 +dn: ou=people,dc=mines-telecom,dc=fr
 +changetype: add
 +objectClass: organizationalUnit
 +objectClass: top
 +ou: people
 +</code>
 +
 +contenu actuel de notre "coquille vide"
 +
 +<code>
 +[root@lsc ~]# ldapsearch -x objectclass=* -H ldap://localhost -b dc=mines-telecom,dc=fr -D cn=admin,dc=mines-telecom,dc=fr -W dn -LLL
 +Enter LDAP Password: 
 +dn: dc=mines-telecom,dc=fr
 +
 +dn: ou=people,dc=mines-telecom,dc=fr
 +</code>
 +
 +
 +===== Config LSC synchro ldap2ldap =====
 +
 +
 +le principe ici est de synchroniser des annuaires ldap vers un annuaire mutualisé assurant la fusion des annuaires d'etablissements dans des sous branches propres a l'etablissement .
 +
 +Ici , on fait une exclusion des objectclass et attributs non indispensables a un annuaire pages blanches via le <dataset> objectclass :
 +
 +<code>
 +[root@lscimt ldapevry2ldapimt]# cat lsc.xml
 +<?xml version="1.0" ?>
 +<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
 +
 +  <connections>
 +    <ldapConnection>
 +      <name>tem-tsp</name>
 +      <url>ldap://ldapze.int.fr:389/dc=int,dc=fr</url>
 +      <username>cn=adm,dc=int,dc=fr</username>
 +      <password>secret</password>
 +      <authentication>SIMPLE</authentication>
 +      <referral>IGNORE</referral>
 +      <derefAliases>NEVER</derefAliases>
 +      <version>VERSION_3</version>
 +      <pageSize>-1</pageSize>
 +      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
 +      <tlsActivated>false</tlsActivated>
 +    </ldapConnection>
 +    <ldapConnection>
 +      <name>mines-telecom</name>
 +      <url>ldap://127.0.0.1:389/dc=mines-telecom,dc=fr</url>
 +      <username>cn=adm,dc=mines-telecom,dc=fr</username>
 +      <password>secret</password>
 +      <authentication>SIMPLE</authentication>
 +      <referral>THROW</referral>
 +      <derefAliases>NEVER</derefAliases>
 +      <version>VERSION_3</version>
 +      <pageSize>-1</pageSize>
 +      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
 +      <tlsActivated>false</tlsActivated>
 +    </ldapConnection>
 +  </connections>
 +
 +  <tasks>
 +
 +    <task>
 +      <name>user</name>
 +      <bean>org.lsc.beans.SimpleBean</bean>
 +       <ldapSourceService>
 +        <name>user-source-service</name>
 +        <connection reference="tem-tsp" />
 +        <baseDn>ou=people,dc=int,dc=fr</baseDn>
 +        <pivotAttributes>
 +          <string>cn</string>
 +        </pivotAttributes>
 +        <fetchedAttributes>
 +          <string>cn</string>
 +          <string>mail</string>
 +          <string>sn</string>
 +          <string>departmentNumber</string>
 +          <string>employeeType</string>
 +          <string>givenName</string>
 +          <string>telephoneNumber</string>
 +        </fetchedAttributes>
 +        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson)(uid=martin*))]]></getAllFilter>
 +        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
 +        <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></cleanFilter>
 +    </ldapSourceService>
 +    <ldapDestinationService>
 +        <name>user-dest-service</name>
 +        <connection reference="mines-telecom" />
 +        <baseDn>ou=evry,ou=people,dc=mines-telecom,dc=fr</baseDn>
 +        <pivotAttributes>
 +          <string>cn</string>
 +        </pivotAttributes>
 +        <fetchedAttributes>
 +          <string>cn</string>
 +          <string>objectClass</string>
 +          <string>mail</string>
 +          <string>sn</string>
 +          <string>departmentNumber</string>
 +          <string>employeeType</string>
 +          <string>givenName</string>
 +          <string>telephoneNumber</string>
 +        </fetchedAttributes>
 +        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson))]]></getAllFilter>
 +        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
 +    </ldapDestinationService>
 +      <propertiesBasedSyncOptions>
 +        <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=evry,ou=people,dc=mines-telecom,dc=fr"</mainIdentifier>
 +        <defaultDelimiter>;</defaultDelimiter>
 +        <defaultPolicy>FORCE</defaultPolicy>
 +        <conditions>
 +          <create>true</create>
 +          <update>true</update>
 +          <delete>true</delete>
 +          <changeId>true</changeId>
 +        </conditions>
 +         <dataset>
 +          <name>objectclass</name>
 +          <policy>KEEP</policy>
 +          <createValues>
 +            <string>"inetOrgPerson"</string>
 +            <string>"organizationalPerson"</string>
 +            <string>"person"</string>
 +            <string>"top"</string>
 +          </createValues>
 +        </dataset>
 +      </propertiesBasedSyncOptions>
 +    </task>
 +
 +  </tasks>
 +</lsc>
 +</code>
 +
 +
 +===== synchro =====
 +
 +<code>
 +[root@lsc ldapevry2ldapimt]# lsc -s user --config /etc/lsc/ldapevry2ldapimt/
 +11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
 +11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [jar:file:/usr/lib/lsc/lsc-core-2.1.3.jar!/logback.xml]
 +
 +nov. 30 11:41:14 - INFO  - Reflections took 105 ms to scan 1 urls, producing 55 keys and 115 values
 +nov. 30 11:41:15 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/logback.xml
 +nov. 30 11:41:15 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/
 +nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
 +nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://ldapze.int.fr:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
 +nov. 30 11:41:15 - INFO  - Starting sync for user
 +nov. 30 11:41:15 - INFO  - # Adding new object cn=Guy BERNARD,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Mon Nov 30 11:41:15 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: add
 +employeeType:: UHJvZmVzc2V1ciBpbnZpdMOp
 +mail: jacques.martin@tem-tsp.eu
 +sn: MARTIN
 +departmentNumber: INFO
 +cn: Jacques MARTIN
 +telephoneNumber: +33161764567
 +objectClass: inetOrgPerson
 +objectClass: organizationalPerson
 +objectClass: person
 +objectClass: top
 +givenName: Jacques
 +
 +nov. 30 11:41:15 - INFO  - All entries: 5, to modify entries: 5, successfully modified entries: 5, errors: 0
 +
 +</code>
 +
 +==== modification d'attributs ====
 +
 +il est possible de modifier à la volée des valeurs d'attribut pour les rendre conforme a une syntaxte et nomenclature commune .
 +
 +Exemple d'ajout d'un dataset qui modifie lors de la synchro la valeur d'attribut departmentNumber , 
 +ici si à la source departmentNumber contient MCI alors le transformer en DSI :
 +
 +<code>
 + <dataset>
 +          <name>departmentNumber</name>
 +          <policy>FORCE</policy>
 +          <forceValues>
 +            <string><![CDATA[js:
 +                var department = srcBean.getDatasetFirstValueById("departmentNumber");
 +                if ( department == "MCI" ) { department = "DSI"; }
 +                department;
 +            ]]></string>
 +          </forceValues>
 +       </dataset>
 +
 +</code>
 +
 +log associés a cette synchro 
 +
 +<code>
 +nov. 30 14:45:17 - INFO  - # Updating object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +nov. 30 14:45:17 - INFO  - # Updating object cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Mon Nov 30 14:45:17 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: modify
 +replace: departmentNumber
 +departmentNumber: DSI
 +-
 +
 +# Mon Nov 30 14:45:17 CET 2015
 +dn: cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: modify
 +replace: departmentNumber
 +departmentNumber: DSI
 +-
 +
 +nov. 30 14:45:17 - INFO  - All entries: 5, to modify entries: 2, successfully modified entries: 2, errors: 0
 +</code>
 +
 +
 +===== suppression =====
 +
 +pour supprimer un compte il faut ajouter l'option
 +
 +<code>
 +-c,--clean <arg>                      Cleaning type (one of the available
 +                                       tasks or 'all')
 +</code>
 +et aussi s'assurer qu'il n'y a pas zero entrée dans la source , autrement lsc par sécurité ne supprime rien .
 +
 +<code>
 +déc. 01 14:29:00 - INFO  - Starting sync for user
 +déc. 01 14:29:00 - ERROR - Empty or non existant source (no IDs found)
 +</code>
 +
 +voici l'exemple de suppression d'une entrée à la source .
 +<code>
 +[root@lsc ldap2ldapmintel]# lsc -s user -c user --config /etc/lsc/ldap2ldapmintel/
 +...
 +déc. 01 15:21:52 - INFO  - Reflections took 104 ms to scan 1 urls, producing 55 keys and 115 values
 +déc. 01 15:21:52 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap2ldapmintel/logback.xml
 +déc. 01 15:21:52 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap2ldapmintel/
 +déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
 +déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://ldap4.tem-tsp.eu:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
 +déc. 01 15:21:52 - INFO  - Starting sync for user
 +déc. 01 15:21:52 - ERROR - Empty or non existant source (no IDs found)
 +déc. 01 15:21:52 - INFO  - Starting clean for user
 +déc. 01 15:21:52 - INFO  - # Removing object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Tue Dec 01 15:21:52 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: delete
 +
 +déc. 01 15:21:52 - INFO  - All entries: 6, to modify entries: 1, successfully modified entries: 1, errors: 0
 +</code>
docpublic/systemes/ldap/ldap_lsc.1448649994.txt.gz · Last modified: 2015/11/27 18:46 by procacci@tem-tsp.eu
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0