===== LSC project =====

reference

  * http://lsc-project.org/wiki/
  * http://lsc-project.org/wiki/documentation/latest/start
  * http://lsc-project.org/wiki/documentation/latest/installation#yum_repository

==== yum repo install ====

The repository file enables GPG checking against the LTB project key, which is imported with ''rpm --import'' before installing.

<code>
[root@lsc ~]# vi /etc/yum.repos.d/lsc-project.repo
# cat /etc/yum.repos.d/lsc-project.repo
[lsc-project]
name=LSC project packages
baseurl=http://lsc-project.org/rpm/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

# rpm --import http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
# yum install lsc
Installed:
  lsc.noarch 0:2.1.3-0.el5
</code>

==== java dependency ====

  * https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Installation_Guide/Install_OpenJDK_on_Red_Hat_Enterprise_Linux.html

<code>
# yum install java-1.7.0-openjdk-devel
Installation 1 Paquet (+71 Paquets en dépendance)
Taille totale des téléchargements : 52 M
Taille d'installation : 191 M
Is this ok [y/d/N]: y

Installé :
  java-1.7.0-openjdk-devel.x86_64 1:1.7.0.91-2.6.2.1.el7_1

Dépendances installées :
  GConf2.x86_64 0:3.2.6-8.el7  alsa-lib.x86_64 0:1.0.28-2.el7  atk.x86_64 0:2.8.0-4.el7
  cairo.x86_64 0:1.12.14-6.el7  dbus-glib.x86_64 0:0.100-7.el7  flac-libs.x86_64 0:1.3.0-5.el7_1
  fontconfig.x86_64 0:2.10.95-7.el7  fontpackages-filesystem.noarch 0:1.44-8.el7
  freetype.x86_64 0:2.4.11-10.el7_1.1  gdk-pixbuf2.x86_64 0:2.28.2-5.el7_1  giflib.x86_64 0:4.1.6-9.el7
  graphite2.x86_64 0:1.2.2-5.el7  gsm.x86_64 0:1.0.13-11.el7  gtk2.x86_64 0:2.24.22-5.el7_0.1
  harfbuzz.x86_64 0:0.9.20-4.el7  hicolor-icon-theme.noarch 0:0.12-7.el7  hwdata.x86_64 0:0.252-7.8.el7_1
  jasper-libs.x86_64 0:1.900.1-26.el7_0.3  java-1.7.0-openjdk.x86_64 1:1.7.0.91-2.6.2.1.el7_1
  java-1.7.0-openjdk-headless.x86_64 1:1.7.0.91-2.6.2.1.el7_1  javapackages-tools.noarch 0:3.4.1-6.el7_0
  jbigkit-libs.x86_64 0:2.0-11.el7  libICE.x86_64 0:1.0.8-7.el7  libSM.x86_64 0:1.2.1-7.el7
  libX11.x86_64 0:1.6.0-2.1.el7  libX11-common.noarch 0:1.6.0-2.1.el7  libXau.x86_64 0:1.0.8-2.1.el7
  libXcomposite.x86_64 0:0.4.4-4.1.el7  libXcursor.x86_64 0:1.1.14-2.1.el7  libXdamage.x86_64 0:1.1.4-4.1.el7
  libXext.x86_64 0:1.3.2-2.1.el7  libXfixes.x86_64 0:5.0.1-2.1.el7  libXfont.x86_64 0:1.4.7-3.el7_1
  libXft.x86_64 0:2.3.1-5.1.el7  libXi.x86_64 0:1.7.2-2.1.el7  libXinerama.x86_64 0:1.1.3-2.1.el7
  libXrandr.x86_64 0:1.4.1-2.1.el7  libXrender.x86_64 0:0.9.8-2.1.el7  libXtst.x86_64 0:1.2.2-2.1.el7
  libXxf86vm.x86_64 0:1.1.3-2.1.el7  libasyncns.x86_64 0:0.8-7.el7  libdrm.x86_64 0:2.4.56-2.el7
  libfontenc.x86_64 0:1.1.1-5.el7  libjpeg-turbo.x86_64 0:1.2.90-5.el7  libogg.x86_64 2:1.3.0-7.el7
  libpciaccess.x86_64 0:0.13.1-4.1.el7  libpng.x86_64 2:1.5.13-5.el7  libsndfile.x86_64 0:1.0.25-9.el7
  libthai.x86_64 0:0.1.14-9.el7  libtiff.x86_64 0:4.0.3-14.el7  libvorbis.x86_64 1:1.3.3-8.el7
  libxcb.x86_64 0:1.9-5.el7  libxslt.x86_64 0:1.1.28-5.el7  lksctp-tools.x86_64 0:1.0.13-3.el7
  mesa-libEGL.x86_64 0:10.2.7-5.20140910.el7_1.1  mesa-libGL.x86_64 0:10.2.7-5.20140910.el7_1.1
  mesa-libgbm.x86_64 0:10.2.7-5.20140910.el7_1.1  mesa-libglapi.x86_64 0:10.2.7-5.20140910.el7_1.1
  mozjs17.x86_64 0:17.0.0-10.el7  pango.x86_64 0:1.34.1-5.el7  pcsc-lite-libs.x86_64 0:1.8.8-5.el7
  pixman.x86_64 0:0.32.4-3.el7  polkit.x86_64 0:0.112-5.el7  polkit-pkla-compat.x86_64 0:0.1-4.el7
  pulseaudio-libs.x86_64 0:3.0-30.el7  python-javapackages.noarch 0:3.4.1-6.el7_0  python-lxml.x86_64 0:3.2.1-4.el7
  ttmkfdir.x86_64 0:3.0.9-41.el7  tzdata-java.noarch 0:2015g-1.el7  xorg-x11-font-utils.x86_64 1:7.5-18.1.el7
  xorg-x11-fonts-Type1.noarch 0:7.5-9.el7

Terminé !
</code>
<code>
# java -version
java version "1.7.0_91"
OpenJDK Runtime Environment (rhel-2.6.2.1.el7_1-x86_64 u91-b00)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
</code>

===== Scenario ldap to ldap =====

ref

  * https://documentation.fusiondirectory.org/en/documentation/merge_ad_openldap_user
  * http://rsokolkov.com/synchronizing-users-from-ad-to-openldap/
  * http://autoblogs.memiks.fr/planet-libre/?Cl%C3%A9ment-OUDOT-LDAP-Synchronization-Connector-en-mode-2-0

Preparing a synchronisation scenario from the Evry LDAP to the merged Mines-Télécom LDAP. Each scenario gets its own directory under ''/etc/lsc'', with its own copies of ''logback.xml'' and ''lsc.xml'':

<code>
[root@lsc lsc]# mkdir /etc/lsc/ldapevry2ldapimt
[root@lsc lsc]# cd /etc/lsc/ldapevry2ldapimt
[root@lsc ldapevry2ldapimt]# cp /etc/lsc/logback.xml .
[root@lsc ldapevry2ldapimt]# cp /etc/lsc/lsc.xml .
[root@lsc ldapevry2ldapimt]# vim lsc.xml
</code>

To be continued: [[.:ldap_lsc&#config_lsc_synchro_ldap2ldap|ldap2ldap lsc config below]]

==== installation openldap-servers ====

<code>
[root@lsc ldap2ldap]# yum install openldap-servers openldap-clients
Installed:
  openldap-servers.x86_64 0:2.4.39-7.el7.centos
  openldap-clients.x86_64 0:2.4.39-7.el7.centos
</code>

==== openldap-server configuration ====

Fetch the schemas specific to our academic use (eduPerson and SupAnn):

<code>
[root@lsc schema]# cp eduperson-200412.schema supann_2009.schema /etc/openldap/schema/
</code>

System directory where the merged LDAP database, the target of the synchronisation sources, will be stored (initially a BDB backend, to be migrated to LMDB later):
<code>
[root@lsc openldap]# vim slapd.conf
# directory /var/lib/ldap/imt/
[root@lsc openldap]# mkdir /var/lib/ldap/imt/
[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/
[root@lsc openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/imt/DB_CONFIG
[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/DB_CONFIG
</code>

==== starting the server at boot ====

<code>
[root@lsc openldap]# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
</code>

Make sure the firewall is open for LDAP. Example with firewalld: the rich rules below accept ldap and ldaps only from the 157.158.0.0/16 range and log the accepted connections with a prefix.

<code>
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldap" log prefix="ldap_157_158" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldaps" log prefix="ldaps_157_158" accept'
# firewall-cmd --reload
</code>

==== ldap logs in rsyslog ====

slapd logs to the local4 facility, which rsyslog sends to a dedicated file:

<code>
[root@lsc openldap]# vim /etc/rsyslog.conf
[root@lsc openldap]# systemctl restart rsyslog.service
[root@lsc openldap]# grep ldap /etc/rsyslog.conf
local4.*                                                /var/log/ldap.log
</code>

==== First start of the server with an empty database ====

<code>
[root@lsc openldap]# ./olcgene.sh
565ad68c /etc/openldap/slapd.conf: line 208: rootdn is always granted unlimited privileges.
565ad68c /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
565ad68c bdb_db_open: database "dc=mines-telecom,dc=fr": db_open(/var/lib/ldap/imt//id2entry.bdb) failed: No such file or directory (2).
565ad68c backend_startup_one (type=bdb, suffix="dc=mines-telecom,dc=fr"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@lsc openldap]# ls -al /var/lib/ldap/imt/
total 19552
drwxr-xr-x 2 ldap ldap     4096 Nov 29 11:42 .
drwx------ 3 ldap ldap     4096 Nov 29 11:11 ..
-rw-r--r-- 1 ldap ldap      845 Nov 29 11:15 DB_CONFIG
-rw------- 1 ldap ldap  2801664 Nov 29 11:42 __db.001
-rw------- 1 ldap ldap 17489920 Nov 29 11:42 __db.002
-rw------- 1 ldap ldap  1884160 Nov 29 11:42 __db.003
-rw-r--r-- 1 ldap ldap     2048 Nov 29 11:42 alock
-rw------- 1 ldap ldap     8192 Nov 29 11:42 dn2id.bdb
-rw------- 1 ldap ldap    32768 Nov 29 11:42 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Nov 29 11:42 log.0000000001
[root@lsc openldap]# tail -f /var/log/ldap.log
Nov 29 11:42:20 lscimt slapd[3275]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
        mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Nov 29 11:42:20 lscimt slapd[3276]: slapd starting
[root@lsc openldap]# ps auwx |grep slapd
ldap      3276  0.0  2.0 429780  5504 ?        Ssl  11:42   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
</code>

==== adding the root of the ldap tree ====

LDIF file representing the root of the merged LDAP tree:

<code>
# cat root-mt.ldif
# mt
dn: dc=mines-telecom,dc=fr
dc: mines-telecom
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: mines-telecom.fr
</code>

Insertion into the imt LDAP instance. The log shows the bind as ''mech=SIMPLE ssf=0'', that is a simple bind without TLS, here over the loopback interface:

<code>
[root@lsc ~]# ldapadd -f root-mt.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -W
Enter LDAP Password:
adding new entry "dc=mines-telecom,dc=fr"

[root@lsc ~]# tail -f /var/log/ldap.log
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 ACCEPT from IP=[::1]:47596 (IP=[::]:389)
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" method=128
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 RESULT tag=97 err=0 text=
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 ADD dn="dc=mines-telecom,dc=fr"
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 RESULT tag=105 err=0 text=
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=2 UNBIND
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 closed
</code>

And the people sub-branch:

<code>
[root@lsc ~]# vim people.ldif
[root@lsc ~]# ldapadd -f people.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -W
Enter LDAP Password:
adding new entry "ou=people,dc=mines-telecom,dc=fr"

[root@lsc ~]# cat people.ldif
dn: ou=people,dc=mines-telecom,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people
</code>

Current content of our "empty shell":

<code>
[root@lsc ~]# ldapsearch -x objectclass=* -H ldap://localhost -b dc=mines-telecom,dc=fr -D cn=admin,dc=mines-telecom,dc=fr -W dn -LLL
Enter LDAP Password:
dn: dc=mines-telecom,dc=fr

dn: ou=people,dc=mines-telecom,dc=fr
</code>

===== Config LSC synchro ldap2ldap =====

The principle here is to synchronise several LDAP directories into a shared directory that merges the institutions' directories, each institution in its own sub-branch. Here we exclude the objectClasses and attributes that are not essential to a white-pages directory, via the objectclass dataset. Two connections are declared (source ''tem-tsp'', destination ''mines-telecom''), both with a SIMPLE bind over plain ''ldap://'' and the bind password in clear in ''lsc.xml''; the destination DN is computed by a ''js:'' expression that escapes the source ''cn'' with ''javax.naming.ldap.Rdn.escapeValue'' before placing it in the RDN.

<code>
[root@lscimt ldapevry2ldapimt]# cat lsc.xml
tem-tsp
ldap://ldapze.int.fr:389/dc=int,dc=fr
cn=adm,dc=int,dc=fr
secret
SIMPLE IGNORE NEVER VERSION_3 -1 com.sun.jndi.ldap.LdapCtxFactory false

mines-telecom
ldap://127.0.0.1:389/dc=mines-telecom,dc=fr
cn=adm,dc=mines-telecom,dc=fr
secret
SIMPLE THROW NEVER VERSION_3 -1 com.sun.jndi.ldap.LdapCtxFactory false

user org.lsc.beans.SimpleBean

user-source-service ou=people,dc=int,dc=fr cn
cn mail sn departmentNumber employeeType givenName telephoneNumber

user-dest-service ou=evry,ou=people,dc=mines-telecom,dc=fr cn
cn objectClass mail sn departmentNumber employeeType givenName telephoneNumber

js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=evry,ou=people,dc=mines-telecom,dc=fr" ;
FORCE true true true true
objectclass KEEP "inetOrgPerson" "organizationalPerson" "person" "top"
</code>

===== synchro =====

<code>
[root@lsc ldapevry2ldapimt]# lsc -s user --config /etc/lsc/ldapevry2ldapimt/
11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [jar:file:/usr/lib/lsc/lsc-core-2.1.3.jar!/logback.xml]
nov. 30 11:41:14 - INFO  - Reflections took 105 ms to scan 1 urls, producing 55 keys and 115 values
nov. 30 11:41:15 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/logback.xml
nov. 30 11:41:15 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/
nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://ldapze.int.fr:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
nov. 30 11:41:15 - INFO  - Starting sync for user
nov. 30 11:41:15 - INFO  - # Adding new object cn=Guy BERNARD,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Mon Nov 30 11:41:15 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: add
employeeType:: UHJvZmVzc2V1ciBpbnZpdMOp
mail: jacques.martin@tem-tsp.eu
sn: MARTIN
departmentNumber: INFO
cn: Jacques MARTIN
telephoneNumber: +33161764567
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: Jacques

nov. 30 11:41:15 - INFO  - All entries: 5, to modify entries: 5, successfully modified entries: 5, errors: 0
</code>

==== attribute modification ====

Attribute values can be rewritten on the fly during the sync to make them conform to a common syntax and naming scheme. Example of adding a dataset that rewrites the ''departmentNumber'' value during the sync: here, if the source ''departmentNumber'' contains MCI, it is transformed into DSI:

<code>
departmentNumber FORCE
</code>

Logs for this sync:

<code>
nov. 30 14:45:17 - INFO  - # Updating object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
nov. 30 14:45:17 - INFO  - # Updating object cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Mon Nov 30 14:45:17 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: modify
replace: departmentNumber
departmentNumber: DSI
-

# Mon Nov 30 14:45:17 CET 2015
dn: cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: modify
replace: departmentNumber
departmentNumber: DSI
-

nov. 30 14:45:17 - INFO  - All entries: 5, to modify entries: 2, successfully modified entries: 2, errors: 0
</code>

===== deletion =====

To delete an account, add the option ''-c,--clean'' (Cleaning type: one of the available tasks or 'all'), and also make sure the source does not contain zero entries; otherwise, as a safety measure, lsc deletes nothing:

<code>
déc. 01 14:29:00 - INFO  - Starting sync for user
déc. 01 14:29:00 - ERROR - Empty or non existant source (no IDs found)
</code>

Here is an example of the deletion of an entry removed at the source:

<code>
[root@lsc ldap2ldapmintel]# lsc -s user -c user --config /etc/lsc/ldap2ldapmintel/
...
déc. 01 15:21:52 - INFO  - Reflections took 104 ms to scan 1 urls, producing 55 keys and 115 values
déc. 01 15:21:52 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap2ldapmintel/logback.xml
déc. 01 15:21:52 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap2ldapmintel/
déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://ldap4.tem-tsp.eu:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
déc. 01 15:21:52 - INFO  - Starting sync for user
déc. 01 15:21:52 - ERROR - Empty or non existant source (no IDs found)
déc. 01 15:21:52 - INFO  - Starting clean for user
déc. 01 15:21:52 - INFO  - # Removing object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Tue Dec 01 15:21:52 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: delete

déc. 01 15:21:52 - INFO  - All entries: 6, to modify entries: 1, successfully modified entries: 1, errors: 0
</code>
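As an added example, not code from the LSC project or from this page, the JavaScript below models the ldap2ldap task configured in the Config LSC, attribute modification and deletion sections above: the destination DN is built from the source ''cn'' with an RFC 4514-escaped RDN value (the role ''javax.naming.ldap.Rdn.escapeValue'' plays in the page's ''js:'' expression), only the white-pages attributes and the four listed objectClasses are copied, ''departmentNumber'' MCI is rewritten to DSI, and the run produces add/modify/delete operations rendered as LDIF, with an empty source yielding the "Empty or non existant source" error instead of deletes. The function names, the in-memory entry maps and the sample people are all constructed for the example; base64 encoding uses Node's ''Buffer''.

```javascript
// Added example (not LSC's own code): plain-JavaScript model of the ldap2ldap task on this page.
// Names, data structures and sample entries are constructed for the example.

const DEST_BASE = 'ou=evry,ou=people,dc=mines-telecom,dc=fr';
const KEPT_ATTRS = ['cn', 'mail', 'sn', 'departmentNumber', 'employeeType', 'givenName', 'telephoneNumber'];
const DEST_OBJECTCLASSES = ['inetOrgPerson', 'organizationalPerson', 'person', 'top'];

// RFC 4514 escaping of an attribute value placed in a DN: a cn such as
// "Martin, Jacques" must not be able to add a second RDN to the destination DN.
function escapeRdnValue(value) {
  let out = String(value).replace(/([\\,+"<>;])/g, '\\$1');
  if (out.startsWith(' ') || out.startsWith('#')) out = '\\' + out;
  if (out.endsWith(' ') && out !== '\\ ') out = out.slice(0, -1) + '\\ ';
  return out;
}

// Same DN rule as the page's js: expression, without the LSC bean API.
function destinationDn(src) {
  return 'cn=' + escapeRdnValue(src.cn) + ',' + DEST_BASE;
}

// Keep only white-pages attributes, rewrite departmentNumber MCI -> DSI, and set
// the four objectClasses the page's configuration lists for the destination.
function mapEntry(src) {
  const dst = {};
  for (const attr of KEPT_ATTRS) if (src[attr] !== undefined) dst[attr] = src[attr];
  if (dst.departmentNumber === 'MCI') dst.departmentNumber = 'DSI';
  dst.objectClass = DEST_OBJECTCLASSES.slice();
  return dst;
}

// Multi-valued attributes are compared as sets; undefined means "absent".
function sameValues(a, b) {
  const norm = (v) => [].concat(v === undefined ? [] : v).map(String).sort().join('\u0000');
  return norm(a) === norm(b);
}

function changedAttributes(existing, wanted) {
  const changes = {};
  for (const attr of Object.keys(wanted)) {
    if (!sameValues(existing[attr], wanted[attr])) changes[attr] = wanted[attr];
  }
  return changes;
}

// One run: sync adds/updates destination entries from the source; clean deletes
// destination entries with no source counterpart, except when the source is empty.
function planRun(sourceEntries, destEntries, { clean = false } = {}) {
  const ops = [];
  const wanted = new Map(sourceEntries.map((src) => [destinationDn(src), mapEntry(src)]));
  for (const [dn, attrs] of wanted) {
    const existing = destEntries.get(dn);
    if (!existing) {
      ops.push({ type: 'add', dn, attrs });
    } else {
      const changes = changedAttributes(existing, attrs);
      if (Object.keys(changes).length > 0) ops.push({ type: 'modify', dn, changes });
    }
  }
  if (clean) {
    if (wanted.size === 0) {
      ops.push({ type: 'error', message: 'Empty or non existant source (no IDs found)' });
    } else {
      for (const dn of destEntries.keys()) if (!wanted.has(dn)) ops.push({ type: 'delete', dn });
    }
  }
  return ops;
}

// LDIF rendering (RFC 2849): values that are not "safe strings" (non-ASCII,
// leading space, ':' or '<') are base64-encoded with the "::" form, as in the page's logs.
function ldifLine(attr, value) {
  const s = String(value);
  const safe = /^([\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*)?$/.test(s);
  return safe ? attr + ': ' + s : attr + ':: ' + Buffer.from(s, 'utf8').toString('base64');
}

function toLdif(op) {
  const lines = ['dn: ' + op.dn];
  if (op.type === 'add') {
    lines.push('changetype: add');
    for (const [attr, v] of Object.entries(op.attrs)) for (const x of [].concat(v)) lines.push(ldifLine(attr, x));
  } else if (op.type === 'modify') {
    lines.push('changetype: modify');
    for (const [attr, v] of Object.entries(op.changes)) {
      lines.push('replace: ' + attr);
      for (const x of [].concat(v)) lines.push(ldifLine(attr, x));
      lines.push('-');
    }
  } else if (op.type === 'delete') {
    lines.push('changetype: delete');
  }
  return lines.join('\n');
}

// Constructed sample data (fictitious people): one source entry already present at the
// destination with the old departmentNumber, one whose cn contains a comma, and one stale entry.
const SOURCE = [
  { cn: 'Jacques MARTIN', sn: 'MARTIN', givenName: 'Jacques', mail: 'jacques.martin@example.org',
    departmentNumber: 'MCI', employeeType: 'Professeur invité', telephoneNumber: '+33100000000',
    objectClass: ['inetOrgPerson', 'supannPerson', 'top'], supannEmpId: '1234' },
  { cn: 'Martin, Jacques', sn: 'Martin', departmentNumber: 'INFO', objectClass: ['inetOrgPerson'] },
];
const DEST = new Map([
  ['cn=Jacques MARTIN,' + DEST_BASE, { cn: 'Jacques MARTIN', sn: 'MARTIN', givenName: 'Jacques',
    mail: 'jacques.martin@example.org', departmentNumber: 'MCI', employeeType: 'Professeur invité',
    telephoneNumber: '+33100000000', objectClass: DEST_OBJECTCLASSES.slice() }],
  ['cn=Albert MARTIN,' + DEST_BASE, { cn: 'Albert MARTIN', sn: 'MARTIN', objectClass: DEST_OBJECTCLASSES.slice() }],
]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const op of planRun(SOURCE, DEST, { clean: true })) console.log(toLdif(op) + '\n');
  console.log(planRun([], DEST, { clean: true })[0].message);
}
```

Run with ''node'' to print the modify for Jacques MARTIN (the same ''replace: departmentNumber'' LDIF the page logs), the add for the comma-containing cn with its escaped RDN, the delete of the stale entry, and finally the empty-source error from a clean run against no source entries.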