Full LDIF import

Importing the whole database

[root@ldapmaster schema]# time slapadd -f /etc/openldap/slapd.conf -l /usr/local/ldapbackup2/jour-2014-01-09.ldif
...
added: "uid=testgil,ou=People,dc=int-evry,dc=fr" (0000164d)
*#################### 100.00% eta   none elapsed          01m04s spd   3.2 M/s 
Closing DB...

real	1m5.250s
user	0m28.635s
sys	0m15.655s

admin password

Generating it for the slapd.conf configuration:

CLI: slappasswd -h <scheme> -s <secret>
<scheme> is an RFC 2307 scheme such as {MD5}, {CRYPT} or {SSHA} (the default), and <secret> is the secret to hash.
The output can be copy-pasted into the LDAP configuration file as the rootpw value.

Example

# slappasswd -h  {SSHA}  -s secret
{SSHA}2c4m7rvutm1HrNFvthmeidRkWWLdERxQ
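An added example, not taken from the page, showing what slappasswd's {SSHA} output is made of and how to check a candidate secret against such a value with coreutils only. The layout is base64( SHA1(secret || salt) || salt ); the 4-byte salt is slappasswd's default, and ssha_make / ssha_verify / hex2bin are my own names.

```shell
#!/bin/sh
# Build and verify RFC 2307 {SSHA} values of the kind slappasswd -h {SSHA}
# emits for rootpw. The salt is handled as hex throughout so that no raw
# binary ever passes through a shell variable.

hex2bin() {   # hex2bin <even-length hex string>: write the raw bytes to stdout
  h=$1
  while [ -n "$h" ]; do
    printf "\\$(printf '%03o' "0x${h%"${h#??}"}")"   # first byte as \ooo escape
    h=${h#??}
  done
}

ssha_make() {  # ssha_make <secret> <salt-hex>: print the {SSHA} string
  digest=$({ printf '%s' "$1"; hex2bin "$2"; } | sha1sum | cut -c1-40)
  printf '{SSHA}%s\n' "$(hex2bin "$digest$2" | base64 | tr -d '\n')"
}

ssha_verify() { # ssha_verify <{SSHA}value> <secret>: 0 match, 1 mismatch, 2 malformed
  case $1 in '{SSHA}'*) ;; *) return 2 ;; esac
  raw=$(printf '%s' "$1" | cut -c7- | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  [ "${#raw}" -gt 40 ] || return 2          # 20-byte digest (40 hex) plus salt
  stored=$(printf '%s' "$raw" | cut -c1-40)
  salt=$(printf '%s' "$raw" | cut -c41-)
  recomputed=$({ printf '%s' "$2"; hex2bin "$salt"; } | sha1sum | cut -c1-40)
  [ "$recomputed" = "$stored" ]
}

# Demo with a constructed salt ("abcd"); slappasswd picks a random one.
ssha_make secret 61626364
```

The value produced by the slappasswd run above can be checked the same way: ssha_verify '{SSHA}…' secret returns 0 only when the secret matches.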

Dynamic configuration (2.4)

Since OpenLDAP 2.4, the configuration is dynamic (stored in LDAP itself, under /etc/openldap/slapd.d).

Ideally this feature would be used fully, with LDAP commands modifying the dynamic configuration directly. Out of “old habits”, a script that automatically generates the dynamic configuration is used here instead.

Dynamic conversion script

Traditional slapd.conf-based configuration, with generation in slapd.d of the dynamic configuration expected by OpenLDAP 2.4

Script

Home-made script “olcgene.sh” that generates slapd.d from slapd.conf

[root@ldapmaster openldap]# cat olcgene.sh 
/etc/init.d/slapd stop
cd /etc/openldap/slapd.d
rm -rf *
cd ..
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap
/etc/init.d/slapd start
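A hardened variant of olcgene.sh, added here as an example and not the page's script: it only ever empties an absolute .../slapd.d path, validates slapd.conf with slaptest -u into a scratch directory before touching the live one, and never runs rm -rf after a failed cd. It assumes the same paths as above, root privileges, slaptest on PATH, and that slapd is driven through systemctl when present and /etc/init.d/slapd otherwise; regen_olc, olc_dir_ok and slapd_ctl are my own names.

```shell
#!/bin/sh
# Hardened rewrite of olcgene.sh (added example, not the page's script).

slapd_ctl() {   # slapd_ctl start|stop
  if command -v systemctl >/dev/null 2>&1; then systemctl "$1" slapd
  else /etc/init.d/slapd "$1"; fi
}

# Only an absolute path whose last component is slapd.d, without "..",
# may be emptied: this is the guard the original rm -rf * lacked.
olc_dir_ok() {
  case $1 in
    *..*|*[[:space:]]*) return 1 ;;
    /*/slapd.d)         return 0 ;;
    *)                  return 1 ;;
  esac
}

# regen_olc <slapd.conf> <slapd.d>: validate first, then regenerate cn=config
regen_olc() {
  conf=$1; dir=$2
  [ -f "$conf" ] || { echo "regen_olc: no such file: $conf" >&2; return 1; }
  olc_dir_ok "$dir" || { echo "regen_olc: refusing to empty '$dir'" >&2; return 1; }
  # Dry run into a scratch directory, so a broken slapd.conf (e.g. the
  # Latin-1 schema problem) never leaves the live slapd.d empty.
  tmp=$(mktemp -d) || return 1
  if ! slaptest -u -f "$conf" -F "$tmp" >/dev/null 2>&1; then
    rm -rf "$tmp"
    echo "regen_olc: $conf fails slaptest -u, keeping current $dir" >&2
    return 1
  fi
  rm -rf "$tmp"
  slapd_ctl stop || return 1
  mkdir -p "$dir" || return 1
  find "$dir" -mindepth 1 -delete || return 1   # no cd, no bare rm -rf *
  slaptest -f "$conf" -F "$dir" || return 1
  chown -R ldap:ldap "$dir" /var/lib/ldap
  slapd_ctl start
}

# usage: sh regen_olc.sh /etc/openldap/slapd.conf /etc/openldap/slapd.d
if [ "$#" -eq 2 ]; then regen_olc "$1" "$2"; fi
```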

On the first run I got this kind of error

[root@ldapmaster openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config_build_attrs: error 21 on olcAttributeTypes value #25
config_build_entry: build "cn={17}int-evry" failed: ""
backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)

After reading http://opennomad.com/content/openldap-and-magic-latin-1-versus-unicode-schema, it becomes clear that this is an encoding problem in the schema files.

iconv UTF-8 conversion of the schemas

Conversion to UTF-8

[root@ldapmaster schema]# for x in *.schema; do iconv -f iso-8859-1 -t utf-8 ${x} > ${x}.new; done

Displaying the differences (spotting the files that cause the problem)

[root@ldapmaster schema]# for x in *.schema; do echo ${x}; diff ${x} ${x}.new; done
int-evry.schema
1c1
< #definitions propres � l'int
---
> #definitions propres à l'int

schac-20090326-1.4.0.schema
243c243
< # Descrip: Specifies a person�s home organization using the domain name 
---
> # Descrip: Specifies a person´s home organization using the domain name 

supann_2009.schema
9c9
< # Plac� sous l'arc 1.3.6.1.4.1.7135.1.2 du CRU
---
> # Placé sous l'arc 1.3.6.1.4.1.7135.1.2 du CRU
...
[root@ldapmaster schema]# mv int-evry.schema.new int-evry.schema
[root@ldapmaster schema]# mv schac-20090326-1.4.0.schema.new schac-20090326-1.4.0.schema
[root@ldapmaster schema]# mv supann_2009.schema.new supann_2009.schema
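An added example (not the page's loop) that converts only the schema files that are not already valid UTF-8: piping a file that is already UTF-8 through iconv -f iso-8859-1 re-encodes it and garbles every accented character, which is why the blanket loop above had to be followed by a manual diff. It assumes a glibc-style iconv, keeps each original as <file>.latin1, and fix_schema_encoding / is_utf8 are my own names.

```shell
#!/bin/sh
# Convert *.schema files to UTF-8 only when they are NOT already valid UTF-8
# (added example; the page converted every file and diffed afterwards).

# is_utf8 <file>: 0 when the file decodes cleanly as UTF-8
is_utf8() { iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1; }

# fix_schema_encoding <dir>: convert what needs it, print converted names
fix_schema_encoding() {
  dir=$1
  for f in "$dir"/*.schema; do
    [ -f "$f" ] || continue            # no match: the glob stays literal
    is_utf8 "$f" && continue           # already UTF-8: leave it alone
    cp -p "$f" "$f.latin1" || return 1 # keep the original for the diff
    # The old schema files were ISO-8859-1, as the page's diff shows
    iconv -f ISO-8859-1 -t UTF-8 "$f.latin1" > "$f" || return 1
    printf '%s\n' "${f##*/}"
  done
  return 0
}

# usage: sh fix_schema_encoding.sh /etc/openldap/schema
if [ "$#" -eq 1 ]; then fix_schema_encoding "$1"; fi
```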

This now goes through cleanly

[root@ldapmaster openldap]# ./olcgene.sh 
Stopping slapd:                                            [  OK  ]
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap/int: (2).
Expect poor performance for suffix "dc=int-evry,dc=fr".
config file testing succeeded
Starting slapd:                                            [  OK  ]

DB_CONFIG

Note the message above: “bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).”

We copy an example DB_CONFIG file into the database directory of our directory server and regenerate the configuration, which this time finishes without a warning.

[root@ldapmaster openldap]# cp /root/openldap/DB_CONFIG.example /var/lib/ldap
[root@ldapmaster openldap]# mv /var/lib/ldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapmaster openldap]# chown ldap /var/lib/ldap/DB_CONFIG
[root@ldapmaster openldap]# ./olcgene.sh 
Stopping slapd:                                            [  OK  ]
config file testing succeeded
Starting slapd:                                            [  OK  ]

Replication

Make sure the master's size limit does not block replication

Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 op=2 UNBIND
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 fd=18 closed
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 ACCEPT from IP=157.159.110.247:45775 (IP=0.0.0.0:636)
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 TLS established tls_ssf=256 ssf=256
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=system,dc=int-evry,dc=fr" method=128
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=System,dc=int-evry,dc=fr" mech=SIMPLE ssf=0
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 RESULT tag=97 err=0 text=
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH attr=* +
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=2 UNBIND
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 fd=18 closed

Here err=4 signals that the size limit was exceeded

http://www.zytrax.com/books/ldap/ch12/ ⇒ LDAP_SIZELIMIT_EXCEEDED 4 (x'04) An LDAP size limit was exceeded.
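An added detection example (not from the page): an awk filter over the slapd stats log that reports each search closed with err=4 together with the DN that bound on that connection, so a replication consumer being cut off by the size limit shows up from the master's log. The sample lines are the ones above plus one constructed normal search for contrast; sizelimit_hits and sample_log are my own names.

```shell
#!/bin/sh
# Report searches that ended in err=4 (sizeLimitExceeded) with the bind DN
# of the connection that issued them (added example, not from the page).

sample_log() { cat <<'EOF'
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=System,dc=int-evry,dc=fr" mech=SIMPLE ssf=0
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=2 UNBIND
Jan 10 13:17:00 ldapmaster slapd[17562]: conn=1020 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(uid=test)"
Jan 10 13:17:00 ldapmaster slapd[17562]: conn=1020 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
EOF
}

# sizelimit_hits: reads log lines on stdin, prints one line per err=4 search:
#   conn=<n> dn=<bind dn, or "anonymous"> nentries=<entries returned before the cut>
sizelimit_hits() {
  awk '
    / BIND dn="/ {                       # remember who bound on this connection
      match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
      match($0, /dn="[^"]*"/);  dn[c] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / SEARCH RESULT .* err=4( |$)/ {     # exactly err=4, not err=40 etc.
      match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
      match($0, /nentries=[0-9]+/); n = substr($0, RSTART + 9, RLENGTH - 9)
      printf "%s dn=%s nentries=%s\n", c, (c in dn) ? dn[c] : "anonymous", n
    }
    / UNBIND/ { match($0, /conn=[0-9]+/); delete dn[substr($0, RSTART, RLENGTH)] }
  '
}

sample_log | sizelimit_hits
```

On a live master the same filter runs as `grep slapd /var/log/messages | sizelimit_hits`, assuming loglevel stats is enabled.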

SSL

On CentOS, remember to enable the SSL startup option

[root@ldap1 openldap]# grep LDAPS /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
SLAPD_LDAPS=yes

On CentOS/RHEL 7

# grep ldaps /etc/sysconfig/slapd   
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Set up slapd.conf with the appropriate directives

TLSCACertificateFile /etc/pki/tls/certs/cachain-TERENA_UTN-USERFirst-Hardware_AddTrust.pem
TLSCertificateFile /etc/pki/tls/certs/cert-1075-wildcard.it-sudparis.eu.pem
TLSCertificateKeyFile /etc/pki/tls/private/wildcard_itsudparis.key

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3

And for command-line searches with ldapsearch, give the path of the root certificate in /etc/openldap/ldap.conf

[root@ldap4 openldap]# grep TLS_CACERT /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/add_trust_external_ca_root.pem
#TLS_CACERTDIR  /etc/openldap/certs

Example ldapsearch over SSL (-H ldaps…):

[root@ldap4 openldap]# ldapsearch -x uid=test -H ldaps://ldap-4.it-sudparis.eu -D cn=repl,ou=System,dc=int-evry,dc=fr -W cn -LL
Enter LDAP Password:
version: 1

dn: uid=test,ou=People,dc=int-evry,dc=fr
cn: test TEST

ldapadd

Example of adding a People object on the fly from an LDIF

[root@ldapmasterdev ldifs]# ldapadd -f ./annu-studpeople.ldif -D cn=admin,dc=ups,dc=fr -W -h localhost -v -x -W 
ldap_initialize( ldap://localhost )
Enter LDAP Password: 
add mailRoutingAddress:
	email@email
add eduPersonAffiliation:
	student
...
adding new entry "uid=caristan,ou=People,dc=ups,dc=fr"
modify complete

CentOS / RHEL 7

Install

# yum install openldap-servers
Installé :
  openldap-servers.x86_64 0:2.4.39-3.el7                                                                                                                                               
Dépendances installées :
  libtool-ltdl.x86_64 0:2.4.2-20.el7  

Enabling with systemctl

# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

# systemctl start slapd.service

# systemctl status slapd.service

slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
   Active: active (running) since Fri 2015-01-09 14:56:58 CET; 6s ago
  Process: 1319 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1295 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 1320 (slapd)
   CGroup: /system.slice/slapd.service
           `-1320 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session closed for user ldap
Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session closed for user ldap
Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session closed for user ldap
Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session closed for user ldap
Jan 09 14:56:58 japi slapd[1319]: @(#) $OpenLDAP: slapd 2.4.39 (Jun  9 2014 23:23:12) $
                                          mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Jan 09 14:56:58 japi systemd[1]: Started OpenLDAP Server Daemon.

CentOS 7 firewalld

The ldap service

Initially, by default, only the ssh service is open

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Listing services

Services are defined in XML files in a system directory tree

[root@ldap ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@ldap ~]# ls /usr/lib/firewalld/services/
amanda-client.xml  dhcp.xml               http.xml        kerberos.xml     libvirt.xml  nfs.xml      pmwebapis.xml   radius.xml        ssh.xml                  vnc-server.xml
bacula-client.xml  dns.xml                imaps.xml       kpasswd.xml      mdns.xml     ntp.xml      pmwebapi.xml    rpc-bind.xml      telnet.xml               wbem-https.xml
bacula.xml         ftp.xml                ipp-client.xml  ldaps.xml        mountd.xml   openvpn.xml  pop3s.xml       samba-client.xml  tftp-client.xml
dhcpv6-client.xml  high-availability.xml  ipp.xml         ldap.xml         ms-wbt.xml   pmcd.xml     postgresql.xml  samba.xml         tftp.xml
dhcpv6.xml         https.xml              ipsec.xml       libvirt-tls.xml  mysql.xml    pmproxy.xml  proxy-dhcp.xml  smtp.xml          transmission-client.xml

ldap rich rule

Adding an ldap rule for a source IP range

[root@ldap ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept'
success
[root@ldap ~]# firewall-cmd --reload
success
[root@ldap ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="177.169.222.0/24" service name="ldap" accept

lastbind rpm

Integrating lastbind into the openldap source package

Fetching the source package with yum

# yum install yum-utils
# yumdownloader --source openldap-servers
# ls -l openldap-2.4.39-6.el7.src.rpm 
-rw-r--r-- 1 root root 5593007 31 mars  21:19 openldap-2.4.39-6.el7.src.rpm

http://wiki.centos.org/HowTos/SetupRpmBuildEnvironment

# yum install rpm-build

Build the packages as an unprivileged user

[root@japi ~]# useradd builder
[root@japi ~]# su - builder
[builder@japi ~]$ ls
[builder@japi ~]$ mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
[builder@japi ~]$ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
[builder@japi ~]$ rpm -iv /tmp/openldap-2.4.39-6.el7.src.rpm 
[builder@japi ~]$ ls -l rpmbuild/SPECS/
total 76
-rw-rw-r-- 1 builder builder 76148 Mar  6 03:21 openldap.spec

Dependencies required for the build

[root@japi ~]# yum install nss-devel krb5-devel tcp_wrappers-devel unixODBC-devel glibc-devel libtool libtool-ltdl-devel groff perl-devel openssl-devel libdb-devel cracklib-devel perl-ExtUtils-Embed
Résumé de la transaction
=====================================================================================================
Installation   13 Paquets (+37 Paquets en dépendance)

Taille totale des téléchargements : 35 M
Taille d'installation : 83 M