Importing the whole database

  [root@ldapmaster schema]# time slapadd -f /etc/openldap/slapd.conf -l /usr/local/ldapbackup2/jour-2014-01-09.ldif
  ...
  added: "uid=testgil,ou=People,dc=int-evry,dc=fr" (0000164d)
  *#################### 100.00% eta none elapsed 01m04s spd 3.2 M/s
  Closing DB...

  real 1m5.250s
  user 0m28.635s
  sys 0m15.655s
Generating the password hash for the slapd.conf configuration:

CLI: slappasswd -h <scheme> -s <secret>, where <scheme> is an RFC 2307 scheme such as {MD5}, {CRYPT} or {SSHA} (the default) and <secret> is the secret to hash. The output can be copy-pasted into the LDAP configuration file for the rootpw field. Without -s, slappasswd prompts for the secret, which keeps it out of the shell history and the process list.

Example

  # slappasswd -h {SSHA} -s secret
  {SSHA}2c4m7rvutm1HrNFvthmeidRkWWLdERxQ
Since OpenLDAP 2.4, the configuration is dynamic (stored in LDAP under /etc/openldap/slapd.d).

Ideally this feature would be used fully, with LDAP commands modifying the dynamic configuration directly. For reasons of "old habits", a script that automatically generates the dynamic configuration is used here instead.

Traditional slapd.conf-based configuration, with generation into slapd.d of the dynamic configuration expected by OpenLDAP 2.4

In-house script "olcgene.sh", which generates slapd.d from slapd.conf
  [root@ldapmaster openldap]# cat olcgene.sh
  /etc/init.d/slapd stop
  # abort if the directory is missing, otherwise "rm -rf *" would run in the current directory
  cd /etc/openldap/slapd.d || exit 1
  rm -rf *
  cd ..
  /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  chown -R ldap:ldap /etc/openldap/slapd.d
  chown -R ldap:ldap /var/lib/ldap
  /etc/init.d/slapd start
On the first run I got this kind of error

  [root@ldapmaster openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  config_build_attrs: error 21 on olcAttributeTypes value #25
  config_build_entry: build "cn={17}int-evry" failed: ""
  backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1)
  slap_startup failed (test would succeed using the -u switch)
After reading http://opennomad.com/content/openldap-and-magic-latin-1-versus-unicode-schema it turns out to be an encoding problem in the schema files

Conversion to UTF-8

  [root@ldapmaster schema]# for x in *.schema; do iconv -f iso-8859-1 -t utf-8 ${x} > ${x}.new; done
Showing the differences (spotting the files that cause the problem)

  [root@ldapmaster schema]# for x in *.schema; do echo ${x}; diff ${x} ${x}.new; done
  int-evry.schema
  1c1
  < #definitions propres � l'int
  ---
  > #definitions propres à l'int
  schac-20090326-1.4.0.schema
  243c243
  < # Descrip: Specifies a person�s home organization using the domain name
  ---
  > # Descrip: Specifies a person´s home organization using the domain name
  supann_2009.schema
  9c9
  < # Plac� sous l'arc 1.3.6.1.4.1.7135.1.2 du CRU
  ---
  > # Placé sous l'arc 1.3.6.1.4.1.7135.1.2 du CRU
  ...
  [root@ldapmaster schema]# mv int-evry.schema.new int-evry.schema
  [root@ldapmaster schema]# mv schac-20090326-1.4.0.schema.new schac-20090326-1.4.0.schema
  [root@ldapmaster schema]# mv supann_2009.schema.new supann_2009.schema
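The iconv/diff/mv steps above can be automated so that only the schema files that are not valid UTF-8 get converted, and the originals are kept for a diff. The script below is an added example written for this page, not the wiki's olcgene.sh; it assumes, as on this page, that the offending files are ISO-8859-1 (another legacy encoding would need a different "-f" argument to iconv), and it builds its own sample files in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not part of the wiki): convert the *.schema files that are not
# valid UTF-8 from ISO-8859-1 to UTF-8 before running slaptest.
# Assumption: the non-UTF-8 files are Latin-1, as they were on this page.

# is_utf8 FILE : succeed only if FILE decodes as UTF-8 (iconv rejects bad bytes).
is_utf8() {
    iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
}

# convert_latin1_schemas DIR : convert the non-UTF-8 *.schema files in DIR in
# place (original kept as FILE.orig) and print the name of each converted file.
convert_latin1_schemas() {
    local dir="$1" f
    for f in "$dir"/*.schema; do
        [ -e "$f" ] || continue
        is_utf8 "$f" && continue
        iconv -f ISO-8859-1 -t UTF-8 "$f" > "$f.new" || return 1
        mv "$f" "$f.orig"
        mv "$f.new" "$f"
        basename "$f"
    done
}

# make_sample_dir : constructed sample data in a temp dir: one Latin-1 file
# (0xE0 is "à" in ISO-8859-1, the byte that showed up as "�" in the diff above)
# and one file that is already UTF-8.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '#definitions propres \340 l'"'"'int\n' > "$d/int-evry.schema"
    printf '# Plac\303\251 sous l'"'"'arc 1.3.6.1.4.1.7135.1.2 du CRU\n' > "$d/ok.schema"
    echo "$d"
}

d=$(make_sample_dir)
convert_latin1_schemas "$d"          # prints: int-evry.schema
diff "$d/int-evry.schema.orig" "$d/int-evry.schema" || true
rm -rf "$d"
```

Run it against /etc/openldap/schema instead of the sample directory, then review the FILE.orig/FILE diffs before regenerating slapd.d; a file that is already UTF-8 is left untouched, so the script is safe to run repeatedly.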
Things go better now

  [root@ldapmaster openldap]# ./olcgene.sh
  Stopping slapd: [ OK ]
  bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap/int: (2).
  Expect poor performance for suffix "dc=int-evry,dc=fr".
  config file testing succeeded
  Starting slapd: [ OK ]

Note the message above: "bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2)."

We copy an example DB_CONFIG file into the base directory of our directory server and regenerate the configuration, which this time completes without a warning.

  [root@ldapmaster openldap]# cp /root/openldap/DB_CONFIG.example /var/lib/ldap
  [root@ldapmaster openldap]# mv /var/lib/ldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  [root@ldapmaster openldap]# chown ldap /var/lib/ldap/DB_CONFIG
  [root@ldapmaster openldap]# ./olcgene.sh
  Stopping slapd: [ OK ]
  config file testing succeeded
  Starting slapd: [ OK ]
Make sure the master's size limit does not block replication

  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 op=2 UNBIND
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1012 fd=18 closed
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 ACCEPT from IP=157.159.110.247:45775 (IP=0.0.0.0:636)
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 fd=18 TLS established tls_ssf=256 ssf=256
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=system,dc=int-evry,dc=fr" method=128
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=System,dc=int-evry,dc=fr" mech=SIMPLE ssf=0
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 RESULT tag=97 err=0 text=
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
  Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH attr=* +
  Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
  Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=2 UNBIND
  Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 fd=18 closed

Here err=4 signals that the size limit was exceeded
http://www.zytrax.com/books/ldap/ch12/ ⇒ LDAP_SIZELIMIT_EXCEEDED 4 (x'04) An LDAP size limit was exceeded.
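The pattern in the log above (a BIND as the replication DN followed by a SEARCH RESULT with err=4 and nentries=500) can be picked out of slapd's syslog output automatically, which is handier than reading the whole file after a consumer stops refreshing. The script below is an added example written for this page, not something from the wiki; it assumes syslog-style slapd lines as shown above, takes the replicator DN as a parameter, and embeds a constructed sample log derived from those lines.

```shell
#!/usr/bin/env bash
# Added example (not part of the wiki): report connections where a given bind
# DN's search ended with err=4 (LDAP_SIZELIMIT_EXCEEDED). When that DN is the
# replication account, the provider has silently truncated the consumer's read.
# Assumption: syslog-style slapd log lines as on this page.

# Constructed sample log, derived from the lines shown above (shortened, plus
# one ordinary user connection and one replicator connection that succeeded).
SAMPLE_LOG='Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 BIND dn="cn=replicator,ou=system,dc=int-evry,dc=fr" method=128
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=0 RESULT tag=97 err=0 text=
Jan 10 13:16:02 ldapmaster slapd[17562]: conn=1013 op=1 SRCH base="dc=int-evry,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
Jan 10 13:16:08 ldapmaster slapd[17562]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Jan 10 13:16:09 ldapmaster slapd[17562]: conn=1014 op=0 BIND dn="uid=alice,ou=People,dc=int-evry,dc=fr" method=128
Jan 10 13:16:09 ldapmaster slapd[17562]: conn=1014 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Jan 10 13:16:10 ldapmaster slapd[17562]: conn=1015 op=0 BIND dn="cn=replicator,ou=system,dc=int-evry,dc=fr" method=128
Jan 10 13:16:12 ldapmaster slapd[17562]: conn=1015 op=1 SEARCH RESULT tag=101 err=0 nentries=1648 text='

# sizelimit_hits DN < log : print "conn=N nentries=M" for every connection bound
# as DN whose search finished with err=4. The DN comparison is case-insensitive
# because slapd logs it both as typed and normalized (ou=system / ou=System above).
sizelimit_hits() {
    awk -v dn="$1" '
        BEGIN { dn = tolower(dn) }
        / BIND dn=/ {
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/);  bound = tolower(substr($0, RSTART + 4, RLENGTH - 5))
            if (bound == dn) watched[conn] = 1; else delete watched[conn]
        }
        / SEARCH RESULT / && / err=4 / {
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART, RLENGTH)
            if (conn in watched) {
                match($0, /nentries=[0-9]+/)
                print conn, substr($0, RSTART, RLENGTH)
            }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | sizelimit_hits "cn=replicator,ou=system,dc=int-evry,dc=fr"
# prints: conn=1013 nentries=500
```

On a real host, feed it the slapd log instead of the sample (for example `sizelimit_hits "cn=replicator,..." < /var/log/slapd.log`). nentries=500 is slapd's default sizelimit, and the usual remedy on the provider is a per-DN exception in slapd.conf rather than raising the global limit, e.g. `limits dn.exact="cn=replicator,ou=system,dc=int-evry,dc=fr" size=unlimited time=unlimited`.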
On CentOS, remember to enable the SSL startup option

  [root@ldap1 openldap]# grep LDAPS /etc/sysconfig/ldap
  # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
  SLAPD_LDAPS=yes

On CentOS/RHEL 7

  # grep ldaps /etc/sysconfig/slapd
  # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
  SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Configure slapd.conf with the appropriate directives

  TLSCACertificateFile /etc/pki/tls/certs/cachain-TERENA_UTN-USERFirst-Hardware_AddTrust.pem
  TLSCertificateFile /etc/pki/tls/certs/cert-1075-wildcard.it-sudparis.eu.pem
  TLSCertificateKeyFile /etc/pki/tls/private/wildcard_itsudparis.key
  TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3

And for command-line searches with ldapsearch, give the path of the root certificate in /etc/openldap/ldap.conf

  [root@ldap4 openldap]# grep TLS_CACERT /etc/openldap/ldap.conf
  TLS_CACERT /etc/pki/tls/certs/add_trust_external_ca_root.pem
  #TLS_CACERTDIR /etc/openldap/certs
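A typo in one of the TLS* paths above only shows up when slapd is restarted, and a wrong TLS_CACERT on the client side just produces a TLS handshake error from ldapsearch. The check below is an added example written for this page, not part of the wiki or of OpenLDAP: it reads the file-path directives of a slapd.conf (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile) or of an ldap.conf (TLS_CACERT), reports paths that do not exist and a private key that is readable by everyone, and exercises itself on constructed files in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not part of the wiki): verify the certificate/key paths named
# in slapd.conf or ldap.conf before restarting slapd or testing with ldapsearch.
# Assumption: the account running the check can read the files slapd reads.

# check_tls_files CONF : print one "WARN ..." line per finding, return 1 if any.
check_tls_files() {
    local conf="$1" rc=0 directive value
    while read -r directive value; do
        case "$directive" in
            TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile|TLS_CACERT)
                value=${value%%[[:space:]]*}      # keep only the path
                if [ ! -r "$value" ]; then
                    echo "WARN $directive: $value missing or unreadable"; rc=1
                elif [ "$directive" = TLSCertificateKeyFile ] && \
                     [ -n "$(find "$value" -perm -004 2>/dev/null)" ]; then
                    # the private key must not be readable by "others"
                    echo "WARN $directive: $value is world-readable"; rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# make_sample : constructed stand-in for /etc/pki/tls and /etc/openldap in a
# temp dir: valid CA chain and cert, a key that is deliberately mode 644, and an
# ldap.conf pointing at a CA file that does not exist.
make_sample() {
    local d
    d=$(mktemp -d)
    : > "$d/cachain.pem"
    : > "$d/cert.pem"
    : > "$d/wildcard.key"
    chmod 644 "$d/wildcard.key"
    cat > "$d/slapd.conf" <<EOF
TLSCACertificateFile $d/cachain.pem
TLSCertificateFile $d/cert.pem
TLSCertificateKeyFile $d/wildcard.key
TLSCipherSuite HIGH:MEDIUM
EOF
    cat > "$d/ldap.conf" <<EOF
TLS_CACERT $d/missing-root.pem
#TLS_CACERTDIR /etc/openldap/certs
EOF
    echo "$d"
}

d=$(make_sample)
check_tls_files "$d/slapd.conf" || true      # reports the world-readable key
check_tls_files "$d/ldap.conf" || true       # reports the missing CA file
chmod 640 "$d/wildcard.key"
check_tls_files "$d/slapd.conf" && echo "slapd.conf TLS paths OK"
rm -rf "$d"
```

To use it on a server, call `check_tls_files /etc/openldap/slapd.conf` and `check_tls_files /etc/openldap/ldap.conf`; a non-zero exit status makes it easy to gate a configuration regeneration (such as olcgene.sh) on the check passing.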
Example ldapsearch over SSL (-H ldaps…):

  [root@ldap4 openldap]# ldapsearch -x uid=test -H ldaps://ldap-4.it-sudparis.eu -D cn=repl,ou=System,dc=int-evry,dc=fr -W cn -LL
  Enter LDAP Password:
  version: 1

  dn: uid=test,ou=People,dc=int-evry,dc=fr
  cn: test TEST

Example of adding a People object on the fly from an LDIF

  [root@ldapmasterdev ldifs]# ldapadd -f ./annu-studpeople.ldif -D cn=admin,dc=ups,dc=fr -W -h localhost -v -x -W
  ldap_initialize( ldap://localhost )
  Enter LDAP Password:
  add mailRoutingAddress: email@email
  add eduPersonAffiliation: student
  ...
  adding new entry "uid=caristan,ou=People,dc=ups,dc=fr"
  modify complete

Enabling with systemctl

  # systemctl enable slapd.service
  ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
  # systemctl start slapd.service
  # systemctl status slapd.service
  slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
     Active: active (running) since Fri 2015-01-09 14:56:58 CET; 6s ago
    Process: 1319 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
    Process: 1295 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
   Main PID: 1320 (slapd)
     CGroup: /system.slice/slapd.service
             `-1320 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

  Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
  Jan 09 14:56:58 japi runuser[1309]: pam_unix(runuser:session): session closed for user ldap
  Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
  Jan 09 14:56:58 japi runuser[1311]: pam_unix(runuser:session): session closed for user ldap
  Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
  Jan 09 14:56:58 japi runuser[1313]: pam_unix(runuser:session): session closed for user ldap
  Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
  Jan 09 14:56:58 japi runuser[1315]: pam_unix(runuser:session): session closed for user ldap
  Jan 09 14:56:58 japi slapd[1319]: @(#) $OpenLDAP: slapd 2.4.39 (Jun 9 2014 23:23:12) $ mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
  Jan 09 14:56:58 japi systemd[1]: Started OpenLDAP Server Daemon.