OpenLDAP on CentOS 8

Context

Red Hat (RHEL 8) no longer provides openldap-servers:

el8 openldap-servers packages

Reference docs

LTB openldap-servers repository

vi /etc/yum.repos.d/ltb-project.repo

[root@ldapex ~]# cat /etc/yum.repos.d/ltb-project.repo
[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

[root@ldapex ~]# yum update
LTB project packages                                                                                37 kB/s |  40 kB     00:01    

[root@ldapex ~]# rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project

Install

[root@ldapex ~]# yum install openldap-ltb
Dernière vérification de l’expiration des métadonnées effectuée il y a 0:01:34 le jeu. 09 janv. 2020 21:40:13 CET.
Dépendances résolues.
===================================================================================================================================
 Paquet                         Architecture           Version                                   Dépôt                       Taille
===================================================================================================================================
Installing:
 openldap-ltb                   x86_64                 2.4.48-2.el8                              ltb-project                 2.9 M
Installation des dépendances:
 libtool-ltdl                   x86_64                 2.4.6-25.el8                              BaseOS                       58 k
 berkeleydb-ltb                 x86_64                 4.6.21.NC-4.el8.patch4                    ltb-project                 5.7 M

Résumé de la transaction
===================================================================================================================================
Installer  3 Paquets

Taille totale des téléchargements : 8.6 M
Taille des paquets installés : 38 M

Installé:
  openldap-ltb-2.4.48-2.el8.x86_64       libtool-ltdl-2.4.6-25.el8.x86_64       berkeleydb-ltb-4.6.21.NC-4.el8.patch4.x86_64      

The whole openldap-servers installation lives in /usr/local/openldap!

Initial state

[root@ldapex ~]# systemctl status slapd.service
● slapd.service - OpenLDAP LTB startup script
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://ltb-project.org/documentation

Dynamic OLC configuration

https://ltb-project.org/documentation/general/migrate_slapd_conf_cn_config

[root@ldapfr8 ~]# mkdir /usr/local/openldap/etc/openldap/slapd.d
[root@ldapfr8 ~]# cp /usr/local/openldap/etc/openldap/slapd.conf /usr/local/openldap/etc/openldap/slapd.conf.dist
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# ls -l /usr/local/openldap/var/openldap-data
-rw-r--r-- 1 ldap ldap  924 29 août  20:52 DB_CONFIG
-rw------- 1 ldap ldap  845 29 août  20:52 DB_CONFIG.example
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d -d 256
5e1796ed mdb_db_open: database "dc=int,dc=fr" cannot be opened: No such file or directory (2). Restore from backup!
5e1796ed backend_startup_one (type=mdb, suffix="dc=int,dc=fr"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@ldapfr8 ~]# chown -R ldap.ldap /usr/local/openldap/etc/openldap/slapd.d

cn=config access

The access rules for cn=config must be declared so that peercred access (-Y EXTERNAL) over ldapi works

https://serverfault.com/questions/938235/openldap-cn-config-no-such-object-32

So we add to slapd.conf access for the system root account gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to cn=config, and take the opportunity to also declare the monitor database for future monitoring.

## JP enable on-the-fly configuration (cn=config)
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * read

## JP enable server status monitoring (cn=monitor)
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=manager,dc=int,dc=fr" read
    by * none
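The ACL above is the security-relevant part of this step: `by * read` on `database config` lets any client, anonymous binds included, read the whole cn=config tree, including the olcRootPW hashes queried further down in the "LDAP admin account" section. The script below is an added example (not code from this page or from the LTB project): it parses the slapd.conf `database` / `access to ... by ...` directives and flags cn=config clauses that grant search or better to `*`, `anonymous` or `users`. Both slapd.conf fragments embedded in it are constructed samples; the "hardened" variant, which keeps only the root peercred identity, is a hypothetical alternative, not a change the page makes.

```python
"""Audit the ACLs that slapd.conf declares on the cn=config database.

Added example, not code from the page or from the LTB project: it parses the
"database" / "access to ... by ..." directives of slapd.conf and flags clauses
that let anonymous or any authenticated client read cn=config.
"""
import re

PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Constructed sample 1: the cn=config and cn=monitor ACLs shown on the page.
ACLS_FROM_PAGE = f"""
## enable on-the-fly configuration (cn=config)
database config
access to *
    by dn.exact="{PEERCRED_ROOT}" manage
    by * read

## enable server status monitoring (cn=monitor)
database monitor
access to *
    by dn.exact="{PEERCRED_ROOT}" read
    by dn.exact="cn=manager,dc=int,dc=fr" read
    by * none
"""

# Constructed sample 2 (hypothetical hardened variant): only the local root
# peercred identity can touch cn=config; everyone else gets nothing.
ACLS_HARDENED = f"""
database config
access to *
    by dn.exact="{PEERCRED_ROOT}" manage
    by * none
"""

# Access levels from slapd.access(5), weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Letters used by explicit privilege sets such as "=rscx".
LETTER_LEVEL = {"m": "manage", "w": "write", "r": "read", "s": "search",
                "c": "compare", "x": "auth", "d": "disclose"}
CONTROLS = {"stop", "continue", "break"}
BY_CLAUSE = re.compile(r"\bby\s+(\S+)\s+(\S+)")


def rank(level):
    """Index of an access level in LEVELS (0 for anything unrecognised)."""
    if level.startswith(("=", "+", "-")):
        found = [LEVELS.index(LETTER_LEVEL[c]) for c in level[1:] if c in LETTER_LEVEL]
        return max(found, default=0)
    if level.startswith("self"):          # selfwrite and friends
        level = level[4:]
    return LEVELS.index(level) if level in LEVELS else 0


def join_continuations(text):
    """Fold slapd.conf continuation lines (leading whitespace) onto the directive line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_acls(text):
    """Yield (database, target, [(who, level), ...]) for each access directive."""
    database = "(global)"
    for line in join_continuations(text):
        tokens = line.split(None, 2)
        if tokens[0] == "database" and len(tokens) > 1:
            database = tokens[1]
        elif tokens[0] == "access" and len(tokens) == 3 and tokens[1] == "to":
            target, _, rest = tokens[2].partition(" by ")
            clauses = [(who, level) for who, level in BY_CLAUSE.findall("by " + rest)
                       if level not in CONTROLS]
            yield database, target.strip(), clauses


def audit_config_acls(text):
    """Findings for cn=config clauses granting search or better to *, anonymous or users."""
    findings = []
    for database, target, clauses in parse_acls(text):
        if database != "config":
            continue
        for who, level in clauses:
            if who in ("*", "anonymous", "users") and rank(level) >= LEVELS.index("search"):
                findings.append(f"cn=config: 'access to {target}' grants {level} to {who}; "
                                "olcRootPW hashes and the whole OLC tree become readable")
    return findings


if __name__ == "__main__":
    for name, text in (("page", ACLS_FROM_PAGE), ("hardened", ACLS_HARDENED)):
        print(name, audit_config_acls(text) or ["no findings"])
```

Run it against your real slapd.conf by replacing the embedded sample with `open(path).read()`. The peercred identity keeps `manage` in both variants, so `ldapsearch -Y EXTERNAL` over ldapi as root keeps working after the tightening; only remote and anonymous readers lose access.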

Resulting OLC:

[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config
total 108
-rw------- 1 ldap ldap 86116 10 janv. 18:28 'cn=schema.ldif'
drwxr-x--- 2 ldap ldap  4096 10 janv. 18:28 'cn=schema'
-rw------- 1 ldap ldap   689 10 janv. 18:28 'olcDatabase={2}monitor.ldif'
-rw------- 1 ldap ldap   846 10 janv. 18:28 'olcDatabase={1}mdb.ldif'
-rw------- 1 ldap ldap   596 10 janv. 18:28 'olcDatabase={-1}frontend.ldif'
-rw------- 1 ldap ldap   663 10 janv. 18:28 'olcDatabase={0}config.ldif'

Update the configuration path in /usr/local/openldap/etc/openldap/slapd-cli.conf

[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd-cli.conf
[root@ldapfr8 ~]# grep SLAPD_CONF_DIR /usr/local/openldap/etc/openldap/slapd-cli.conf
SLAPD_CONF_DIR="$SLAPD_PATH/etc/openldap/slapd.d"

Initial start

[root@ldapfr8 ~]# systemctl start slapd.service 
[root@ldapfr8 ~]# systemctl status slapd.service 
● slapd.service - OpenLDAP LTB startup script
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-09 22:19:11 CET; 2s ago
     Docs: https://ltb-project.org/documentation
  Process: 922 ExecStart=/usr/local/openldap/sbin/slapd-cli start (code=exited, status=0/SUCCESS)
 Main PID: 954 (slapd)
    Tasks: 2 (limit: 26213)
   Memory: 5.0M
   CGroup: /system.slice/slapd.service
           └─954 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/loca>

janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configura>
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Create LDAPI socket dir /var/run/slapd
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP configuration test...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP configuration test successful
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] No db_recover done
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] File descriptor limit set to 1024
janv. 09 22:19:10 ldapfr8 slapd[953]: @(#) $OpenLDAP: slapd 2.4.48 (Aug 29 2019 14:52:08) $ 
clement@kptn-rhel8.example.com:/home/clement/build/BUILD/openldap-2.4.48/servers/>
janv. 09 22:19:11 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP started
janv. 09 22:19:11 ldapfr8 systemd[1]: Started OpenLDAP LTB startup script.

Database mdb

[root@ldapfr8 ~]# ls -ltr /usr/local/openldap/var/openldap-data
total 24
-rw------- 1 ldap ldap   845 29 août  20:52 DB_CONFIG.example
-rw-r--r-- 1 ldap ldap   924 29 août  20:52 DB_CONFIG
-rw------- 1 ldap ldap  8192  9 janv. 22:19 lock.mdb
-rw------- 1 ldap ldap 12288  9 janv. 22:19 data.mdb

Initial configuration

Only the core schema is present by default

[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config/cn\=schema
total 16
-rw------- 1 ldap ldap 15546 10 janv. 12:21 'cn={0}core.ldif'

The root DSE does list our initial MDB database

[root@ldap8 ~]# ldapsearch -H ldap:// -x -s base -b "" -LLL "+"
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=int,dc=fr
monitorContext: cn=Monitor

...
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

Querying the base configuration context cn=config over a SASL bind (-Y) on a Unix socket (ldapi), showing only the DNs (not the attributes; drop dn for the details) :!: here ldapi runs on the socket

ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi

see slapd-cli.conf and the ps auwx output below :!:

[root@ldap8 openldap]# ps auwx | grep slapd
ldap      1971  0.0  0.8 1281088 4268 ?        Ssl  18:28   0:00 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
root      1983  0.0  0.1 221840   716 pts/0    S+   18:34   0:00 grep --color=auto slapd
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}monitor,cn=config

Global parameters

Global parameters of the OpenLDAP service, which apply to all sub-contexts / DITs

[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0
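Several of the values above are worth a second look from a hardening point of view: olcTLSProtocolMin 0.0 sets no floor on the TLS version, olcLogLevel 0 logs no operations (so there is nothing to feed a SIEM), olcIdleTimeout 0 never closes idle connections, while olcSaslSecProps noplain,noanonymous is already the safe choice. The script below is an added example (not code from this page or from the LTB project): a small RFC 2849 LDIF parser that handles folded lines and base64 values, fed with a constructed subset of the olcGlobal entry above, followed by baseline checks. The thresholds are the editor's own; the "3.3" encoding of TLS 1.2 is the one slapd.conf(5) documents for TLSProtocolMin.

```python
"""Baseline checks on the olcGlobal entry of cn=config.

Added example (not from the page or the LTB project): parses the LDIF that
`ldapsearch -b cn=config -s base` prints and flags settings worth reviewing.
Thresholds are the editor's own, not OpenLDAP defaults.
"""
import base64

# Constructed sample: a subset of the page's olcGlobal entry, plus a folded
# line and a base64 value so the parser's two special cases are exercised.
SAMPLE_GLOBAL = """dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: /usr/local/openldap/etc/openldap/
 slapd.d
olcIdleTimeout: 0
olcLocalSSF: 71
olcLogLevel: 0
olcSaslSecProps: noplain,noanonymous
olcTLSProtocolMin: 0.0
olcTLSVerifyClient: never
description:: Y29uc3RydWN0ZWQ=
"""

TLS12 = 3.3   # olcTLSProtocolMin encodes TLS 1.2 as "3.3" (SSL 3.x numbering)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding and decoding base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:        # RFC 2849 folded continuation
            unfolded[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):                    # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def check_globals(attrs):
    """Return (attribute, value, why) findings for the olcGlobal settings."""
    def first(name, default):
        return attrs.get(name, [default])[0]

    findings = []
    tls_min = first("olcTLSProtocolMin", "0.0")
    if float(tls_min) < TLS12:
        findings.append(("olcTLSProtocolMin", tls_min,
                         "no floor on the TLS version; 3.3 requires TLS 1.2"))
    log_level = first("olcLogLevel", "0")
    if log_level == "0":
        findings.append(("olcLogLevel", log_level,
                         "no operation logging; 'stats' logs one line per operation"))
    props = set(first("olcSaslSecProps", "").split(","))
    for needed in ("noplain", "noanonymous"):
        if needed not in props:
            findings.append(("olcSaslSecProps", ",".join(sorted(props)), f"missing {needed}"))
    if first("olcIdleTimeout", "0") == "0":
        findings.append(("olcIdleTimeout", "0", "idle connections are never closed by the server"))
    return findings


if __name__ == "__main__":
    for attr, value, why in check_globals(parse_ldif_entry(SAMPLE_GLOBAL)):
        print(f"{attr}={value}: {why}")
```

On a live server, pipe the output of the ldapsearch shown above into `parse_ldif_entry`; the LDAPI peercred bind used on this page is enough to read cn=config, so no extra credentials are needed for the check.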

LDAP admin account

Default LDAP admin account

[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=int,dc=fr
olcRootDN: cn=manager,dc=int,dc=fr
olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/0

Schemas

Adding schemas via slapd.conf and converting them to dynamic cn=config

include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/duaconf.schema
include         /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/java.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include         /usr/local/openldap/etc/openldap/schema/collective.schema
include         /usr/local/openldap/etc/openldap/schema/supann-2019-02-05.schema
include         /usr/local/openldap/etc/openldap/schema/eduperson-200412.schema
include         /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
include         /usr/local/openldap/etc/openldap/schema/samba.schema
include         /usr/local/openldap/etc/openldap/schema/autofs.schema

Result after stopping slapd, converting with

/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d

then starting slapd

[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}corba,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: cn={12}supann-2019-02-05,cn=schema,cn=config
dn: cn={13}eduperson-200412,cn=schema,cn=config
dn: cn={14}schac-20090326-1,cn=schema,cn=config
dn: cn={15}samba,cn=schema,cn=config
dn: cn={16}autofs,cn=schema,cn=config

MDB root tree

LDIF file for the root of the tree

# cat /root/Ldifs/root-tree-int.ldif
dn: dc=int,dc=fr
dc: int
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: int.fr

ldapadd of the root

[root@ldap8 openldap]# ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -f /root/Ldifs/root-tree-int.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=int,dc=fr"

Initial import / restore

If this is a migration, the content of the existing directory must be recovered from an LDIF export of the old server and imported into the new instance; the root entry above is then not needed and will in fact cause a conflict if it already exists (otherwise remove it from the import LDIF).

Rebuilding from scratch

We start from nothing and rebuild the whole directory with a script (useful when the operation is repeated)

Empty the DB files after stopping slapd :!: this destroys the whole directory :!: :

[root@ldap8 var]# systemctl stop slapd.service 

[root@ldap8 var]# rm openldap-data/*
rm : supprimer 'openldap-data/data.mdb' du type fichier ? y
rm : supprimer 'openldap-data/lock.mdb' du type fichier ? y

Rebuilding the dynamic configuration (OLC) from a slapd.conf

[root@ldap8 openldap]# ./olcgene.sh 
5e2af9bf /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
config file testing succeeded
Job for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.
[root@ldap8 openldap]# time /usr/local/openldap/sbin/slapadd -l /root/jour-2020-01-21.ldif -f /usr/local/openldap/etc/openldap/slapd.conf -b "dc=int,dc=fr" 
5e2af79d /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
.#################### 100.00% eta   none elapsed             08s spd  20.1 M/s 
Closing DB...

real	0m8,837s
user	0m2,902s
sys	0m4,095s
[root@ldap8 openldap]# 
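The olcgene.sh script used above is not shown on this page. The runbook below is an added example, an assumed reconstruction of the rebuild sequence (stop, wipe the MDB files, regenerate slapd.d from slapd.conf, slapadd the export, restart), not the page's own script. Paths follow the LTB layout under /usr/local/openldap; the ldap:ldap ownership matches the `-u ldap -g ldap` in the ps output earlier on the page. Two choices differ from the transcript and are deliberate: only `*.mdb` files are deleted rather than `openldap-data/*`, and a `chown` follows slapadd, because slapadd run as root leaves root-owned data.mdb/lock.mdb that slapd running as ldap cannot open. The `data_dir` guard and the dry-run `run()` wrapper are the editor's additions; nothing is executed unless `execute=True`.

```python
"""Runbook: rebuild the directory from slapd.conf + an LDIF export.

Added example; the page's olcgene.sh is not shown, so this is an assumed
reconstruction of the listed steps, not the page's script. Paths assume the
LTB layout under /usr/local/openldap.
"""
import shlex
import subprocess

PREFIX = "/usr/local/openldap"


def rebuild_commands(ldif, suffix, prefix=PREFIX, data_dir=None):
    """Return the ordered argv lists for the rebuild; nothing is executed here."""
    etc = f"{prefix}/etc/openldap"
    slapd_d = f"{etc}/slapd.d"
    data_dir = data_dir or f"{prefix}/var/openldap-data"
    # Guard (editor's addition): only ever wipe a directory named openldap-data.
    if not data_dir.endswith("/openldap-data"):
        raise ValueError(f"refusing to wipe {data_dir}")
    return [
        ["systemctl", "stop", "slapd.service"],
        # drop only the MDB files (data.mdb, lock.mdb), keep DB_CONFIG and friends
        ["find", data_dir, "-maxdepth", "1", "-type", "f", "-name", "*.mdb", "-delete"],
        # slaptest -F does not overwrite an existing slapd.d, so clear it first
        ["find", slapd_d, "-mindepth", "1", "-delete"],
        [f"{prefix}/sbin/slaptest", "-f", f"{etc}/slapd.conf", "-F", slapd_d],
        # offline bulk load against the freshly generated OLC
        [f"{prefix}/sbin/slapadd", "-F", slapd_d, "-b", suffix, "-l", ldif],
        # slapadd as root leaves root-owned files that slapd (-u ldap) cannot open
        ["chown", "-R", "ldap:ldap", slapd_d, data_dir],
        ["systemctl", "start", "slapd.service"],
        ["systemctl", "is-active", "slapd.service"],
    ]


def run(commands, execute=False):
    """Return the plan as shell-quoted lines; with execute=True also run each step,
    stopping at the first non-zero exit status."""
    plan = []
    for argv in commands:
        plan.append(shlex.join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return plan


if __name__ == "__main__":
    # Dry run with the export file name used on the page; pass execute=True on the server.
    for line in run(rebuild_commands("/root/jour-2020-01-21.ldif", "dc=int,dc=fr")):
        print(line)
```

The page's slapadd used `-f slapd.conf`; the example loads against the regenerated `-F slapd.d` instead so the bulk load sees exactly the OLC that slapd will start with.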

Configuration admin

Creating a configuration administrator account independent of the example database

Via slapd.conf

database config
rootdn          "cn=admin,cn=config"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}SECRETZzjM1yPZj30m9vSECRET