Red Hat (RHEL8) no longer ships openldap-servers:
vi /etc/yum.repos.d/ltb-project.repo
[root@ldapex ~]# cat /etc/yum.repos.d/ltb-project.repo
[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
[root@ldapex ~]# yum update
LTB project packages                                          37 kB/s |  40 kB     00:01
[root@ldapex ~]# rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
[root@ldapex ~]# yum install openldap-ltb
Dernière vérification de l’expiration des métadonnées effectuée il y a 0:01:34 le jeu. 09 janv. 2020 21:40:13 CET.
Dépendances résolues.
==========================================================================================================
 Paquet                 Architecture     Version                         Dépôt              Taille
==========================================================================================================
Installing:
 openldap-ltb           x86_64           2.4.48-2.el8                    ltb-project        2.9 M
Installation des dépendances:
 libtool-ltdl           x86_64           2.4.6-25.el8                    BaseOS              58 k
 berkeleydb-ltb         x86_64           4.6.21.NC-4.el8.patch4          ltb-project        5.7 M

Résumé de la transaction
==========================================================================================================
Installer  3 Paquets

Taille totale des téléchargements : 8.6 M
Taille des paquets installés : 38 M

Installé:
  openldap-ltb-2.4.48-2.el8.x86_64   libtool-ltdl-2.4.6-25.el8.x86_64   berkeleydb-ltb-4.6.21.NC-4.el8.patch4.x86_64
The whole openldap-servers installation lives under /usr/local/openldap!
[root@ldapex ~]# systemctl status slapd.service
● slapd.service - OpenLDAP LTB startup script
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://ltb-project.org/documentation
https://ltb-project.org/documentation/general/migrate_slapd_conf_cn_config
[root@ldapfr8 ~]# mkdir /usr/local/openldap/etc/openldap/slapd.d
[root@ldapfr8 ~]# cp /usr/local/openldap/etc/openldap/slapd.conf /usr/local/openldap/etc/openldap/slapd.conf.dist
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# ls -l /usr/local/openldap/var/openldap-data
-rw-r--r-- 1 ldap ldap 924 29 août  20:52 DB_CONFIG
-rw------- 1 ldap ldap 845 29 août  20:52 DB_CONFIG.example
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d -d 256
5e1796ed mdb_db_open: database "dc=int,dc=fr" cannot be opened: No such file or directory (2). Restore from backup!
5e1796ed backend_startup_one (type=mdb, suffix="dc=int,dc=fr"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@ldapfr8 ~]# chown -R ldap.ldap /usr/local/openldap/etc/openldap/slapd.d
Access to cn=config must be declared explicitly so that peercred authentication (-Y EXTERNAL) over ldapi works:
https://serverfault.com/questions/938235/openldap-cn-config-no-such-object-32
So the system root identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth must be granted access to cn=config in slapd.conf; while at it, also declare the monitor database for future monitoring.
## JP enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * read

##JP enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact=cn=manager,dc=int,dc=fr read
        by * none
Resulting OLC:
[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config
total 108
-rw------- 1 ldap ldap 86116 10 janv. 18:28 'cn=schema.ldif'
drwxr-x--- 2 ldap ldap  4096 10 janv. 18:28 'cn=schema'
-rw------- 1 ldap ldap   689 10 janv. 18:28 'olcDatabase={2}monitor.ldif'
-rw------- 1 ldap ldap   846 10 janv. 18:28 'olcDatabase={1}mdb.ldif'
-rw------- 1 ldap ldap   596 10 janv. 18:28 'olcDatabase={-1}frontend.ldif'
-rw------- 1 ldap ldap   663 10 janv. 18:28 'olcDatabase={0}config.ldif'
Update the configuration path in /usr/local/openldap/etc/openldap/slapd-cli.conf:
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd-cli.conf
[root@ldapfr8 ~]# grep SLAPD_CONF_DIR /usr/local/openldap/etc/openldap/slapd-cli.conf
SLAPD_CONF_DIR="$SLAPD_PATH/etc/openldap/slapd.d"
[root@ldapfr8 ~]# systemctl start slapd.service
[root@ldapfr8 ~]# systemctl status slapd.service
● slapd.service - OpenLDAP LTB startup script
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-09 22:19:11 CET; 2s ago
     Docs: https://ltb-project.org/documentation
  Process: 922 ExecStart=/usr/local/openldap/sbin/slapd-cli start (code=exited, status=0/SUCCESS)
 Main PID: 954 (slapd)
    Tasks: 2 (limit: 26213)
   Memory: 5.0M
   CGroup: /system.slice/slapd.service
           └─954 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/loca>

janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configura>
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Create LDAPI socket dir /var/run/slapd
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP configuration test...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP configuration test successful
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] No db_recover done
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] File descriptor limit set to 1024
janv. 09 22:19:10 ldapfr8 slapd[953]: @(#) $OpenLDAP: slapd 2.4.48 (Aug 29 2019 14:52:08) $ clement@kptn-rhel8.example.com:/home/clement/build/BUILD/openldap-2.4.48/servers/>
janv. 09 22:19:11 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP started
janv. 09 22:19:11 ldapfr8 systemd[1]: Started OpenLDAP LTB startup script.
mdb database
[root@ldapfr8 ~]# ls -ltr /usr/local/openldap/var/openldap-data
total 24
-rw------- 1 ldap ldap   845 29 août  20:52 DB_CONFIG.example
-rw-r--r-- 1 ldap ldap   924 29 août  20:52 DB_CONFIG
-rw------- 1 ldap ldap  8192  9 janv. 22:19 lock.mdb
-rw------- 1 ldap ldap 12288  9 janv. 22:19 data.mdb
Only the core schema is present by default:
[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config/cn\=schema
total 16
-rw------- 1 ldap ldap 15546 10 janv. 12:21 'cn={0}core.ldif'
The RootDSE does list our initial MDB base:
[root@ldap8 ~]# ldapsearch -H ldap:// -x -s base -b "" -LLL "+"
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=int,dc=fr
monitorContext: cn=Monitor
...
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
Querying the base configuration context cn=config over a SASL connection (-Y) on a Unix socket (ldapi), displaying only the DNs (no attributes; drop the trailing "dn" to see the details). Here ldapi listens on the socket
ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
(see slapd-cli.conf and the ps auwx output below).
[root@ldap8 openldap]# ps auwx | grep slapd
ldap      1971  0.0  0.8 1281088 4268 ?        Ssl  18:28   0:00 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
root      1983  0.0  0.1  221840  716 pts/0    S+   18:34   0:00 grep --color=auto slapd
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}monitor,cn=config
Global parameters of the OpenLDAP service, which apply to every sub-context / DIT:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0
Base LDAP admin account:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=int,dc=fr
olcRootDN: cn=manager,dc=int,dc=fr
olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/0
Adding schemas through slapd.conf and converting them to the dynamic cn=config:
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/duaconf.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/java.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap/etc/openldap/schema/collective.schema
include /usr/local/openldap/etc/openldap/schema/supann-2019-02-05.schema
include /usr/local/openldap/etc/openldap/schema/eduperson-200412.schema
include /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
include /usr/local/openldap/etc/openldap/schema/autofs.schema
Result after stopping slapd, converting with
/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d
and then starting slapd again:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}corba,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: cn={12}supann-2019-02-05,cn=schema,cn=config
dn: cn={13}eduperson-200412,cn=schema,cn=config
dn: cn={14}schac-20090326-1,cn=schema,cn=config
dn: cn={15}samba,cn=schema,cn=config
dn: cn={16}autofs,cn=schema,cn=config
Root LDIF file of the tree:
# cat /root/Ldifs/root-tree-int.ldif
dn: dc=int,dc=fr
dc: int
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: int.fr
[root@ldap8 openldap]# ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -f /root/Ldifs/root-tree-int.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=int,dc=fr"
For a migration, the content of the existing directory must be recovered from an LDIF export of the old instance and imported into the new one. In that case the root entry above is not needed; on the contrary, it will cause a conflict if it already exists (otherwise, remove it from the import LDIF).
Starting from scratch and rebuilding the whole directory with a script (useful when the operation is repeated):
Empty the DB files after stopping slapd. This destroys the whole directory:
[root@ldap8 var]# systemctl stop slapd.service
[root@ldap8 var]# rm openldap-data/*
rm : supprimer 'openldap-data/data.mdb' du type fichier ? y
rm : supprimer 'openldap-data/lock.mdb' du type fichier ? y
Rebuilding the dynamic configuration (OLC) from a slapd.conf:
[root@ldap8 openldap]# ./olcgene.sh
5e2af9bf /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
config file testing succeeded
Job for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.
[root@ldap8 openldap]# time /usr/local/openldap/sbin/slapadd -l /root/jour-2020-01-21.ldif -f /usr/local/openldap/etc/openldap/slapd.conf -b "dc=int,dc=fr"
5e2af79d /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
.#################### 100.00% eta   none elapsed            08s spd  20.1 M/s
Closing DB...

real	0m8,837s
user	0m2,902s
sys	0m4,095s
[root@ldap8 openldap]#
Creating a configuration administrator account independent of the example database
via slapd.conf:
database config
rootdn "cn=admin,cn=config"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}SECRETZzjM1yPZj30m9vSECRET
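Both rootpw values on this page (the olcRootPW of the mdb database seen earlier and the config rootpw just above) are stored as {SSHA}, the default output of slappasswd(8). Since these values live in cn=config, the read rule on "database config" decides who can retrieve them. The script below is an added example, not code from the page or the OpenLDAP project: it parses the LDIF that the earlier "(olcRootDN=*)" ldapsearch prints, flags any rootpw that is cleartext or uses an unsalted/legacy scheme, and implements the {SSHA} format (base64 of SHA-1(password || salt) followed by the 4-byte salt) so a hash can be checked against a password offline. The sample LDIF is constructed and its hash is generated by the script itself.

```python
#!/usr/bin/env python3
"""Added example: audit rootdn password storage in cn=config and verify {SSHA} values.

Input is the LDIF from
  ldapsearch -H ldapi://... -Y EXTERNAL -b cn=config "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
"""
import base64
import hashlib
import hmac
import os
import re

# Schemes slapd accepts in rootpw/userPassword that should not be used for new secrets.
WEAK_SCHEMES = {"CLEARTEXT", "CRYPT", "MD5", "SMD5", "SHA"}


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch -LLL output: folded lines (leading space)
    are unfolded, '::' values are base64-decoded, blank lines separate entries.
    Returns a list of {attr: [values]} dicts; change records are not handled."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines.append("")  # flush the last entry
    for line in lines:
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def password_scheme(value):
    """'{SSHA}...' -> 'SSHA'; a value with no {SCHEME} prefix is stored in cleartext."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"


def audit_rootpw(ldif_text):
    """One finding per database that carries an olcRootPW: (dn, scheme, acceptable)."""
    findings = []
    for entry in parse_ldif(ldif_text):
        for pw in entry.get("olcRootPW", []):
            scheme = password_scheme(pw)
            findings.append((entry["dn"][0], scheme, scheme not in WEAK_SCHEMES))
    return findings


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64( sha1(password || salt) || salt ); slappasswd uses a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute the digest with the salt recovered from the stored value."""
    if password_scheme(stored) != "SSHA":
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed sample shaped like the page's ldapsearch output; the {SSHA} value is
# generated here with a fixed salt, the second database deliberately has a cleartext rootpw.
SALT = bytes([1, 2, 3, 4])
SAMPLE = (
    "dn: olcDatabase={0}config,cn=config\n"
    "olcRootDN: cn=config\n"
    "\n"
    "dn: olcDatabase={1}mdb,cn=config\n"
    "olcSuffix: dc=int,dc=fr\n"
    "olcRootDN: cn=manager,dc=int,dc=fr\n"
    "olcRootPW: " + ssha_hash("manager-secret", SALT) + "\n"
    "\n"
    "dn: olcDatabase={2}mdb,cn=config\n"
    "olcSuffix: dc=example,dc=org\n"
    "olcRootDN: cn=manager,dc=example,dc=org\n"
    "olcRootPW: secret\n"
)

if __name__ == "__main__":
    import sys
    # pipe the ldapsearch output in, or run without input to audit the constructed sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for dn, scheme, ok in audit_rootpw(text):
        print(f"{'OK  ' if ok else 'WEAK'} {scheme:<10} {dn}")
```

Piping the real ldapsearch output through it gives one line per database; anything reported WEAK should be regenerated with slappasswd and, once the rootdn is rarely needed, the rootpw can be dropped in favour of the peercred identity the page already grants on cn=config.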