OpenLDAP directory with OLC + LSC

References

Server and client packages

yum install openldap-servers openldap-clients

systemctl start slapd.service

Base configuration

Directory layout

/etc/openldap/slapd.d/ contains the online (dynamic) configuration:

[root@idm ~]# ls -l /etc/openldap/slapd.d/cn\=config
total 24
drwxr-x--- 2 ldap ldap 4096 16 mars  17:29 cn=schema
-rw------- 1 ldap ldap  378 16 mars  17:29 cn=schema.ldif
-rw------- 1 ldap ldap  513 16 mars  17:29 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap  443 16 mars  17:29 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap  562 16 mars  17:29 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap  609 16 mars  17:29 olcDatabase={2}hdb.ldif

The LDAP schemas are in /etc/openldap/slapd.d/cn=config/cn=schema/

Only core is there by default:

[root@idm ~]# ls -l /etc/openldap/slapd.d/cn\=config/cn\=schema/
total 16
-rw------- 1 ldap ldap 15578 16 mars  17:29 cn={0}core.ldif

rootDSE

Root of the OpenLDAP server (the rootDSE; "+" requests the operational attributes):

[root@idm ~]# ldapsearch -H ldap:// -x -s base -b "" -LLL "+"
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
monitorContext: cn=Monitor
namingContexts: dc=my-domain,dc=com

Querying the configuration context cn=config over a SASL EXTERNAL bind (-Y) on the unix socket (ldapi://), listing only the DNs (drop the trailing dn to see the attributes):

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config

Global parameters

Global parameters of the OpenLDAP service, applied to all sub-contexts / DITs:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password

LDAP admin account

Default LDAP admin account (rootdn of the example database; note that no olcRootPW is set, so cn=Manager cannot bind until one is added):

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com

Schemas

By default a single schema, "core", is loaded by the CentOS openldap-servers package:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config

Adding schemas

[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

Converting a schema to LDIF

When the LDIF definition of a schema is not available, it has to be generated from the .schema file with slaptest, using a minimal configuration that includes the schemas in dependency order:

[root@idm schema]# cat schema_conv.conf
include ./core.schema
include ./eduperson-200412.schema
include ./schac-20090326-1.4.0.schema
include ./supann_2009.schema

Although core is already available in LDIF, "core.schema" is included because it defines telephoneNumber, which supann_2009 uses.

[root@idm schema]# slaptest -f ./schema_conv.conf -F /tmp/ldif

[root@idm schema]# ls /tmp/ldif/cn\=config/cn\=schema
cn={0}core.ldif              cn={1}eduperson-200412.ldif  cn={2}schac-20090326-1.ldif
cn={0}eduperson-200412.ldif  cn={1}schac-20090326-1.ldif  cn={3}supann_2009.ldif

In the temporary directory, edit the LDIF file of the schema to integrate: append cn=schema,cn=config to the dn on the first line and drop the ordering index {0}; do the same in the cn attribute.

Example:

dn: cn=schac-20090326-1,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schac-20090326-1

and remove all the operational attributes at the end of the file (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp); slapd generates them itself when the entry is added and refuses an LDIF that supplies them.

All that remains is to copy the modified file into the schema directory and load it into the config:

cp /tmp/ldif/cn\=config/cn\=schema/cn\=\{1\}schac-20090326-1.ldif /etc/openldap/schema/
[root@idm cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cn\=\{1\}schac-20090326-1.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=schac-20090326-1,cn=schema,cn=config"

then the same for nis.ldif, inetorgperson.ldif, misc.ldif, supann_2009.ldif, schac-20090326-1.ldif and eduperson-200412.ldif (the listing below shows that ppolicy was loaded as well):

[root@idm cn=schema]#  ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}misc,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}supann_2009,cn=schema,cn=config
dn: cn={7}eduperson-200412,cn=schema,cn=config
dn: cn={8}schac-20090326-1,cn=schema,cn=config
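Doing that edit by hand for every schema is tedious and easy to get wrong. The shell function below automates the three steps (rewrite the dn, drop the {n} index from dn and cn, strip the operational attributes). It is an added example, not part of the original page and not an OpenLDAP tool; it assumes the slaptest output layout shown above, and the sample it converts is a constructed minimal schema (placeholder OID and attribute name, not a real schema):

```sh
#!/bin/sh
# Added example: convert a slaptest-generated schema LDIF (cn={N}name.ldif)
# into one that ldapadd can load under cn=schema,cn=config.
# Assumes the slaptest layout shown above: "dn: cn={N}name", "cn: {N}name",
# operational attributes at the end, continuation lines starting with a space.

olc_schema_ldif() {   # usage: olc_schema_ldif INPUT OUTPUT
  awk '
    # slaptest header comments carry a CRC of the original file: drop them
    /^# (AUTO-GENERATED|CRC32)/ { next }
    # "dn: cn={N}name" -> "dn: cn=name,cn=schema,cn=config"
    /^dn: cn=[{][0-9]+[}]/ { sub(/[{][0-9]+[}]/, ""); print $0 ",cn=schema,cn=config"; next }
    # "cn: {N}name" -> "cn: name" (slapd assigns the index itself on add)
    /^cn: [{][0-9]+[}]/ { sub(/[{][0-9]+[}]/, ""); print; next }
    # operational attributes are NO-USER-MODIFICATION: ldapadd would be refused
    /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): / { next }
    { print }
  ' "$1" > "$2"
}

# Constructed sample in the shape slaptest writes (placeholder OID, not a real schema).
write_sample_schema() {   # usage: write_sample_schema PATH
  cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={1}demo
objectClass: olcSchemaConfig
cn: {1}demo
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'demoAttr' DESC 'placeholder a
 ttribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20170316172900Z
entryCSN: 20170316172900.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170316172900Z
EOF
}

# Demo: convert the sample and print the loadable result.
demo_dir=$(mktemp -d)
write_sample_schema "$demo_dir/cn={1}demo.ldif"
olc_schema_ldif "$demo_dir/cn={1}demo.ldif" "$demo_dir/demo.ldif"
cat "$demo_dir/demo.ldif"
rm -rf "$demo_dir"
```

On the server the call is olc_schema_ldif /tmp/ldif/cn=config/cn=schema/cn={1}schac-20090326-1.ldif /etc/openldap/schema/schac.ldif followed by the ldapadd -Y EXTERNAL -H ldapi:/// shown above; continuation lines (leading space) are passed through untouched, so long attribute definitions stay valid LDIF.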

Databases

Default list of databases; the frontend database is a pseudo-database used to define parameters common to all databases (unless a database overrides them).

The special frontend database is always numbered “{-1}” and the config database is always numbered “{0}”.

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config

The example database:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={2}hdb,cn=config" -LLL -Q -s base 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

Definition of the default access: manage (full) access for the local root user over the ldapi socket, nothing for anyone else:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={0}config,cn=config" -LLL -Q 
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none

ldapvi

It is convenient (but risky ...) to edit the config directly with ldapvi:

[root@idm ~]# yum install ldapvi 

Config admin

Creating a configuration administrator account independent of the example database.

ref: https://gos.si/blog/installing-openldap-on-debian-squeeze-with-olc/

Password

Generating a password hash (SSHA, salted SHA-1, the slappasswd default). slappasswd does not echo what is typed; the password appears in the transcript only for readability:

[root@idm ~]# slappasswd
New password: unpassldap
Re-enter new password: unpassldap
{SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii

rootDN

[root@idm ~]# cat rootDNConfig.ldif
# uncomment this part, if there is no olcRootDN present
# use replace instead of add, if you want to change the root dn
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii

Adding the rootDN

Applying this modification (ldapadd is ldapmodify -a, so changetype: modify records are accepted):

[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f rootDNConfig.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

Checking our change:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={0}config,cn=config" -LLL olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii

Checking an LDAP query on the config with our new administrator (simple bind with -D/-W):

[root@idm ~]#  ldapsearch -b cn=config -D cn=admin,cn=config -W olcRootDN=* olcRootDN -LLL
Enter LDAP Password: 
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=Manager,dc=my-domain,dc=com

Firewall

Opening 389 and 636 to the local subnet only (each rich rule also logs its matches with the given prefix). Port 389 stays usable in cleartext; the TLS section below covers StartTLS:

[root@idm ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=389 protocol=tcp log prefix="389" accept'
success
[root@idm ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=636 protocol=tcp log prefix="636" accept'
success
[root@idm ~]# firewall-cmd --reload
success
[root@idm ~]# firewall-cmd --list-all

Access ACLs

By default the access control looks like this:

[root@idm ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config

So: manage access on olcDatabase={0}config for the local system user (uid=0/gid=0 over ldapi), read access on {1}monitor for that user and for cn=Manager, and no olcAccess at all on {2}hdb, where the slapd default then applies (read for everyone, writes only by the rootdn).

Let's open access to our home-made admin cn=admin,cn=config:

[root@idm ~]# cat olcAdminConfigAccess.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn="cn=admin,cn=config" write by * none

[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f olcAdminConfigAccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

Now cn=admin,cn=config has access to the configuration branch:

[root@idm ~]# ldapsearch -H ldap://idm.int-evry.fr -b cn=config -D cn=admin,cn=config -W olcRootDN=* olcAccess -LLL
Enter LDAP Password: 
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by dn="cn=admin,cn=config" write by * none

dn: olcDatabase={2}hdb,cn=config

Remote config access

ref: https://gauvain.pocentek.net/docs/cn-config-admin/

By default there is no global/remote opening of cn=config; the frontend database, whose settings the other databases inherit, carries no ACL:

[root@idm ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={-1}frontend,cn=config" -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend

It is therefore also possible to grant this access globally (the frontend is a meta-database whose ACLs are appended after each database's own rules). Caveat: this rule ends with by * none, so it also closes every database that defines no olcAccess of its own (the example hdb database here) and gives cn=admin,cn=config write access to its data:

[root@idm ~]# cat olcRemoteFrontendAccess.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn="cn=admin,cn=config" write by * none

[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:///  -f olcRemoteFrontendAccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"

Apache Directory Studio access

Now an LDAP browser (Apache Directory Studio here) can display the whole tree graphically:

TLS access

To encrypt LDAP exchanges, the server needs a certificate (self-signed or from a CA, DigiCert here). The private key must be readable by the ldap user slapd runs as, and by nobody else:

[root@idm ~]# cat olcTLS.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/star_domain_fr.crt

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/star_digicert_domain_fr.key

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/DigiCertCA.crt


[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f  olcTLS.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

Configure the system (CentOS 7 here) so that slapd also listens on ldaps (add "ldaps:///" to SLAPD_URLS), then restart slapd (systemctl restart slapd). The ldap:/// listener still accepts cleartext; to force encryption there as well, require TLS with olcSecurity (for instance olcSecurity: tls=1) on the databases reachable over the network, keeping in mind that the same check rejects ldapi:// connections, which carry no TLS, so do not set it on cn=config if root must keep using ldapi:

[root@idm ~]# grep ldaps /etc/sysconfig/slapd
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

ldapsearch test with StartTLS (-ZZ: require StartTLS and fail if it cannot be established):

# ldapsearch -x -LLL -H ldap://idm.domain.fr -ZZ -b cn=config -D cn=admin,cn=config -W 

MDB database

Definition of the database (mdb, the recommended backend; hdb is deprecated). The rootdn gets a password hash here, and the ACLs close everything except authentication against userPassword and a read of the rootDSE:

[root@idm ~]# cat olcMDBdatabase1.ldif 
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap/id
olcSuffix: dc=id,dc=fr
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * none
olcLastMod: TRUE
olcMonitoring: TRUE
olcRootDN: cn=admin,dc=id,dc=fr
olcRootPW: {SSHA}GjYMfSqAcBMf3h3A28b08RG1qAckkYT4
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

Preparing the storage directory:

[root@idm ~]# mkdir /var/lib/ldap/id
[root@idm ~]# chown ldap:ldap /var/lib/ldap/id

Creation:

[root@idm ~]# ldapadd -D 'cn=admin,cn=config' -W -x -f olcMDBdatabase1.ldif
Enter LDAP Password: 
adding new entry "olcDatabase={1}mdb,cn=config"

Our new database has been integrated (olcDatabase is X-ORDERED: the monitor and hdb databases were renumbered {2} and {3}):

[root@idm ~]#  ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}monitor,cn=config
dn: olcDatabase={3}hdb,cn=config

[root@idm ~]# ls -ltr /var/lib/ldap/id/
total 16
-rw------- 1 ldap ldap  8192  1 avril 16:57 lock.mdb
-rw------- 1 ldap ldap 12288  1 avril 16:57 data.mdb

Integrating the root entry:

[root@idm ~]# cat root-id.ldif
# id 
dn: dc=id,dc=fr
dc: id
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: id.fr

[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f root-id.ldif
Enter LDAP Password: 
adding new entry "dc=id,dc=fr"

Check:

[root@idm ~]# ldapsearch -H ldap://idm.int-evry.fr -b dc=id,dc=fr -D cn=admin,dc=id,dc=fr -W objectclass=* -LLL
Enter LDAP Password: 
dn: dc=id,dc=fr
dc: id
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: id.fr

Integrating the branches

Creating the sub-branches of our directory, system, mte and mtp, with an ou=people under the last two:

[root@idm ~]# cat system-idm-ous.ldif
dn: ou=system,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: system

dn: ou=mte,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
# the RDN value must be present in the entry; extra values are allowed
ou: mte
ou: dsi-mte

dn: ou=people,ou=mte,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=mtp,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
# the RDN value must be present in the entry; extra values are allowed
ou: mtp
ou: dsi-mtp

dn: ou=people,ou=mtp,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people

[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f system-idm-ous.ldif 
Enter LDAP Password: 
adding new entry "ou=system,dc=id,dc=fr"
adding new entry "ou=mte,dc=id,dc=fr"
adding new entry "ou=people,ou=mte,dc=id,dc=fr"
adding new entry "ou=mtp,dc=id,dc=fr"
adding new entry "ou=people,ou=mtp,dc=id,dc=fr"

Database-specific ACLs

We grant precise access on each subtree and attribute set, anticipating a privileged synchronization user (write access for cn=syncuser, see LSC below). olcAccess is an X-ORDERED attribute: an add: with an explicit {n} inserts the rule at that position and renumbers those that follow, it does not overwrite rule n. If the database already carries rules (the three from olcMDBdatabase1.ldif above), delete them first or use replace: olcAccess with the complete list, otherwise the old catch-all to * by * none ends up in the middle and shadows every rule after it.

LDIF file:

[root@idm ~]# cat olcAccessModId.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
-
add: olcAccess
olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannListeRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,eduPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipale,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPersonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgUnitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supannEtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self read by * none
-
add: olcAccess
olcAccess: {3}to * by * none

Execution:

[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccessModId.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check:

[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" -LLL  olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by * none
olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN 
 by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannLis
 teRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description
 ,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,ed
 uPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipal
 e,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPe
 rsonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgU
 nitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supann
 EtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self r
 ead by * none
olcAccess: {3}to * by * none

If a rule has to be removed, example LDIF deleting rule 3 (for an X-ORDERED attribute the index alone identifies the value; the remaining rules are renumbered):

[root@idm ~]# cat olcAccessDelId.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {3}
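Checking a database's ACLs by eye is error-prone: ldapsearch folds long olcAccess values (as in the output above) and only the order of the rules matters. The shell below, an added example that is not part of the page or of OpenLDAP, unfolds the LDIF and lints the rules: the userPassword rule must not sit after a catch-all "to *" rule (it would never be reached), no rule may grant write or manage to * or to anonymous, and the list must end with an explicit to * by * none. The two inputs it checks are constructed: a shortened copy of the mdb rules above, and a deliberately bad ordering.

```sh
#!/bin/sh
# Added example: unfold "ldapsearch -LLL ... olcAccess" output and lint the rules.
# Assumes the output shape shown above (continuation lines start with one space).

ldif_unfold() {   # join LDIF continuation lines; stdin -> stdout
  awk '
    /^ /  { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END   { if (buf != "") print buf }
  '
}

acl_rules() {     # keep only the olcAccess values, in order
  ldif_unfold | sed -n 's/^olcAccess: //p'
}

acl_lint() {      # stdin: ldapsearch output; prints findings, exit 1 if any
  acl_rules | awk '
    { rules[++n] = $0; match($0, /^[{][0-9]+[}]/); id[n] = substr($0, 1, RLENGTH) }
    END {
      findings = 0; pw = 0; catchall = 0
      for (i = 1; i <= n; i++) {
        r = rules[i]
        # first rule whose <what> is "to *": every rule after it is unreachable
        if (catchall == 0 && r ~ /^[{][0-9]+[}]to \* /) catchall = i
        if (pw == 0 && r ~ /attrs=[^ ]*userPassword/) pw = i
        if (r ~ /by (\*|anonymous) (write|manage)/) {
          print "rule " id[i] ": everyone or anonymous may write"; findings++
        }
      }
      if (pw > 0 && catchall > 0 && pw > catchall) {
        print "rule " id[pw] ": userPassword rule is shadowed by catch-all rule " id[catchall]; findings++
      }
      if (n == 0 || rules[n] !~ /^[{][0-9]+[}]to \* by \* none$/) {
        print "last rule is not an explicit catch-all deny (to * by * none)"; findings++
      }
      exit (findings > 0 ? 1 : 0)
    }
  '
}

# Constructed sample 1: the mdb rules above, attribute list shortened.
sample_acl_good() {
  cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by * none
olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=sys
 tem,dc=id,dc=fr" write
olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,mail,entry,objectclass by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self read by * none
olcAccess: {3}to * by * none
EOF
}

# Constructed sample 2: a catch-all placed before the password rule.
sample_acl_bad() {
  cat <<'EOF'
dn: olcDatabase={3}hdb,cn=config
olcAccess: {0}to * by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
EOF
}

sample_acl_good | acl_lint && echo "good sample: no findings"
sample_acl_bad | acl_lint || echo "bad sample: see findings above"
```

On the server, pipe the real output into it: ldapsearch -H ldapi:// -Y EXTERNAL -Q -LLL -b "olcDatabase={1}mdb,cn=config" olcAccess | acl_lint. The lint only reads text, so it can also run on an LDIF you are about to apply, before the rules go live.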

LSC project synchronization

Installation and basics

Repository definition for installation via yum:

[root@idm ~]# cat /etc/yum.repos.d/lsc-project.repo
[lsc-project]
name=LSC project packages
baseurl=http://lsc-project.org/rpm/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Importing the key (fetched over plain http here: compare its fingerprint with the one the project publishes before trusting it, since gpgcheck=1 is only as strong as this key):

[root@idm ~]# rpm --import http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

Installation:

[root@idm ~]#  yum install lsc
Total download size: 32 M
Taille d'installation : 36 M
Is this ok [y/d/N]: y

Installed:
  lsc.noarch 0:2.1.4-0.el5
Complete!

Checking that Java is present:

[root@idm ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64

[root@idm ~]# java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)

LSC ldap2ldap sync configuration

The principle here is to synchronize institution LDAP directories into a shared directory that merges them, each institution in its own sub-branch.

Here, the object classes and attributes that a white-pages directory does not need are excluded via the <dataset> objectclass (see lsc.xml below).

Sync account

Create the account that will perform the synchronizations (it gets write access on the sub-branches through the ACLs above):

[root@idm ~]# cat syncuser.ldif
dn: cn=syncuser,ou=system,dc=id,dc=fr
objectclass: inetOrgPerson
cn: syncuser
sn: sync 
uid: syncuser
userpassword: {SSHA}l4UjRTkoPJ3IBE95paVKB8Rk8s530bBO
ou: system

[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f syncuser.ldif
Enter LDAP Password: 
adding new entry "cn=syncuser,ou=system,dc=id,dc=fr"

If the password is lost and the entry has to be recreated ⇒ ldapdelete:

[root@idm ~]#  ldapdelete -H ldap://idm.tem-tsp.eu -D "cn=admin,dc=id,dc=fr" -W -x  cn=syncuser,ou=system,dc=id,dc=fr
Enter LDAP Password: 

Creating the working directory

One working tree per entity to integrate, here the entity mte:

[root@idm ~]# cd /etc/lsc/
[root@idm lsc]# mkdir ldap-mte2id
[root@idm lsc]# cp lsc.xml ldap-mte2id
[root@idm lsc]# cd ldap-mte2id

LSC logic

lsc.xml

Example configuration of an ldap-to-ldap synchronization:

lsc.xml

Running LSC:

[root@idm ldap-mte2id]# lsc -s user --config /etc/lsc/ldap-mte2id/
20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldap-mte2id/logback.xml]
20:27:22,074 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
...
avr. 03 20:27:22 - INFO  - Reflections took 68 ms to scan 1 urls, producing 56 keys and 117 values 
avr. 03 20:27:22 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap-mte2id/logback.xml 
avr. 03 20:27:22 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap-mte2id/
avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://localhost:389/dc=id,dc=fr as cn=syncid,ou=system,dc=idm,dc=fr
avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://ldapmte.idm.fr:389/dc=mte,dc=fr as cn=syncuser,ou=System,dc=mte,dc=fr
avr. 03 20:27:22 - INFO  - Starting sync for user
avr. 03 20:27:24 - INFO  - # Adding new object eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr for user
# Mon Apr 03 20:27:24 UTC 2017
dn: eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr
changetype: add
supannListeRouge: FALSE
...
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: supannPerson
objectClass: eduPerson
objectClass: organizationalPerson
objectClass: labeledURIObject
supanncivilite: M.
...
sn: PROC

avr. 03 20:27:24 - INFO  - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0

Associated slapd logs. Two things to notice: the sync user binds with mech=SIMPLE over plain ldap:// (password in clear, tolerable here only because the connection comes from 127.0.0.1), and the "not indexed" line: LSC looks entries up by eduPersonPrincipalName, so an olcDbIndex: eduPersonPrincipalName eq should be added to the mdb database, otherwise every lookup scans the whole subtree:

Apr  3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 RESULT tag=97 err=0 text=
Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH base="ou=people,ou=mte,dc=id,dc=fr" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(eduPersonPrincipalName=proc@tm-tp.eu))"
Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH attr=description cn sn userPassword objectClass uid mail departmentNumber employeeType givenName telephoneNumber mobile LabeledURI postalAddress title jpegphoto edupersonAffiliation eduPersonPrincipalName supanncivilite supannListeRouge supannEntiteAffectation
Apr  3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 ADD dn="eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr"
Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 RESULT tag=105 err=0 text=
Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=3 UNBIND
Apr  3 20:27:24 idm slapd[4786]: conn=1207 fd=25 closed
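The log above is enough to build a small audit: correlate each connection's ACCEPT line (client address and listener) with its BIND lines and report simple binds from non-loopback clients that were not protected by TLS, and collect the attributes slapd reports as unindexed. Note that the ssf=0 on a BIND line is the SASL security strength, not the TLS one, so a simple bind over StartTLS also logs ssf=0; the script therefore looks for a "TLS established" line or an ldaps listener on the connection instead. This is an added example, not part of the page or of OpenLDAP; it assumes the syslog line shapes shown above plus the standard "TLS established" and ldaps/ldapi ACCEPT lines, and the sample log it processes is constructed (the conn=1207 lines above plus three made-up connections).

```sh
#!/bin/sh
# Added example: audit slapd stats logs (loglevel 256 lines as above) for simple
# binds whose password crossed the network without TLS, and list attributes that
# slapd reports as not indexed. Assumes the syslog line shapes shown above plus
# the standard "TLS established" and ldaps-listener ACCEPT lines.

audit_cleartext_binds() {   # stdin: slapd log lines -> one line per finding
  awk '
    function conn_id(   i) { for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) return $i; return "" }
    / ACCEPT from / {
      c = conn_id()
      # client address: "IP=a.b.c.d:port", "IP=[v6addr]:port" or PATH= (ldapi socket)
      if ($0 ~ /ACCEPT from PATH=/) {
        src[c] = "local"
      } else {
        match($0, /ACCEPT from IP=[^ ]+/); a = substr($0, RSTART + 15, RLENGTH - 15)
        if (a ~ /^\[/) { sub(/^\[/, "", a); sub(/\].*$/, "", a) } else { sub(/:[0-9]+$/, "", a) }
        src[c] = a
      }
      # "(IP=0.0.0.0:636)" at the end names the listener: ldaps is encrypted from the start
      match($0, /:[0-9]+\)$/); port = substr($0, RSTART + 1, RLENGTH - 2)
      tls[c] = (port == "636")
      next
    }
    # StartTLS negotiated on an ldap:// connection
    / TLS established / { tls[conn_id()] = 1; next }
    # mech=SIMPLE sends the password as-is; the ssf on this line is the SASL ssf, not TLS
    / BIND dn=/ && / mech=SIMPLE / {
      c = conn_id()
      if (tls[c]) next
      if (src[c] == "local" || src[c] == "127.0.0.1" || src[c] == "::1") next
      match($0, /dn="[^"]*"/); dn = substr($0, RSTART, RLENGTH)
      print c " ip=" src[c] " " dn " simple bind without TLS"
    }
  '
}

unindexed_attrs() {         # attributes slapd complains about, deduplicated
  sed -n 's/.*_candidates: (\([^)]*\)) not indexed.*/\1/p' | sort -u
}

# Constructed sample: the conn=1207 lines above plus a remote client binding in
# clear, a remote client binding after StartTLS, and a local ldapi connection.
sample_slapd_log() {
  cat <<'EOF'
Apr  3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
Apr  3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
Apr  3 20:27:30 idm slapd[4786]: conn=1208 fd=26 ACCEPT from IP=192.168.0.42:51234 (IP=0.0.0.0:389)
Apr  3 20:27:30 idm slapd[4786]: conn=1208 op=0 BIND dn="cn=admin,cn=config" method=128
Apr  3 20:27:30 idm slapd[4786]: conn=1208 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0
Apr  3 20:27:41 idm slapd[4786]: conn=1209 fd=27 ACCEPT from IP=192.168.0.43:51240 (IP=0.0.0.0:389)
Apr  3 20:27:41 idm slapd[4786]: conn=1209 op=0 STARTTLS
Apr  3 20:27:41 idm slapd[4786]: conn=1209 fd=27 TLS established tls_ssf=256 ssf=256
Apr  3 20:27:41 idm slapd[4786]: conn=1209 op=1 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0
Apr  3 20:27:50 idm slapd[4786]: conn=1210 fd=28 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Apr  3 20:27:50 idm slapd[4786]: conn=1210 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0
Apr  3 20:27:55 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
EOF
}

sample_slapd_log | audit_cleartext_binds
sample_slapd_log | unindexed_attrs
```

On the server, feed it the syslog file that receives slapd's local4 messages (audit_cleartext_binds < /var/log/messages on a default CentOS 7 rsyslog setup); each attribute printed by unindexed_attrs is a candidate for an olcDbIndex ... eq on the database it was searched in.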