Ldap Server: Difference between revisions

From Objectif Client Inc
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 45: Line 45:


=== Add a new Schema ===
=== Add a new Schema ===
Add Samba Schema
* Add Samba Schema
<syntaxhighlight lang="bash">ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif</syntaxhighlight>
<syntaxhighlight lang="bash">
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
</syntaxhighlight>
 
=== Identify the 'olcDatabase' ===
* Retreive current information
<syntaxhighlight lang="bash">
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config dn olcRootDN
</syntaxhighlight>
* You need to modify the entry dn: "olcDatabase={1}mdb,cn=config"


=== Add a password to root ===
* Get SSHA password with slappasswd
<syntaxhighlight lang="bash">
slappasswd
</syntaxhighlight>


=== Change Database Suffix ===
* Create an ldif file (ldaprootpasswd.ldif) with the following content
Use the following command
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">ldapmodify -Y EXTERNAL -H ldapi:///</syntaxhighlight>
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}... password from slappasswd
</syntaxhighlight>
 
* Apply modification
<syntaxhighlight lang="bash">
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
</syntaxhighlight>
 
=== Ad Domain information ===
* Create an ldif file (ldapdomain.ldif) with the following content
<syntaxhighlight lang="bash">
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=objclt,dc=com" read by * none


Then enter the following info
dn: olcDatabase={1}mdb,cn=config
<pre>dn: olcDatabase={1}mdb,cn=config
changetype: modify
changetype: modify
replace: olcSuffix
replace: olcSuffix
olcSuffix: dc=objclt,dc=com
olcSuffix: dc=objclt,dc=com
</pre>
Press enter twice


=== Change Root DN ===
dn: olcDatabase={1}mdb,cn=config
Retreive current information
changetype: modify
<syntaxhighlight lang="bash">ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config dn olcRootDN</syntaxhighlight>
replace: olcRootDN
You need to modify the entry dn: "olcDatabase={1}mdb,cn=config"
olcRootDN: cn=admin,dc=objclt,dc=com


Proceed to modify
dn: olcDatabase={1}mdb,cn=config
<syntaxhighlight lang="bash">ldapmodify -Y EXTERNAL -H ldapi:///</syntaxhighlight>
changetype: modify
add: olcRootPW
olcRootPW:{SSHA} password from ldappasswd


Provide the following information:
dn: olcDatabase={1}mdb,cn=config
* The entry we want to modify
changetype: modify
* The action and the parameter we want to modify
add: olcAccess
* The value
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=objclt,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=objclt,dc=com" write by * read
</syntaxhighlight>


* Apply modification
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
dn: olcDatabase={1}mdb,cn=config
ldapadd -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
replace: olcRootDN
olcRootDN: cn=admin,dc=objclt,dc=com
</syntaxhighlight>
</syntaxhighlight>


Press enter twice to confirm
=== Ldap debug Code ===
{| class="wikitable alternance left"
|+ Debugging Levels
 
! scope="col" |Level
! scope="col" |Description
|-
!scope="row" | -1
| enable all debugging
|-
!scope="row" | 0
| no debugging
|-
!scope="row" | 1
| trace function calls
|-
!scope="row" | 2
| debug packet handling
|-
!scope="row" | 4
| heavy trace debugging
|-
!scope="row" | 8
| connection management
|-
!scope="row" |16
| print out packets sent and received
|-
!scope="row" | 32
| search filter processing
|-
!scope="row" | 64
| configuration file processing
|-
!scope="row" | 128
| access control list processing
|-
!scope="row" | 256
| stats log connections/operations/results
|-
!scope="row" | 512
| stats log entries sent
|-
!scope="row" |1024
| print communication with shell backends
|-
!scope="row" | 2048
| print entry parsing debugging
|}


== Backup / Restore ==
== Backup / Restore ==

Latest revision as of 12:30, 25 October 2019

Installation

Preparation

By default the installation of slapd will create a working configuration based on the hostname. If you want a suffix dc=objclt,dc=com then your host file "/etc/hosts" would have a line similar to this: 

127.0.1.1   hostname.objclt.com  hostname

Install

Install Ldap server and utilities 

apt-get install slapd ldap-utils

Validate your install

Inquiry the Ldap configuration 

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config

Explanation of entries

  1. cn=config: global settings
  2. cn=module{0},cn=config: a dynamically loaded module
  3. cn=schema,cn=config: contains hard-coded system-level schema
  4. cn={0}core,cn=schema,cn=config: the hard-coded core schema
  5. cn={1}cosine,cn=schema,cn=config: the cosine schema
  6. cn={2}nis,cn=schema,cn=config: the nis schema
  7. cn={3}inetorgperson,cn=schema,cn=config: the inetorgperson schema
  8. olcBackend={0}hdb,cn=config: the 'hdb' backend storage type
  9. olcDatabase={-1}frontend,cn=config: frontend database, default settings for other databases
  10. olcDatabase={0}config,cn=config: slapd configuration database (cn=config)
  11. olcDatabase={1}hdb,cn=config: your database instance (dc=examle,dc=com)

Display the dc=objclt,dc=com DIT 

ldapsearch -x -LLL -H ldap:/// -b dc=objclt,dc=com dn

Setup Ldap

Add a new Schema

  • Add Samba Schema
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Identify the 'olcDatabase'

  • Retreive current information
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config dn olcRootDN
  • You need to modify the entry dn: "olcDatabase={1}mdb,cn=config"

Add a password to root

  • Get SSHA password with slappasswd
slappasswd
  • Create an ldif file (ldaprootpasswd.ldif) with the following content
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}... password from slappasswd
  • Apply modification
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif

Ad Domain information

  • Create an ldif file (ldapdomain.ldif) with the following content
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=objclt,dc=com" read by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=objclt,dc=com

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=objclt,dc=com

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA} password from ldappasswd

dn: olcDatabase={1}mdb,cn=config 
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=objclt,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=objclt,dc=com" write by * read
  • Apply modification
ldapadd -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif

Ldap debug Code

Debugging Levels
Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging

Backup / Restore

Backup

/usr/sbin/slapcat -l /mnt/Backup/Ldap/ldap_backup.ldif

Restore

Clean Backup File

cat ldap_backup.ldif | grep -v 'structuralObjectClass' | grep -v 'modifyTimestamp' | grep -v 'modifiersName' / 
| grep -v 'entryCSN' | grep -v 'createTimestamp' | grep -v 'creatorsName' | grep -v 'entryUUID' > /backup/ldap/ldap_backup_clean.ldif

Restore from Ldif

ldapadd -x -D cn=admin,dc=objclt,dc=com -W -f /mnt/Backup/Ldap/ldap_backup_clean.ldif


CheckSum

cp /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif /tmp
tail -n +3 /tmp/olcDatabase={1}mdb.ldif > /tmp/fixed.ldif
/check-4.3/check  /tmp/fixed.ldif

/tmp/fixed.ldif                  CRC-32 = 5bf0745e, size = 832 bytes

Replace the new CRC-32 value into the original file using your favourite editor 

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5bf0745e

Ldap Client

Retrieved from "http://wiki.objclt.ca/wiki/index.php?title=Ldap_Server&oldid=1080"