Ldap Server: Difference between revisions

From Objectif Client Inc
== Installation ==
=== Preparation ===
By default the installation of slapd creates a working configuration based on the hostname. If you want the suffix dc=objclt,dc=com, your hosts file "/etc/hosts" should have a line similar to this:
<syntaxhighlight lang="bash">127.0.1.1  hostname.objclt.com  hostname</syntaxhighlight>
 
=== Install ===
Install Ldap server and utilities
<syntaxhighlight lang="bash">apt-get install slapd ldap-utils</syntaxhighlight>
 
=== Validate your install ===
Query the Ldap configuration
<syntaxhighlight lang="bash">ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</syntaxhighlight>
<pre>
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
</pre>
 
Explanation of entries
 
# cn=config: global settings
# cn=module{0},cn=config: a dynamically loaded module
# cn=schema,cn=config: contains hard-coded system-level schema
# cn={0}core,cn=schema,cn=config: the hard-coded core schema
# cn={1}cosine,cn=schema,cn=config: the cosine schema
# cn={2}nis,cn=schema,cn=config: the nis schema
# cn={3}inetorgperson,cn=schema,cn=config: the inetorgperson schema
# olcBackend={0}mdb,cn=config: the 'mdb' backend storage type
# olcDatabase={-1}frontend,cn=config: frontend database, default settings for other databases
# olcDatabase={0}config,cn=config: slapd configuration database (cn=config)
# olcDatabase={1}mdb,cn=config: your database instance (dc=example,dc=com)
 
Display the dc=objclt,dc=com DIT
<syntaxhighlight lang="bash">ldapsearch -x -LLL -H ldap:/// -b dc=objclt,dc=com dn</syntaxhighlight>


== Setup Ldap ==
=== Add a new Schema ===
* Add the Samba schema. The cosine, nis and inetorgperson schemas are already loaded by the default install (see the cn=config listing above); loading a schema twice fails with a duplicate attributeType error, so run those three lines only if they are missing.
<syntaxhighlight lang="bash">
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
</syntaxhighlight>
 
=== Identify the 'olcDatabase' ===
* Retrieve current information
<syntaxhighlight lang="bash">
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn olcRootDN
</syntaxhighlight>
* You need to modify the entry dn: "olcDatabase={1}mdb,cn=config"
 
=== Add a password to root ===
* Generate an SSHA password hash with slappasswd
<syntaxhighlight lang="bash">
slappasswd
</syntaxhighlight>
 
* Create an ldif file (ldaprootpasswd.ldif) with the following content
<syntaxhighlight lang="bash">
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}... password from slappasswd
</syntaxhighlight>
 
* Apply modification
<syntaxhighlight lang="bash">
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
</syntaxhighlight>
 
=== Add Domain information ===
* Create an ldif file (ldapdomain.ldif) with the following content. olcAccess is an X-ORDERED attribute and the first rule whose "to" clause matches an entry decides: the later add: olcAccess inserts its rules in front as {0} to {2} and pushes the catch-all rule set by the first block (read for the local root user and cn=admin, nothing for anyone else) down to {3}, where it is never consulted because {2}to * already matches everything.
<syntaxhighlight lang="bash">
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=objclt,dc=com" read by * none
 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=objclt,dc=com
 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=objclt,dc=com
 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}... password from slappasswd
 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=objclt,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=objclt,dc=com" write by * read
</syntaxhighlight>
 
* Apply modification
<syntaxhighlight lang="bash">
ldapadd -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
</syntaxhighlight>
 
=== Ldap debug Codes ===
Levels are bit flags and can be added together; the sum is passed to slapd with -d or set as olcLogLevel under cn=config.
{| class="wikitable alternance left"
|+ Debugging Levels
 
! scope="col" |Level
! scope="col" |Description
|-
!scope="row" | -1
| enable all debugging
|-
!scope="row" | 0
| no debugging
|-
!scope="row" | 1
| trace function calls
|-
!scope="row" | 2
| debug packet handling
|-
!scope="row" | 4
| heavy trace debugging
|-
!scope="row" | 8
| connection management
|-
!scope="row" |16
| print out packets sent and received
|-
!scope="row" | 32
| search filter processing
|-
!scope="row" | 64
| configuration file processing
|-
!scope="row" | 128
| access control list processing
|-
!scope="row" | 256
| stats log connections/operations/results
|-
!scope="row" | 512
| stats log entries sent
|-
!scope="row" |1024
| print communication with shell backends
|-
!scope="row" | 2048
| print entry parsing debugging
|}
 
== Backup / Restore ==
 
=== Backup ===
<syntaxhighlight lang="bash">/usr/sbin/slapcat -l /mnt/Backup/Ldap/ldap_backup.ldif</syntaxhighlight>
 
=== Restore ===
 
==== Clean Backup File ====
Remove the operational attributes that ldapadd refuses before replaying the dump (slapadd, run while slapd is stopped, accepts them as they are):
<syntaxhighlight lang="bash">grep -v -e 'structuralObjectClass' -e 'modifyTimestamp' -e 'modifiersName' \
        -e 'entryCSN' -e 'createTimestamp' -e 'creatorsName' -e 'entryUUID' \
        /mnt/Backup/Ldap/ldap_backup.ldif > /mnt/Backup/Ldap/ldap_backup_clean.ldif</syntaxhighlight>
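The same cleaning done record by record in Python, as an added example that is not part of the original page: slapcat folds long values onto continuation lines that begin with a space, and a line-oriented grep -v leaves those tails behind as invalid LDIF, which this version avoids. The attribute list is the page's own; the sample dump is constructed.

```python
# Attributes slapcat writes that ldapadd rejects (they are NO-USER-MODIFICATION).
OPERATIONAL = {"structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
               "entryCSN", "modifiersName", "modifyTimestamp"}

def unfold(ldif):
    """Split LDIF text into records (lists of logical lines), joining folded
    continuation lines (which start with one space) back onto their attribute."""
    records, current = [], []
    for line in ldif.splitlines():
        if line.startswith(" ") and current:   # continuation of the previous line
            current[-1] += line[1:]
        elif line == "":                        # blank line ends a record
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):          # skip comments
            current.append(line)
    if current:
        records.append(current)
    return records

def attr_name(line):
    """Attribute type before the first ':' (also covers 'attr:: base64' lines)."""
    return line.partition(":")[0]

def clean_ldif(ldif):
    """Return the LDIF with operational attributes dropped, one blank line between records."""
    records = ["\n".join(l for l in rec if attr_name(l) not in OPERATIONAL)
               for rec in unfold(ldif)]
    return "\n\n".join(records) + "\n"

# Constructed slapcat-style dump (not real data); the second creatorsName is folded the way
# slapcat wraps long values, so a line-oriented grep -v would leave the " th" tail behind.
SAMPLE = """dn: dc=objclt,dc=com
objectClass: organization
dc: objclt
structuralObjectClass: organization
creatorsName: cn=admin,dc=objclt,dc=com
entryCSN: 20191025123000.000000Z#000000#000#000000

dn: cn=admin,dc=objclt,dc=com
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}constructed-placeholder-not-a-real-hash
structuralObjectClass: organizationalRole
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=au
 th
entryCSN: 20191025123001.000000Z#000000#000#000000
"""
```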
 
==== Restore from Ldif ====
<syntaxhighlight lang="bash">ldapadd -x -D cn=admin,dc=objclt,dc=com -W -f /mnt/Backup/Ldap/ldap_backup_clean.ldif</syntaxhighlight>
 


== CheckSum ==
The cn=config database is stored as LDIF files under /etc/ldap/slapd.d; each file starts with a two-line header that records a CRC-32 of the rest of the file. ldapmodify keeps that header current, so prefer it. If a file has been edited by hand, recompute the checksum of everything after the header and write it back, otherwise slapd logs a checksum error when it reads the file.
<syntaxhighlight lang="bash">
cp /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif /tmp
tail -n +3 /tmp/olcDatabase={1}mdb.ldif > /tmp/fixed.ldif
/check-4.3/check /tmp/fixed.ldif
</syntaxhighlight>
<pre>/tmp/fixed.ldif                  CRC-32 = 5bf0745e, size = 832 bytes</pre>

Put the new CRC-32 value into the header of the original file using your favourite editor
<syntaxhighlight lang="bash">
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5bf0745e
</syntaxhighlight>
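The checksum procedure above carried through in Python, as an added example that is not from the wiki page: checksum everything after the two header lines, compare it with the # CRC32 header, and rewrite the header. It assumes the checksum is the standard CRC-32 (zlib polynomial) that the page's check tool reports; the sample file content is constructed.

```python
import zlib

HEADER_LINES = 2  # "# AUTO-GENERATED FILE ..." and "# CRC32 xxxxxxxx"

def split_header(text):
    """Return (header lines, body): the body is everything from line 3 on,
    which is exactly what `tail -n +3` hands to the checker on the page."""
    lines = text.split("\n")
    return lines[:HEADER_LINES], "\n".join(lines[HEADER_LINES:])

def slapd_config_crc(text):
    """CRC-32 of the body as 8 lowercase hex digits (standard zlib polynomial)."""
    _, body = split_header(text)
    return f"{zlib.crc32(body.encode()):08x}"

def stored_crc(text):
    """Checksum recorded on the '# CRC32 ...' header line, or None if missing."""
    for line in split_header(text)[0]:
        if line.startswith("# CRC32 "):
            return line.split()[2].lower()
    return None

def check_crc(text):
    """True when the header matches the body. A mismatch means the file was
    changed behind slapd's back (a hand edit, or tampering); slapd logs a
    checksum error for such a file when it loads cn=config."""
    return stored_crc(text) == slapd_config_crc(text)

def fix_crc(text):
    """Return the file with the '# CRC32' header rewritten to match the body."""
    header, body = split_header(text)
    crc = slapd_config_crc(text)
    header = [f"# CRC32 {crc}" if h.startswith("# CRC32") else h for h in header]
    return "\n".join(header + [body])

# Constructed sample of /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif after a
# hand edit of olcRootDN; the header still carries the pre-edit checksum from the page.
SAMPLE = """# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5bf0745e
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=objclt,dc=com
olcRootDN: cn=admin,dc=objclt,dc=com
"""

if __name__ == "__main__":
    print(fix_crc(SAMPLE), end="")
```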
[[Ldap Client]]

Latest revision as of 12:30, 25 October 2019
