I am skipping the installation steps, which anyone can follow, in order to note the advanced configuration elements.
There are two ways to configure your LDAP server: either through the slapd.conf file or through olc directives injected as LDIF. Settings in the file require a restart, whereas changes made in "cn=config" are applied live.
On Debian 7, slapd.conf is referenced from /etc/default/slapd.
Documentation:
In both cases, the logs must be redirected through rsyslog:
# LOGGING FOR SLAPD
local4.* /var/log/openldap/slapd.log
mkdir /var/log/openldap && service rsyslog restart
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256
ldapmodify -Y EXTERNAL -H ldapi:/// -f olcLogLevel.ldif
# LOG LEVEL
loglevel 256
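A defender's use of the stats log just configured: at loglevel 256 slapd writes one line per connection, bind and result, and with the rsyslog rule above they land in /var/log/openldap/slapd.log. The Python script below is an added example, not part of the original page; it parses a few constructed slapd log lines in that format and counts repeated invalidCredentials (err=49) bind results per bind DN and client IP, linking ACCEPT, BIND and RESULT lines through the conn and op ids. The sample lines, the threshold and the function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of what slapd writes at loglevel 256 (stats). Not taken
# from a real server; DNs reuse the dc=test,dc=local suffix of the page.
SAMPLE_LOG = """\
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=test,dc=local" method=128
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 BIND dn="cn=admin,dc=test,dc=local" method=128
Mar  3 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Mar  3 10:00:03 ldap1 slapd[1234]: conn=1000 op=2 UNBIND
Mar  3 10:00:03 ldap1 slapd[1234]: conn=1000 fd=12 closed
Mar  3 10:00:05 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40002 (IP=0.0.0.0:389)
Mar  3 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=ldap_rw,ou=system,dc=test,dc=local" method=128
Mar  3 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=ldap_rw,ou=system,dc=test,dc=local" mech=SIMPLE ssf=0
Mar  3 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:06 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=test,dc=local" scope=2 deref=0 filter="(uid=user1)"
Mar  3 10:00:06 ldap1 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
# tag=97 is a BindResponse; SEARCH RESULT lines carry tag=101 and are skipped
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text, threshold=2):
    """Count invalidCredentials (err=49) bind results per (bind DN, client IP).

    Returns only the pairs that reached `threshold` failures. The conn id links
    the ACCEPT line (client IP) to later BIND/RESULT lines of that connection;
    the (conn, op) pair links each BIND request to its own RESULT line.
    """
    conn_ip = {}      # conn id -> client IP
    pending = {}      # (conn, op) -> bind DN waiting for its RESULT line
    failures = Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            dn = pending.pop(key, None)
            if dn is not None and m.group(3) == "49":
                failures[(dn, conn_ip.get(key[0], "unknown"))] += 1
    return {pair: n for pair, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for (dn, ip), n in failed_binds(SAMPLE_LOG).items():
        print(f"{n} failed binds as {dn} from {ip}")
```

On a real host the same function can be fed the file contents; the threshold is where an alert or a fail2ban-style rule would start, and the ppolicy lockout configured further down is the server-side counterpart of this counting.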
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/root.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
# LDAPS
TLSCertificateKeyFile /etc/ldap/ssl/ldaps_key.pem
TLSCertificateFile /etc/ldap/ssl/ldaps_cer.pem
TLSCACertificateFile /etc/ldap/ssl/ldaps_cer.pem
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq
ldapmodify -Y EXTERNAL -H ldapi:/// -f olcDbIndex.ldif
To verify, run the command:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "Objectclass=olcHdbConfig"
# Indexing options for database #1
# Unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
service slapd restart
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=test,dc=local" write by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=people,dc=test,dc=local" by dn="cn=admin,dc=test,dc=local" write by dn="cn=ldap_rw,ou=system,dc=test,dc=local" write by anonymous auth by * read
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=groups,dc=test,dc=local" by dn="cn=admin,dc=test,dc=local" write by dn="cn=ldap_rw,ou=system,dc=test,dc=local" write by anonymous auth by * read
-
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=test,dc=local" write by * read
-
add: olcAccess
olcAccess: {4}to dn.base="" by * read
-
add: olcAccess
olcAccess: {5}to * by self write by dn="cn=admin,dc=test,dc=local" write by dn="cn=master,ou=system,dc=test,dc=local" write by dn="cn=master2,ou=system,dc=test,dc=local" write by * read
ldapmodify -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif
access to dn.base="" by * read
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=test,dc=local" write
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=people,dc=test,dc=local"
    by dn="cn=admin,dc=test,dc=local" write
    by dn="cn=ldap_rw,ou=system,dc=test,dc=local" write
    by anonymous auth
    by * read
access to *
    by dn="cn=admin,dc=test,dc=local" write
    by dn="cn=master,ou=system,dc=test,dc=local" write
    by * read
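slapd evaluates an access list in order: the first `to` target that matches the entry and attribute decides which `by` list applies, and later rules are never consulted. The Python model below is an added example, not from the original page; it encodes only the `to` targets of the two lists above and reports which rule a given (entry DN, attribute) pair hits. It shows that in the olcAccess list {3} `to *` is reached before {4} and {5}, so those two rules are dead (for instance cn=master,ou=system,dc=test,dc=local never gets the `self write` that {5} grants), whereas the slapd.conf list places dn.base="" before `to *`. The evaluator models target matching and ordering within one list only, not the `by` clauses and not the split between global and per-database ACLs; the labels and helper names are constructed.

```python
# Simplified model of slapd access-list evaluation: first matching `to` target
# wins. Example code, not part of the page or of OpenLDAP.


def norm_dn(dn):
    """Lower-case a DN and strip spaces around commas (enough for this model)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(dn, base):
    """True when `dn` is `base` itself or lies below it."""
    return dn == base or dn.endswith("," + base)


def target_matches(target, dn, attr):
    """`target` is a dict with optional keys dn.base, dn.subtree, attrs;
    an empty dict stands for `to *`. All given selectors must match."""
    ndn = norm_dn(dn)
    if "dn.base" in target and ndn != norm_dn(target["dn.base"]):
        return False
    if "dn.subtree" in target and not in_subtree(ndn, norm_dn(target["dn.subtree"])):
        return False
    if "attrs" in target and attr.lower() not in target["attrs"]:
        return False
    return True


def first_match(acl, dn, attr):
    """Label of the first rule whose target matches (dn, attr), or None."""
    for label, target in acl:
        if target_matches(target, dn, attr):
            return label
    return None


def unreachable(acl):
    """Labels of rules placed after a `to *` rule: no request can reach them.
    (Only this obvious case is detected, not subtree containment.)"""
    for i, (_, target) in enumerate(acl):
        if target == {}:
            return [label for label, _ in acl[i + 1:]]
    return []


PASSWORD_ATTRS = {"userpassword", "shadowlastchange"}

# `to` targets of the olcAccess list above, in {n} order.
OLC_ACCESS = [
    ("{0}", {"attrs": PASSWORD_ATTRS}),
    ("{1}", {"dn.subtree": "ou=people,dc=test,dc=local"}),
    ("{2}", {"dn.subtree": "ou=groups,dc=test,dc=local"}),
    ("{3}", {}),                  # to *
    ("{4}", {"dn.base": ""}),
    ("{5}", {}),                  # to * (self write, master/master2 write)
]

# `to` targets of the slapd.conf list above, in file order.
SLAPD_CONF_ACCESS = [
    ("access 1", {"dn.base": ""}),
    ("access 2", {"attrs": PASSWORD_ATTRS}),
    ("access 3", {"dn.subtree": "ou=people,dc=test,dc=local"}),
    ("access 4", {}),             # to *
]

if __name__ == "__main__":
    print(first_match(OLC_ACCESS, "cn=master,ou=system,dc=test,dc=local", "description"))  # {3}
    print(unreachable(OLC_ACCESS))         # ['{4}', '{5}']
    print(unreachable(SLAPD_CONF_ACCESS))  # []
```

The practical check after loading an olcAccess list is therefore to read it back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}hdb,cn=config" olcAccess` and confirm that no `to *` rule precedes a more specific one; `slapacl` can then be used to test individual (DN, attribute) pairs against the live configuration.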
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
ldapmodify -Y EXTERNAL -H ldapi:/// -f memberOf_module.ldif
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
ldapmodify -Y EXTERNAL -H ldapi:/// -f memberOf_overlay.ldif
Verify the configuration with:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "Objectclass=olcModuleList"
# LOAD OVERLAYS
moduleload memberof.la
# MEMBEROF
overlay memberof
memberof-refint true
memberof-dangling error
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
service slapd restart
ldapsearch -H ldapi:/// -b 'DC=test,DC=dev' -D 'CN=admin,DC=test,DC=dev' -W '(cn=user1)' memberOf
# slapo-ppolicy has extra schema requirements
include /etc/ldap/schema/ppolicy.schema
# LOAD OVERLAYS
moduleload ppolicy.la
# PASSWORD POLICY
overlay ppolicy
ppolicy_default "cn=default,ou=policies,ou=system,dc=exemple,dc=com"
dn: cn=default,ou=policies,ou=system,dc=exemple,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 60
pwdGraceAuthNLimit: 5
pwdInHistory: 1
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
ldapadd -H "ldap://127.0.0.1" -D "CN=admin,DC=test,DC=local" -W -f ./password_policy.ldif
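To make the numbers in that policy entry concrete: pwdMaxFailure 5 consecutive failed binds, counted only within a sliding pwdFailureCountInterval of 60 seconds, lock the account (pwdLockout TRUE) for pwdLockoutDuration 300 seconds, after which a correct password is accepted again. The Python simulation below is an added example, not part of the original page and not slapo-ppolicy's code: it is a simplified model of that counting and lockout logic using the page's values, ignoring grace binds, expiry and quality checks. Function names and the timestamps in the scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Values from the cn=default policy entry above.
POLICY = {
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 60,   # seconds; 0 would mean failures never expire
    "pwdLockout": True,
    "pwdLockoutDuration": 300,       # seconds; 0 would mean locked until reset
}


@dataclass
class AccountState:
    """Per-entry operational state, standing in for pwdFailureTime and
    pwdAccountLockedTime."""
    failure_times: List[float] = field(default_factory=list)
    locked_at: Optional[float] = None


def attempt_bind(state, policy, now, password_ok):
    """Simulate one simple bind at time `now` (seconds).

    Returns "ok", "invalidCredentials" or "locked". Simplified model of
    slapo-ppolicy: the attempt that reaches pwdMaxFailure is itself reported
    as invalidCredentials, and every attempt after it is refused as locked
    until pwdLockoutDuration has elapsed, even with the right password.
    """
    if state.locked_at is not None:
        duration = policy["pwdLockoutDuration"]
        if duration and now - state.locked_at >= duration:
            state.locked_at = None          # lockout expired
            state.failure_times.clear()
        else:
            return "locked"
    interval = policy["pwdFailureCountInterval"]
    if interval:
        # failures older than the interval no longer count
        state.failure_times = [t for t in state.failure_times if now - t < interval]
    if password_ok:
        state.failure_times.clear()
        return "ok"
    state.failure_times.append(now)
    if policy["pwdLockout"] and len(state.failure_times) >= policy["pwdMaxFailure"]:
        state.locked_at = now
    return "invalidCredentials"


def run_scenario(policy, attempts):
    """attempts: list of (time, password_ok). Returns the outcome of each bind."""
    state = AccountState()
    return [attempt_bind(state, policy, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    burst = [(t, False) for t in range(5)] + [(10, True), (304, True)]
    print(run_scenario(POLICY, burst))
```

The second scenario in the test shows why pwdFailureCountInterval matters: four failures followed by a fifth one 70 seconds later do not lock the account, because the earlier failures have aged out of the window.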
Very important from my point of view! Sorry, I am only providing the classic config, for lack of time…
This module performs cascading deletes in the manner of a relational database.
It also allows inserting the admin, for example, when no member remains in a groupOfNames after a modification.
# LOAD OVERLAYS
moduleload refint.la
# REFERENTIAL INTEGRITY
overlay refint
refint_attributes member
refint_nothing "cn=admin,dc=test,dc=local"
# LOAD OVERLAYS
# the unique overlay is provided by unique.la (not ppolicy.la)
moduleload unique.la
# UNIQUENESS
#overlay unique
#unique_uri ldap:///?mail?sub?
In this example, it will be impossible to create two users with the same email address.
service slapd restart
# LOAD BACKEND
moduleload back_monitor.la

# monitor backend for statistical reporting
# (the access directive must follow "database monitor" so that it applies
# to this database and not to the database section defined above it)
database monitor
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=admin,dc=test,dc=local" write
    by dn.exact="cn=monitor,ou=system,dc=test,dc=local" read
    by * none
dn: cn=monitor,ou=system,dc=test,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: monitor
description: LDAP monitor
userPassword: {SSHA}k/N7idpYZtthh/HjBBcosQY3Fup68zsA
Tip for generating the password hash:
slappasswd -s MOTDEPASSE
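What `slappasswd` produces by default is the {SSHA} scheme: base64 of SHA-1(password || salt) followed by the salt, which slappasswd makes 4 bytes long (hence the 32-character value in the entry above). The Python functions below are an added example, not part of the original page or of OpenLDAP; they build and verify a value in that layout so that a userPassword hash can be checked offline, for instance to confirm that a stored value really is {SSHA} and salted before it goes into an LDIF. The password and fixed salt used in the test are constructed. Note that `slappasswd -s PASSWORD` passes the secret on the command line, where it is visible in shell history and in the process list; `slappasswd` without `-s` prompts for it instead.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes


def ssha_hash(password, salt=None):
    """Build a userPassword value in slappasswd's {SSHA} layout:
    base64( SHA1(password || salt) || salt ). Random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt); None if it is not
    a well-formed {SSHA} value (other schemes are deliberately not guessed)."""
    if not stored.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    if len(raw) <= SHA1_LEN:    # must contain a digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.
    The salt is taken from the stored value; comparison is constant-time."""
    parts = ssha_parts(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ssha_hash("constructed-secret")   # constructed password
    print(value, ssha_verify("constructed-secret", value))
```

The same layout is what slapd compares against on a simple bind when no ppolicy hashing overlay is involved; storing the value with a `{SSHA}` prefix rather than in clear is what the `to attrs=userPassword ... by anonymous auth` ACL above protects.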
Import the LDIF to create the monitoring user:
ldapadd -H "ldap://127.0.0.1" -D "CN=admin,DC=test,DC=local" -W -f ./monitor_user.ldif
ldapsearch -H ldap://127.0.0.1 -D "cn=monitor,ou=system,dc=test,dc=local" -W -b "cn=Monitor" -s base '(objectClass=*)' '*' '+'
ldapsearch -H ldap://127.0.0.1 -D "cn=monitor,ou=system,dc=test,dc=local" -w "loshViHac5" -b "cn=Monitor"
ldapsearch -H ldap://127.0.0.1 -D "cn=monitor,ou=system,dc=test,dc=local" -w "loshViHac5" -b "cn=Connections,cn=Monitor"
aptitude install munin-node
cd /etc/munin/plugins
ln -s /usr/share/munin/plugins/slapd_ slapd_connections
ln -s /usr/share/munin/plugins/slapd_ slapd_operations
...
# Change these to reflect your LDAP ACL. The given DN must have
# read access to the Monitor branch.
my $basedn = "cn=Monitor";
my $server = ($ENV{'server'} || 'localhost');
my $userdn = ($ENV{'binddn'} || '');
my $userpw = ($ENV{'bindpw'} || '');
aptitude install libnet-ldap-perl
munin-run -d slapd_operations
service slapd stop && ps -ef | grep slap
su openldap -c '/usr/sbin/slapindex -f /etc/ldap/slapd.conf -d 3' -s /bin/bash
find /var/lib/ldap/ -type f -name "*.bdb" -exec ls -ail {} \;