docpublic:systemes:ldap:ldap_lsc [2015/11/28 10:58]
procacci@tem-tsp.eu [dependance java]
docpublic:systemes:ldap:ldap_lsc [2015/12/01 15:43] (current)
procacci@tem-tsp.eu [suppression]
Line 77: Line 77:
 </code> </code>
  
 +===== Scenario ldap to ldap =====
  
 +ref 
  
 +  * https://documentation.fusiondirectory.org/en/documentation/merge_ad_openldap_user
 +  * http://rsokolkov.com/synchronizing-users-from-ad-to-openldap/
 +  * http://autoblogs.memiks.fr/planet-libre/?Cl%C3%A9ment-OUDOT-LDAP-Synchronization-Connector-en-mode-2-0
 + 
  
 +Preparation d'un scenario de synchro de ldap evry  vers ldap de fusion mines-telecom
 +<code>
 +[root@lsc lsc]# mkdir /etc/lsc/ldapevry2ldapimt
 +[root@lsc lsc]# cd /etc/lsc/ldapevry2ldapimt
 +[root@lsc ldapevry2ldapimt]# cp /etc/lsc/logback.xml .
 +[root@lsc ldapevry2ldapimt]# cp /etc/lsc/lsc.xml .
 +[root@lsc ldapevry2ldapimt]# vim lsc.xml
 +</code>
 +
 +a suivre [[.:ldap_lsc&#config_lsc_synchro_ldap2ldap|ldap2ldap lsc config plus bas ]]
 +
 +==== installation openldap-servers ====
 +
 +<code>
 +[root@lsc ldap2ldap]# yum install openldap-servers openldap-clients
 +Installed:
 +  openldap-servers.x86_64 0:2.4.39-7.el7.centos    
 +  openldap-clients.x86_64 0:2.4.39-7.el7.centos                   
 +</code>
 +
 +==== parametrage openldap-server =====
 +
 +recuperation de schema propres a nos usages accademiques
 +<code>
 +[root@lsc schema]# cp eduperson-200412.schema supann_2009.schema /etc/openldap/schema/
 +</code>
 +
 +repertoire systeme où sera stocké la base ldap fusion des sources de synchro (initialement backen BDB à passer en lmdb ...)
 +
 +<code>
 +[root@lsc openldap]# vim slapd.conf # directory       /var/lib/ldap/imt/
 +[root@lsc openldap]# mkdir /var/lib/ldap/imt/
 +[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/
 +
 +[root@lsc openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/imt/DB_CONFIG
 +[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/DB_CONFIG
 +</code>
 +
 +
 +==== demarrage du serveur au boot ====
 +
 +<code>
 +[root@lsc openldap]# systemctl enable slapd.service 
 +ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
 +</code>
 +
 +s'assurer que le firewall est ouver sur ldap , exemple avec firewalld 
 +
 +<code>
 +# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldap" log prefix="ldap_157_158" accept'
 +# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldaps" log prefix="ldaps_157_158" accept'
 +# firewall-cmd --reload
 +</code>
 +
 +==== log ldap dans rsyslog ====
 +
 +<code>
 +[root@lsc openldap]# vim /etc/rsyslog.conf 
 +[root@lsc openldap]# systemctl restart rsyslog.service 
 +[root@lsc openldap]# grep ldap /etc/rsyslog.conf
 +local4.* /var/log/ldap.log
 +</code>
 +
 +
 +==== Premier lancement du serveur a vide ====
 +
 +<code>
 +[root@lsc openldap]# ./olcgene.sh 
 +565ad68c /etc/openldap/slapd.conf: line 208: rootdn is always granted unlimited privileges.
 +565ad68c /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
 +565ad68c bdb_db_open: database "dc=mines-telecom,dc=fr": db_open(/var/lib/ldap/imt//id2entry.bdb) failed: No such file or directory (2).
 +565ad68c backend_startup_one (type=bdb, suffix="dc=mines-telecom,dc=fr"): bi_db_open failed! (2)
 +slap_startup failed (test would succeed using the -u switch)
 +
 +[root@lsc openldap]# ls -al /var/lib/ldap/imt/
 +total 19552
 +drwxr-xr-x 2 ldap ldap     4096 Nov 29 11:42 .
 +drwx------ 3 ldap ldap     4096 Nov 29 11:11 ..
 +-rw-r--r-- 1 ldap ldap      845 Nov 29 11:15 DB_CONFIG
 +-rw------- 1 ldap ldap  2801664 Nov 29 11:42 __db.001
 +-rw------- 1 ldap ldap 17489920 Nov 29 11:42 __db.002
 +-rw------- 1 ldap ldap  1884160 Nov 29 11:42 __db.003
 +-rw-r--r-- 1 ldap ldap     2048 Nov 29 11:42 alock
 +-rw------- 1 ldap ldap     8192 Nov 29 11:42 dn2id.bdb
 +-rw------- 1 ldap ldap    32768 Nov 29 11:42 id2entry.bdb
 +-rw------- 1 ldap ldap 10485760 Nov 29 11:42 log.0000000001
 +
 +[root@lsc openldap]# tail -f /var/log/ldap.log 
 +Nov 29 11:42:20 lscimt slapd[3275]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
 + mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
 +Nov 29 11:42:20 lscimt slapd[3276]: slapd starting
 +
 +
 +[root@lsc openldap]# ps auwx |grep slapd 
 +ldap      3276  0.0  2.0 429780  5504 ?        Ssl  11:42   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
 +</code>
 +
 +
 +==== ajout de la racine de l'arbre ldap ====
 +
 +fichier ldap represantant la racine de l'arbre de fusion ldap
 +<code>
 +# cat root-mt.ldif
 +# mt
 +dn: dc=mines-telecom,dc=fr
 +dc: mines-telecom
 +objectClass: top
 +objectClass: domain
 +objectClass: domainRelatedObject
 +associatedDomain: mines-telecom.fr
 +</code>
 +
 +insertion dans l'instance ldap imt 
 +
 +<code>
 +[root@lsc ~]# ldapadd -f root-mt.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -WEnter LDAP Password: 
 +adding new entry "dc=mines-telecom,dc=fr"
 +
 +[root@lsc ~]# tail -f /var/log/ldap.log 
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 ACCEPT from IP=[::1]:47596 (IP=[::]:389)
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" method=128
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 RESULT tag=97 err=0 text=
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 ADD dn="dc=mines-telecom,dc=fr"
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 RESULT tag=105 err=0 text=
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=2 UNBIND
 +Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 closed
 +</code>
 +
 +et de la sous branche people
 +
 +<code>
 +[root@lsc ~]# vim people.ldif
 +[root@lsc ~]# ldapadd -f people.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -WEnter LDAP Password: 
 +adding new entry "ou=people,dc=mines-telecom,dc=fr"
 +
 +[root@lsc ~]# cat people.ldif 
 +dn: ou=people,dc=mines-telecom,dc=fr
 +changetype: add
 +objectClass: organizationalUnit
 +objectClass: top
 +ou: people
 +</code>
 +
 +contenu actuel de notre "coquille vide"
 +
 +<code>
 +[root@lsc ~]# ldapsearch -x objectclass=* -H ldap://localhost -b dc=mines-telecom,dc=fr -D cn=admin,dc=mines-telecom,dc=fr -W dn -LLL
 +Enter LDAP Password: 
 +dn: dc=mines-telecom,dc=fr
 +
 +dn: ou=people,dc=mines-telecom,dc=fr
 +</code>
 +
 +
 +===== Config LSC synchro ldap2ldap =====
 +
 +
 +le principe ici est de synchroniser des annuaires ldap vers un annuaire mutualisé assurant la fusion des annuaires d'etablissements dans des sous branches propres a l'etablissement .
 +
 +Ici , on fait une exclusion des objectclass et attributs non indispensables a un annuaire pages blanches via le <dataset> objectclass :
 +
 +<code>
 +[root@lscimt ldapevry2ldapimt]# cat lsc.xml
 +<?xml version="1.0" ?>
 +<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
 +
 +  <connections>
 +    <ldapConnection>
 +      <name>tem-tsp</name>
 +      <url>ldap://ldapze.int.fr:389/dc=int,dc=fr</url>
 +      <username>cn=adm,dc=int,dc=fr</username>
 +      <password>secret</password>
 +      <authentication>SIMPLE</authentication>
 +      <referral>IGNORE</referral>
 +      <derefAliases>NEVER</derefAliases>
 +      <version>VERSION_3</version>
 +      <pageSize>-1</pageSize>
 +      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
 +      <tlsActivated>false</tlsActivated>
 +    </ldapConnection>
 +    <ldapConnection>
 +      <name>mines-telecom</name>
 +      <url>ldap://127.0.0.1:389/dc=mines-telecom,dc=fr</url>
 +      <username>cn=adm,dc=mines-telecom,dc=fr</username>
 +      <password>secret</password>
 +      <authentication>SIMPLE</authentication>
 +      <referral>THROW</referral>
 +      <derefAliases>NEVER</derefAliases>
 +      <version>VERSION_3</version>
 +      <pageSize>-1</pageSize>
 +      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
 +      <tlsActivated>false</tlsActivated>
 +    </ldapConnection>
 +  </connections>
 +
 +  <tasks>
 +
 +    <task>
 +      <name>user</name>
 +      <bean>org.lsc.beans.SimpleBean</bean>
 +       <ldapSourceService>
 +        <name>user-source-service</name>
 +        <connection reference="tem-tsp" />
 +        <baseDn>ou=people,dc=int,dc=fr</baseDn>
 +        <pivotAttributes>
 +          <string>cn</string>
 +        </pivotAttributes>
 +        <fetchedAttributes>
 +          <string>cn</string>
 +          <string>mail</string>
 +          <string>sn</string>
 +          <string>departmentNumber</string>
 +          <string>employeeType</string>
 +          <string>givenName</string>
 +          <string>telephoneNumber</string>
 +        </fetchedAttributes>
 +        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson)(uid=martin*))]]></getAllFilter>
 +        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
 +        <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></cleanFilter>
 +    </ldapSourceService>
 +    <ldapDestinationService>
 +        <name>user-dest-service</name>
 +        <connection reference="mines-telecom" />
 +        <baseDn>ou=evry,ou=people,dc=mines-telecom,dc=fr</baseDn>
 +        <pivotAttributes>
 +          <string>cn</string>
 +        </pivotAttributes>
 +        <fetchedAttributes>
 +          <string>cn</string>
 +          <string>objectClass</string>
 +          <string>mail</string>
 +          <string>sn</string>
 +          <string>departmentNumber</string>
 +          <string>employeeType</string>
 +          <string>givenName</string>
 +          <string>telephoneNumber</string>
 +        </fetchedAttributes>
 +        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson))]]></getAllFilter>
 +        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
 +    </ldapDestinationService>
 +      <propertiesBasedSyncOptions>
 +        <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=evry,ou=people,dc=mines-telecom,dc=fr"</mainIdentifier>
 +        <defaultDelimiter>;</defaultDelimiter>
 +        <defaultPolicy>FORCE</defaultPolicy>
 +        <conditions>
 +          <create>true</create>
 +          <update>true</update>
 +          <delete>true</delete>
 +          <changeId>true</changeId>
 +        </conditions>
 +         <dataset>
 +          <name>objectclass</name>
 +          <policy>KEEP</policy>
 +          <createValues>
 +            <string>"inetOrgPerson"</string>
 +            <string>"organizationalPerson"</string>
 +            <string>"person"</string>
 +            <string>"top"</string>
 +          </createValues>
 +        </dataset>
 +      </propertiesBasedSyncOptions>
 +    </task>
 +
 +  </tasks>
 +</lsc>
 +</code>
 +
 +
 +===== synchro =====
 +
 +<code>
 +[root@lsc ldapevry2ldapimt]# lsc -s user --config /etc/lsc/ldapevry2ldapimt/
 +11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
 +11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
 +11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [jar:file:/usr/lib/lsc/lsc-core-2.1.3.jar!/logback.xml]
 +
 +nov. 30 11:41:14 - INFO  - Reflections took 105 ms to scan 1 urls, producing 55 keys and 115 values
 +nov. 30 11:41:15 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/logback.xml
 +nov. 30 11:41:15 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/
 +nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
 +nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://ldapze.int.fr:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
 +nov. 30 11:41:15 - INFO  - Starting sync for user
 +nov. 30 11:41:15 - INFO  - # Adding new object cn=Guy BERNARD,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Mon Nov 30 11:41:15 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: add
 +employeeType:: UHJvZmVzc2V1ciBpbnZpdMOp
 +mail: jacques.martin@tem-tsp.eu
 +sn: MARTIN
 +departmentNumber: INFO
 +cn: Jacques MARTIN
 +telephoneNumber: +33161764567
 +objectClass: inetOrgPerson
 +objectClass: organizationalPerson
 +objectClass: person
 +objectClass: top
 +givenName: Jacques
 +
 +nov. 30 11:41:15 - INFO  - All entries: 5, to modify entries: 5, successfully modified entries: 5, errors: 0
 +
 +</code>
 +
 +==== modification d'attributs ====
 +
 +il est possible de modifier à la volée des valeurs d'attribut pour les rendre conforme a une syntaxte et nomenclature commune .
 +
 +Exemple d'ajout d'un dataset qui modifie lors de la synchro la valeur d'attribut departmentNumber , 
 +ici si à la source departmentNumber contient MCI alors le transformer en DSI :
 +
 +<code>
 + <dataset>
 +          <name>departmentNumber</name>
 +          <policy>FORCE</policy>
 +          <forceValues>
 +            <string><![CDATA[js:
 +                var department = srcBean.getDatasetFirstValueById("departmentNumber");
 +                if ( department == "MCI" ) { department = "DSI"; }
 +                department;
 +            ]]></string>
 +          </forceValues>
 +       </dataset>
 +
 +</code>
 +
 +log associés a cette synchro 
 +
 +<code>
 +nov. 30 14:45:17 - INFO  - # Updating object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +nov. 30 14:45:17 - INFO  - # Updating object cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Mon Nov 30 14:45:17 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: modify
 +replace: departmentNumber
 +departmentNumber: DSI
 +-
 +
 +# Mon Nov 30 14:45:17 CET 2015
 +dn: cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: modify
 +replace: departmentNumber
 +departmentNumber: DSI
 +-
 +
 +nov. 30 14:45:17 - INFO  - All entries: 5, to modify entries: 2, successfully modified entries: 2, errors: 0
 +</code>
 +
 +
 +===== suppression =====
 +
 +pour supprimer un compte il faut ajouter l'option
 +
 +<code>
 +-c,--clean <arg>                      Cleaning type (one of the available
 +                                       tasks or 'all')
 +</code>
 +et aussi s'assurer qu'il n'y a pas zero entrée dans la source , autrement lsc par sécurité ne supprime rien .
 +
 +<code>
 +déc. 01 14:29:00 - INFO  - Starting sync for user
 +déc. 01 14:29:00 - ERROR - Empty or non existant source (no IDs found)
 +</code>
 +
 +voici l'exemple de suppression d'une entrée à la source .
 +<code>
 +[root@lsc ldap2ldapmintel]# lsc -s user -c user --config /etc/lsc/ldap2ldapmintel/
 +...
 +déc. 01 15:21:52 - INFO  - Reflections took 104 ms to scan 1 urls, producing 55 keys and 115 values
 +déc. 01 15:21:52 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap2ldapmintel/logback.xml
 +déc. 01 15:21:52 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap2ldapmintel/
 +déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
 +déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://ldap4.tem-tsp.eu:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
 +déc. 01 15:21:52 - INFO  - Starting sync for user
 +déc. 01 15:21:52 - ERROR - Empty or non existant source (no IDs found)
 +déc. 01 15:21:52 - INFO  - Starting clean for user
 +déc. 01 15:21:52 - INFO  - # Removing object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
 +# Tue Dec 01 15:21:52 CET 2015
 +dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
 +changetype: delete
 +
 +déc. 01 15:21:52 - INFO  - All entries: 6, to modify entries: 1, successfully modified entries: 1, errors: 0
 +</code>
docpublic/systemes/ldap/ldap_lsc.1448708321.txt.gz · Last modified: 2015/11/28 10:58 by procacci@tem-tsp.eu