Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
docpublic:systemes:ldap:ldapc8 [2020/01/09 21:03] procacci@tem-tsp.eu [etat initial] |
docpublic:systemes:ldap:ldapc8 [2020/01/24 14:39] (current) procacci@tem-tsp.eu [reconstruction de base] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| RedHat (RHEL8) ne fournit plus openldap-servers : | RedHat (RHEL8) ne fournit plus openldap-servers : | ||
| - | https:// | + | * https:// |
| ==== Packages el8 openldap-servers ==== | ==== Packages el8 openldap-servers ==== | ||
| - | https:// | + | * https:// |
| - | https:// | + | |
| + | ==== ref docs ==== | ||
| + | * https:// | ||
| ==== repo LTB openldap-servers ==== | ==== repo LTB openldap-servers ==== | ||
| Line 26: | Line 28: | ||
| gpgkey=file:/// | gpgkey=file:/// | ||
| - | [root@ldapex ~]# vim / | ||
| [root@ldapex ~]# yum update | [root@ldapex ~]# yum update | ||
| LTB project packages | LTB project packages | ||
| + | |||
| + | [root@ldapex ~]# rpm --import https:// | ||
| + | |||
| </ | </ | ||
| Line 69: | Line 73: | ||
| </ | </ | ||
| + | ===== OLC config dynamique ==== | ||
| + | https:// | ||
| + | < | ||
| + | [root@ldapfr8 ~]# mkdir / | ||
| + | [root@ldapfr8 ~]# cp / | ||
| + | [root@ldapfr8 ~]# vim / | ||
| + | [root@ldapfr8 ~]# ls -l / | ||
| + | -rw-r--r-- 1 ldap ldap 924 29 août 20:52 DB_CONFIG | ||
| + | -rw------- 1 ldap ldap 845 29 août 20:52 DB_CONFIG.example | ||
| + | [root@ldapfr8 ~]# vim / | ||
| + | [root@ldapfr8 ~]# slaptest -f / | ||
| + | 5e1796ed mdb_db_open: | ||
| + | 5e1796ed backend_startup_one (type=mdb, suffix=" | ||
| + | slap_startup failed (test would succeed using the -u switch) | ||
| + | [root@ldapfr8 ~]# chown -R ldap.ldap / | ||
| + | </ | ||
| + | |||
| + | ==== cn=config acces ==== | ||
| + | |||
| + | necessité de declarer les acces a cn=config pour que l' | ||
| + | |||
| + | https:// | ||
| + | |||
| + | il faut donc ajouter au slapd.conf l' | ||
| + | et on en profite aussi pour declarer la databsqe monitor pour le futur monitoring . | ||
| + | |||
| + | < | ||
| + | ## JP enable on-the-fly configuration (cn=config) | ||
| + | database config | ||
| + | access to * | ||
| + | by dn.exact=" | ||
| + | by * read | ||
| + | |||
| + | ##JP enable server status monitoring (cn=monitor) | ||
| + | database monitor | ||
| + | access to * | ||
| + | by dn.exact=" | ||
| + | by dn.exact=cn=manager, | ||
| + | by * none | ||
| + | </ | ||
| + | |||
| + | resultat olc : | ||
| + | |||
| + | < | ||
| + | [root@ldap8 ~]# ls -ltr / | ||
| + | # ls -ltr / | ||
| + | total 108 | ||
| + | -rw------- 1 ldap ldap 86116 10 janv. 18:28 ' | ||
| + | drwxr-x--- 2 ldap ldap 4096 10 janv. 18:28 ' | ||
| + | -rw------- 1 ldap ldap 689 10 janv. 18:28 ' | ||
| + | -rw------- 1 ldap ldap 846 10 janv. 18:28 ' | ||
| + | -rw------- 1 ldap ldap 596 10 janv. 18:28 ' | ||
| + | -rw------- 1 ldap ldap 663 10 janv. 18:28 ' | ||
| + | </ | ||
| + | |||
| + | mise a jour du chemin de conf dans / | ||
| + | |||
| + | < | ||
| + | [root@ldapfr8 ~]# vim / | ||
| + | [root@ldapfr8 ~]# grep SLAPD_CONF_DIR / | ||
| + | SLAPD_CONF_DIR=" | ||
| + | </ | ||
| + | |||
| + | ==== start initial ==== | ||
| + | |||
| + | < | ||
| + | [root@ldapfr8 ~]# systemctl start slapd.service | ||
| + | [root@ldapfr8 ~]# systemctl status slapd.service | ||
| + | ● slapd.service - OpenLDAP LTB startup script | ||
| + | | ||
| + | | ||
| + | Docs: https:// | ||
| + | Process: 922 ExecStart=/ | ||
| + | Main PID: 954 (slapd) | ||
| + | Tasks: 2 (limit: 26213) | ||
| + | | ||
| + | | ||
| + | | ||
| + | |||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:10 ldapfr8 slapd[953]: @(#) $OpenLDAP: slapd 2.4.48 (Aug 29 2019 14:52:08) $ | ||
| + | clement@kptn-rhel8.example.com:/ | ||
| + | janv. 09 22:19:11 ldapfr8 slapd-cli[922]: | ||
| + | janv. 09 22:19:11 ldapfr8 systemd[1]: Started OpenLDAP LTB startup script. | ||
| + | </ | ||
| + | |||
| + | Database mdb | ||
| + | |||
| + | < | ||
| + | [root@ldapfr8 ~]# ls -ltr / | ||
| + | total 24 | ||
| + | -rw------- 1 ldap ldap 845 29 août 20:52 DB_CONFIG.example | ||
| + | -rw-r--r-- 1 ldap ldap 924 29 août 20:52 DB_CONFIG | ||
| + | -rw------- 1 ldap ldap 8192 9 janv. 22:19 lock.mdb | ||
| + | -rw------- 1 ldap ldap 12288 9 janv. 22:19 data.mdb | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ==== config initiale ==== | ||
| + | |||
| + | il n'y a que le schema Core par default | ||
| + | |||
| + | < | ||
| + | [root@ldap8 ~]# ls -ltr / | ||
| + | total 16 | ||
| + | -rw------- 1 ldap ldap 15546 10 janv. 12:21 ' | ||
| + | </ | ||
| + | |||
| + | le RootDSE contient bien notre base MDB initiale | ||
| + | |||
| + | < | ||
| + | [root@ldap8 ~]# ldapsearch -H ldap:// -x -s base -b "" | ||
| + | dn: | ||
| + | structuralObjectClass: | ||
| + | configContext: | ||
| + | namingContexts: | ||
| + | monitorContext: | ||
| + | |||
| + | ... | ||
| + | supportedLDAPVersion: | ||
| + | entryDN: | ||
| + | subschemaSubentry: | ||
| + | </ | ||
| + | |||
| + | interrogation du context de configuration de base cn=config via une connexion SASL (-Y) et sur une socket unix (ldapi) avec affichage des DN seulement (pas les attributs, retirer dn pour details) ) | ||
| + | :!: ldapi ici tourne sous la socket < | ||
| + | |||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# ps auwx | grep slapd | ||
| + | ldap 1971 0.0 0.8 1281088 4268 ? Ssl 18:28 0:00 / | ||
| + | root 1983 0.0 0.1 221840 | ||
| + | [root@ldap8 openldap]# ldapsearch -H ldapi:// | ||
| + | dn: cn=config | ||
| + | dn: cn=schema, | ||
| + | dn: cn={0}core, | ||
| + | dn: olcDatabase={-1}frontend, | ||
| + | dn: olcDatabase={0}config, | ||
| + | dn: olcDatabase={1}mdb, | ||
| + | dn: olcDatabase={2}monitor, | ||
| + | </ | ||
| + | |||
| + | === parametres globaux === | ||
| + | |||
| + | parametres globaux du service openldap qui s' | ||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# ldapsearch -H ldapi:// | ||
| + | dn: cn=config | ||
| + | objectClass: | ||
| + | cn: config | ||
| + | olcConfigFile: | ||
| + | olcConfigDir: | ||
| + | olcArgsFile: | ||
| + | olcAttributeOptions: | ||
| + | olcAuthzPolicy: | ||
| + | olcConcurrency: | ||
| + | olcConnMaxPending: | ||
| + | olcConnMaxPendingAuth: | ||
| + | olcGentleHUP: | ||
| + | olcIdleTimeout: | ||
| + | olcIndexSubstrIfMaxLen: | ||
| + | olcIndexSubstrIfMinLen: | ||
| + | olcIndexSubstrAnyLen: | ||
| + | olcIndexSubstrAnyStep: | ||
| + | olcIndexIntLen: | ||
| + | olcListenerThreads: | ||
| + | olcLocalSSF: | ||
| + | olcLogLevel: | ||
| + | olcPidFile: / | ||
| + | olcReadOnly: | ||
| + | olcReverseLookup: | ||
| + | olcSaslSecProps: | ||
| + | olcSockbufMaxIncoming: | ||
| + | olcSockbufMaxIncomingAuth: | ||
| + | olcThreads: 16 | ||
| + | olcTLSCRLCheck: | ||
| + | olcTLSVerifyClient: | ||
| + | olcTLSProtocolMin: | ||
| + | olcToolThreads: | ||
| + | olcWriteTimeout: | ||
| + | </ | ||
| + | |||
| + | === compte ldap admin === | ||
| + | |||
| + | compte admin ldap de base | ||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# ldapsearch -H ldapi:// | ||
| + | dn: olcDatabase={0}config, | ||
| + | olcRootDN: cn=config | ||
| + | |||
| + | dn: olcDatabase={1}mdb, | ||
| + | olcSuffix: dc=int, | ||
| + | olcRootDN: cn=manager, | ||
| + | olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/ | ||
| + | </ | ||
| + | |||
| + | |||
| + | ==== schemas ==== | ||
| + | |||
| + | ajouts de schemas via slapd.conf et conversion en dynamique cn=config | ||
| + | |||
| + | < | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | include | ||
| + | </ | ||
| + | |||
| + | resultat apres stop slapd , conversion via | ||
| + | |||
| + | / | ||
| + | |||
| + | puis start slapd | ||
| + | |||
| + | < | ||
| + | |||
| + | [root@ldap8 openldap]# ldapsearch -H ldapi:// | ||
| + | dn: cn={0}core, | ||
| + | dn: cn={1}corba, | ||
| + | dn: cn={2}cosine, | ||
| + | dn: cn={3}duaconf, | ||
| + | dn: cn={4}dyngroup, | ||
| + | dn: cn={5}inetorgperson, | ||
| + | dn: cn={6}java, | ||
| + | dn: cn={7}misc, | ||
| + | dn: cn={8}nis, | ||
| + | dn: cn={9}openldap, | ||
| + | dn: cn={10}ppolicy, | ||
| + | dn: cn={11}collective, | ||
| + | dn: cn={12}supann-2019-02-05, | ||
| + | dn: cn={13}eduperson-200412, | ||
| + | dn: cn={14}schac-20090326-1, | ||
| + | dn: cn={15}samba, | ||
| + | dn: cn={16}autofs, | ||
| + | </ | ||
| + | |||
| + | ==== mdb racine tree ==== | ||
| + | |||
| + | Fichier ldif racine de l' | ||
| + | |||
| + | |||
| + | < | ||
| + | # cat / | ||
| + | dn: dc=int, | ||
| + | dc: int | ||
| + | objectClass: | ||
| + | objectClass: | ||
| + | objectClass: | ||
| + | associatedDomain: | ||
| + | </ | ||
| + | |||
| + | === ldapadd racine === | ||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# ldapadd -H ldapi:// | ||
| + | SASL/ | ||
| + | SASL username: gidNumber=0+uidNumber=0, | ||
| + | SASL SSF: 0 | ||
| + | adding new entry " | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ===== import initial / restore ===== | ||
| + | |||
| + | s'il s'agit d'une migration, il est necessaire de recuperer un contenu d' | ||
| + | |||
| + | ==== reconstruction de base ==== | ||
| + | |||
| + | on part de rien et on reconstruit tout notre annauire a base d'un script (utile si operation repetée) | ||
| + | |||
| + | vider les fichiers DB apres avoir arreter slapd :!: ceci detruit tout l' | ||
| + | |||
| + | < | ||
| + | [root@ldap8 var]# systemctl stop slapd.service | ||
| + | |||
| + | [root@ldap8 var]# rm openldap-data/ | ||
| + | rm : supprimer ' | ||
| + | rm : supprimer ' | ||
| + | </ | ||
| + | |||
| + | reconstruction de la configuration dynamique (OLC) depuis un slapd.conf | ||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# ./ | ||
| + | 5e2af9bf / | ||
| + | config file testing succeeded | ||
| + | Job for slapd.service failed because the control process exited with error code. | ||
| + | See " | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | [root@ldap8 openldap]# time / | ||
| + | 5e2af79d / | ||
| + | .#################### | ||
| + | Closing DB... | ||
| + | |||
| + | real 0m8, | ||
| + | user 0m2, | ||
| + | sys 0m4, | ||
| + | [root@ldap8 openldap]# | ||
| + | </ | ||
| + | ==== admin de config ==== | ||
| + | |||
| + | creation d'un compte administrateur de configuration independant le la database d' | ||
| + | |||
| + | * ref: https:// | ||
| + | |||
| + | passage par slapd.conf | ||
| + | |||
| + | < | ||
| + | database config | ||
| + | rootdn | ||
| + | # Cleartext passwords, especially for the rootdn, should | ||
| + | # be avoid. | ||
| + | # Use of strong authentication encouraged. | ||
| + | rootpw | ||
| + | </ | ||
