[[openldap Centos8]]
Trace:
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:ldap:ldapc8 [2020/01/10 17:33]
procacci@tem-tsp.eu [config initiale] 		docpublic:systemes:ldap:ldapc8 [2020/01/24 14:39] (current)
procacci@tem-tsp.eu [reconstruction de base]
Line 5: Line 5:
 RedHat (RHEL8) ne fournit plus openldap-servers : RedHat (RHEL8) ne fournit plus openldap-servers :
  
-https://access.redhat.com/solutions/2440481+  * https://access.redhat.com/solutions/2440481
  
 ==== Packages el8 openldap-servers ==== ==== Packages el8 openldap-servers ====
  
-https://www.worteks.com/fr/2019/06/07/paquets-openldap-ltb-pour-redhat-entreprise-linux-8/ +  * https://www.worteks.com/fr/2019/06/07/paquets-openldap-ltb-pour-redhat-entreprise-linux-8/ 
-https://ltb-project.org/documentation/openldap-rpm+  https://ltb-project.org/documentation/openldap-rpm
  
 +==== ref docs ====
  
 +  * https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks
 ==== repo LTB openldap-servers ==== ==== repo LTB openldap-servers ====
  
Line 206: Line 208:
  
 interrogation du context de configuration de base cn=config via une connexion SASL (-Y) et sur une socket unix (ldapi) avec affichage des DN seulement (pas les attributs, retirer dn pour details) )  interrogation du context de configuration de base cn=config via une connexion SASL (-Y) et sur une socket unix (ldapi) avec affichage des DN seulement (pas les attributs, retirer dn pour details) ) 
 +:!: ldapi ici tourne sous la socket <code>ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi</code> cf slapd-cli.conf et ps auwx ci-dessous :!:
  
 +
 +<code>
 +[root@ldap8 openldap]# ps auwx | grep slapd
 +ldap      1971  0.0  0.8 1281088 4268 ?        Ssl  18:28   0:00 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
 +root      1983  0.0  0.1 221840   716 pts/0    S+   18:34   0:00 grep --color=auto slapd
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q dn
 +dn: cn=config
 +dn: cn=schema,cn=config
 +dn: cn={0}core,cn=schema,cn=config
 +dn: olcDatabase={-1}frontend,cn=config
 +dn: olcDatabase={0}config,cn=config
 +dn: olcDatabase={1}mdb,cn=config
 +dn: olcDatabase={2}monitor,cn=config
 +</code>
 +
 +=== parametres globaux ===
 +
 +parametres globaux du service openldap qui s'appliques a tous les sous contexts / DIT 
 +
 +<code>
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q -s base
 +dn: cn=config
 +objectClass: olcGlobal
 +cn: config
 +olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
 +olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
 +olcArgsFile: /usr/local/openldap/var/run/slapd.args
 +olcAttributeOptions: lang-
 +olcAuthzPolicy: none
 +olcConcurrency: 0
 +olcConnMaxPending: 100
 +olcConnMaxPendingAuth: 1000
 +olcGentleHUP: FALSE
 +olcIdleTimeout: 0
 +olcIndexSubstrIfMaxLen: 4
 +olcIndexSubstrIfMinLen: 2
 +olcIndexSubstrAnyLen: 4
 +olcIndexSubstrAnyStep: 2
 +olcIndexIntLen: 4
 +olcListenerThreads: 1
 +olcLocalSSF: 71
 +olcLogLevel: 0
 +olcPidFile: /usr/local/openldap/var/run/slapd.pid
 +olcReadOnly: FALSE
 +olcReverseLookup: FALSE
 +olcSaslSecProps: noplain,noanonymous
 +olcSockbufMaxIncoming: 262143
 +olcSockbufMaxIncomingAuth: 16777215
 +olcThreads: 16
 +olcTLSCRLCheck: none
 +olcTLSVerifyClient: never
 +olcTLSProtocolMin: 0.0
 +olcToolThreads: 1
 +olcWriteTimeout: 0
 +</code>
 +
 +=== compte ldap admin ===
 +
 +compte admin ldap de base 
 +
 +<code>
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
 +dn: olcDatabase={0}config,cn=config
 +olcRootDN: cn=config
 +
 +dn: olcDatabase={1}mdb,cn=config
 +olcSuffix: dc=int,dc=fr
 +olcRootDN: cn=manager,dc=int,dc=fr
 +olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/0
 +</code>
 +
 +
 +==== schemas ====
 +
 +ajouts de schemas via slapd.conf et conversion en dynamique cn=config
 +
 +<code>
 +include         /usr/local/openldap/etc/openldap/schema/corba.schema
 +include         /usr/local/openldap/etc/openldap/schema/cosine.schema
 +include         /usr/local/openldap/etc/openldap/schema/duaconf.schema
 +include         /usr/local/openldap/etc/openldap/schema/dyngroup.schema
 +include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
 +include         /usr/local/openldap/etc/openldap/schema/java.schema
 +include         /usr/local/openldap/etc/openldap/schema/misc.schema
 +include         /usr/local/openldap/etc/openldap/schema/nis.schema
 +include         /usr/local/openldap/etc/openldap/schema/openldap.schema
 +include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
 +include         /usr/local/openldap/etc/openldap/schema/collective.schema
 +include         /usr/local/openldap/etc/openldap/schema/supann-2019-02-05.schema
 +include         /usr/local/openldap/etc/openldap/schema/eduperson-200412.schema
 +include         /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
 +include         /usr/local/openldap/etc/openldap/schema/samba.schema
 +include         /usr/local/openldap/etc/openldap/schema/autofs.schema
 +</code>
 +
 +resultat apres stop slapd , conversion via 
 +
 +/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d
 +
 +puis start slapd 
 +
 +<code>
 +
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -b "cn=schema,cn=config" -s one -Q -LLL dn
 +dn: cn={0}core,cn=schema,cn=config
 +dn: cn={1}corba,cn=schema,cn=config
 +dn: cn={2}cosine,cn=schema,cn=config
 +dn: cn={3}duaconf,cn=schema,cn=config
 +dn: cn={4}dyngroup,cn=schema,cn=config
 +dn: cn={5}inetorgperson,cn=schema,cn=config
 +dn: cn={6}java,cn=schema,cn=config
 +dn: cn={7}misc,cn=schema,cn=config
 +dn: cn={8}nis,cn=schema,cn=config
 +dn: cn={9}openldap,cn=schema,cn=config
 +dn: cn={10}ppolicy,cn=schema,cn=config
 +dn: cn={11}collective,cn=schema,cn=config
 +dn: cn={12}supann-2019-02-05,cn=schema,cn=config
 +dn: cn={13}eduperson-200412,cn=schema,cn=config
 +dn: cn={14}schac-20090326-1,cn=schema,cn=config
 +dn: cn={15}samba,cn=schema,cn=config
 +dn: cn={16}autofs,cn=schema,cn=config
 +</code>
 +
 +==== mdb racine tree ====
 +
 +Fichier ldif racine de l'arborescence
 +
 +
 +<code>
 +# cat /root/Ldifs/root-tree-int.ldif
 +dn: dc=int,dc=fr
 +dc: int
 +objectClass: top
 +objectClass: domain
 +objectClass: domainRelatedObject
 +associatedDomain: int.fr
 +</code>
 +
 +=== ldapadd racine ===
 +
 +<code>
 +[root@ldap8 openldap]# ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -f /root/Ldifs/root-tree-int.ldif 
 +SASL/EXTERNAL authentication started
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 +SASL SSF: 0
 +adding new entry "dc=int,dc=fr"
 +</code>
 +
 +
 +
 +===== import initial / restore =====
 +
 +s'il s'agit d'une migration, il est necessaire de recuperer un contenu d'annuaire existant, depuis un export ldif de l'existant, on import ce dernier dans notre nouvelle instance, pas besoin de la racine ci-dessus qui au contraire va genrer un conflit si deja existancte (sinon la retirer du ldif d'import ) 
 +
 +==== reconstruction de base ====
 +
 +on part de rien et on reconstruit tout notre annauire a base d'un script (utile si operation repetée) 
 +
 +vider les fichiers DB apres avoir arreter slapd  :!: ceci detruit tout l'annuaire :!:  : 
 +
 +<code>
 +[root@ldap8 var]# systemctl stop slapd.service 
 +
 +[root@ldap8 var]# rm openldap-data/*
 +rm : supprimer 'openldap-data/data.mdb' du type fichier ? y
 +rm : supprimer 'openldap-data/lock.mdb' du type fichier ? y
 +</code>
 +
 +reconstruction de la configuration dynamique (OLC) depuis un slapd.conf
 +
 +<code>
 +[root@ldap8 openldap]# ./olcgene.sh 
 +5e2af9bf /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
 +config file testing succeeded
 +Job for slapd.service failed because the control process exited with error code.
 +See "systemctl status slapd.service" and "journalctl -xe" for details.
 +</code>
 +
 +<code>
 +[root@ldap8 openldap]# time /usr/local/openldap/sbin/slapadd -l /root/jour-2020-01-21.ldif -f /usr/local/openldap/etc/openldap/slapd.conf -b "dc=int,dc=fr" 
 +5e2af79d /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
 +.#################### 100.00% eta   none elapsed             08s spd  20.1 M/s 
 +Closing DB...
 +
 +real 0m8,837s
 +user 0m2,902s
 +sys 0m4,095s
 +[root@ldap8 openldap]# 
 +</code>
 +==== admin de config ====
 +
 +creation d'un compte administrateur de configuration independant le la database d'exemple
 +
 +  * ref: https://gos.si/blog/installing-openldap-on-debian-squeeze-with-olc/
 +
 +passage par slapd.conf
 +
 +<code>
 +database config
 +rootdn          "cn=admin,cn=config"
 +# Cleartext passwords, especially for the rootdn, should
 +# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
 +# Use of strong authentication encouraged.
 +rootpw          {SSHA}SECRETZzjM1yPZj30m9vSECRET
 +</code>
docpublic/systemes/ldap/ldapc8.1578677620.txt.gz · Last modified: 2020/01/10 17:33 by procacci@tem-tsp.eu
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0