docpublic:systemes:ldap:ldapc8 [2020/01/10 17:34]
procacci@tem-tsp.eu [contexte]
docpublic:systemes:ldap:ldapc8 [2020/01/24 14:39] (current)
procacci@tem-tsp.eu [reconstruction de base]
Line 208: Line 208:
  
 interrogation du context de configuration de base cn=config via une connexion SASL (-Y) et sur une socket unix (ldapi) avec affichage des DN seulement (pas les attributs, retirer dn pour details) )  interrogation du context de configuration de base cn=config via une connexion SASL (-Y) et sur une socket unix (ldapi) avec affichage des DN seulement (pas les attributs, retirer dn pour details) ) 
 +:!: ldapi ici tourne sous la socket <code>ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi</code> cf slapd-cli.conf et ps auwx ci-dessous :!:
  
 +
 +<code>
 +[root@ldap8 openldap]# ps auwx | grep slapd
 +ldap      1971  0.0  0.8 1281088 4268 ?        Ssl  18:28   0:00 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
 +root      1983  0.0  0.1 221840   716 pts/0    S+   18:34   0:00 grep --color=auto slapd
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q dn
 +dn: cn=config
 +dn: cn=schema,cn=config
 +dn: cn={0}core,cn=schema,cn=config
 +dn: olcDatabase={-1}frontend,cn=config
 +dn: olcDatabase={0}config,cn=config
 +dn: olcDatabase={1}mdb,cn=config
 +dn: olcDatabase={2}monitor,cn=config
 +</code>
 +
 +=== parametres globaux ===
 +
 +parametres globaux du service openldap qui s'appliques a tous les sous contexts / DIT 
 +
 +<code>
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q -s base
 +dn: cn=config
 +objectClass: olcGlobal
 +cn: config
 +olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
 +olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
 +olcArgsFile: /usr/local/openldap/var/run/slapd.args
 +olcAttributeOptions: lang-
 +olcAuthzPolicy: none
 +olcConcurrency: 0
 +olcConnMaxPending: 100
 +olcConnMaxPendingAuth: 1000
 +olcGentleHUP: FALSE
 +olcIdleTimeout: 0
 +olcIndexSubstrIfMaxLen: 4
 +olcIndexSubstrIfMinLen: 2
 +olcIndexSubstrAnyLen: 4
 +olcIndexSubstrAnyStep: 2
 +olcIndexIntLen: 4
 +olcListenerThreads: 1
 +olcLocalSSF: 71
 +olcLogLevel: 0
 +olcPidFile: /usr/local/openldap/var/run/slapd.pid
 +olcReadOnly: FALSE
 +olcReverseLookup: FALSE
 +olcSaslSecProps: noplain,noanonymous
 +olcSockbufMaxIncoming: 262143
 +olcSockbufMaxIncomingAuth: 16777215
 +olcThreads: 16
 +olcTLSCRLCheck: none
 +olcTLSVerifyClient: never
 +olcTLSProtocolMin: 0.0
 +olcToolThreads: 1
 +olcWriteTimeout: 0
 +</code>
 +
 +=== compte ldap admin ===
 +
 +compte admin ldap de base 
 +
 +<code>
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
 +dn: olcDatabase={0}config,cn=config
 +olcRootDN: cn=config
 +
 +dn: olcDatabase={1}mdb,cn=config
 +olcSuffix: dc=int,dc=fr
 +olcRootDN: cn=manager,dc=int,dc=fr
 +olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/0
 +</code>
 +
 +
 +==== schemas ====
 +
 +ajouts de schemas via slapd.conf et conversion en dynamique cn=config
 +
 +<code>
 +include         /usr/local/openldap/etc/openldap/schema/corba.schema
 +include         /usr/local/openldap/etc/openldap/schema/cosine.schema
 +include         /usr/local/openldap/etc/openldap/schema/duaconf.schema
 +include         /usr/local/openldap/etc/openldap/schema/dyngroup.schema
 +include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
 +include         /usr/local/openldap/etc/openldap/schema/java.schema
 +include         /usr/local/openldap/etc/openldap/schema/misc.schema
 +include         /usr/local/openldap/etc/openldap/schema/nis.schema
 +include         /usr/local/openldap/etc/openldap/schema/openldap.schema
 +include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
 +include         /usr/local/openldap/etc/openldap/schema/collective.schema
 +include         /usr/local/openldap/etc/openldap/schema/supann-2019-02-05.schema
 +include         /usr/local/openldap/etc/openldap/schema/eduperson-200412.schema
 +include         /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
 +include         /usr/local/openldap/etc/openldap/schema/samba.schema
 +include         /usr/local/openldap/etc/openldap/schema/autofs.schema
 +</code>
 +
 +resultat apres stop slapd , conversion via 
 +
 +/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d
 +
 +puis start slapd 
 +
 +<code>
 +
 +[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -b "cn=schema,cn=config" -s one -Q -LLL dn
 +dn: cn={0}core,cn=schema,cn=config
 +dn: cn={1}corba,cn=schema,cn=config
 +dn: cn={2}cosine,cn=schema,cn=config
 +dn: cn={3}duaconf,cn=schema,cn=config
 +dn: cn={4}dyngroup,cn=schema,cn=config
 +dn: cn={5}inetorgperson,cn=schema,cn=config
 +dn: cn={6}java,cn=schema,cn=config
 +dn: cn={7}misc,cn=schema,cn=config
 +dn: cn={8}nis,cn=schema,cn=config
 +dn: cn={9}openldap,cn=schema,cn=config
 +dn: cn={10}ppolicy,cn=schema,cn=config
 +dn: cn={11}collective,cn=schema,cn=config
 +dn: cn={12}supann-2019-02-05,cn=schema,cn=config
 +dn: cn={13}eduperson-200412,cn=schema,cn=config
 +dn: cn={14}schac-20090326-1,cn=schema,cn=config
 +dn: cn={15}samba,cn=schema,cn=config
 +dn: cn={16}autofs,cn=schema,cn=config
 +</code>
 +
 +==== mdb racine tree ====
 +
 +Fichier ldif racine de l'arborescence
 +
 +
 +<code>
 +# cat /root/Ldifs/root-tree-int.ldif
 +dn: dc=int,dc=fr
 +dc: int
 +objectClass: top
 +objectClass: domain
 +objectClass: domainRelatedObject
 +associatedDomain: int.fr
 +</code>
 +
 +=== ldapadd racine ===
 +
 +<code>
 +[root@ldap8 openldap]# ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -f /root/Ldifs/root-tree-int.ldif 
 +SASL/EXTERNAL authentication started
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 +SASL SSF: 0
 +adding new entry "dc=int,dc=fr"
 +</code>
 +
 +
 +
 +===== import initial / restore =====
 +
 +s'il s'agit d'une migration, il est necessaire de recuperer un contenu d'annuaire existant, depuis un export ldif de l'existant, on import ce dernier dans notre nouvelle instance, pas besoin de la racine ci-dessus qui au contraire va genrer un conflit si deja existancte (sinon la retirer du ldif d'import ) 
 +
 +==== reconstruction de base ====
 +
 +on part de rien et on reconstruit tout notre annauire a base d'un script (utile si operation repetée) 
 +
 +vider les fichiers DB apres avoir arreter slapd  :!: ceci detruit tout l'annuaire :!:  : 
 +
 +<code>
 +[root@ldap8 var]# systemctl stop slapd.service 
 +
 +[root@ldap8 var]# rm openldap-data/*
 +rm : supprimer 'openldap-data/data.mdb' du type fichier ? y
 +rm : supprimer 'openldap-data/lock.mdb' du type fichier ? y
 +</code>
 +
 +reconstruction de la configuration dynamique (OLC) depuis un slapd.conf
 +
 +<code>
 +[root@ldap8 openldap]# ./olcgene.sh 
 +5e2af9bf /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
 +config file testing succeeded
 +Job for slapd.service failed because the control process exited with error code.
 +See "systemctl status slapd.service" and "journalctl -xe" for details.
 +</code>
 +
 +<code>
 +[root@ldap8 openldap]# time /usr/local/openldap/sbin/slapadd -l /root/jour-2020-01-21.ldif -f /usr/local/openldap/etc/openldap/slapd.conf -b "dc=int,dc=fr" 
 +5e2af79d /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
 +.#################### 100.00% eta   none elapsed             08s spd  20.1 M/s 
 +Closing DB...
 +
 +real 0m8,837s
 +user 0m2,902s
 +sys 0m4,095s
 +[root@ldap8 openldap]# 
 +</code>
 +==== admin de config ====
 +
 +creation d'un compte administrateur de configuration independant le la database d'exemple
 +
 +  * ref: https://gos.si/blog/installing-openldap-on-debian-squeeze-with-olc/
 +
 +passage par slapd.conf
 +
 +<code>
 +database config
 +rootdn          "cn=admin,cn=config"
 +# Cleartext passwords, especially for the rootdn, should
 +# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
 +# Use of strong authentication encouraged.
 +rootpw          {SSHA}SECRETZzjM1yPZj30m9vSECRET
 +</code>