Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:ldap:ldapolc [2017/04/02 08:34]
procacci@tem-tsp.eu [integration de l'arboresence racine]
+++ docpublic:systemes:ldap:ldapolc [2017/04/03 20:43] (current)
procacci@tem-tsp.eu [lsc.xml]
@@ Line 1: / Line 1: @@
+===== Annuaire openldap OLC + LSC =====
 ===== references =====
@@ Line 130: / Line 133: @@
 </code>
+==== conversion de schema en ldif ====
+quand on ne dispose pas de la definition ldif du schema il faut le generer , cf
+  * https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
+  * http://richard.brunooo.fr/logiciels/?doc=Openldap
+<code>
+[root@idm schema]# cat schema_conv.conf
+include ./core.schema
+include ./eduperson-200412.schema
+include ./schac-20090326-1.4.0.schema
+include ./supann_2009.schema
+</code>
+bien que deja disponible en ldif, on a integré "core.schema" car il contient le défition de telephoneNumber utilisé dans supann_2009 .
+<code>
+[root@idm schema]# slaptest -f ./schema_conv.conf -F /tmp/ldif
+[root@idm schema]# ls /tmp/ldif/cn\=config/cn\=schema
+cn={0}core.ldif              cn={1}eduperson-200412.ldif  cn={2}schac-20090326-1.ldif
+cn={0}eduperson-200412.ldif  cn={1}schac-20090326-1.ldif  cn={3}supann_2009.ldif
+</code>
+on edit dans le repertoire temporaire le fichier ldif du schema a integrer en ajoutant cn=schema,cn=config sur la premiere ligne du dn + retrait du numero d'ordre {0} , idem dans l'attribut cn
+exemple :
+<code>
+dn: cn=schac-20090326-1,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schac-20090326-1
+</code>
+et on retire tous les attributs operationnels en fin de fichier (structuralObjectClass: entryUUID *Timestamp ...)
+il ne reste plus qu'a recopier ce fichier modifié dans l'arborescence des schema et l'integré a la config .
+<code>
+cp /tmp/ldif/cn\=config/cn\=schema/cn\=\{1\}schac-20090326-1.ldif /etc/openldap/schema/
+[root@idm cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cn\=\{1\}schac-20090326-1.ldif
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "cn=schac-20090326-1,cn=schema,cn=config"
+</code>
+puis idem avec nis.ldif, inetorgperson.ldif, misc.ldif, supann_2009.ldif, schac-20090326-1.ldif, eduperson-200412.ldif
+<code>
+[root@idm cn=schema]#  ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
+dn: cn={0}core,cn=schema,cn=config
+dn: cn={1}cosine,cn=schema,cn=config
+dn: cn={2}nis,cn=schema,cn=config
+dn: cn={3}misc,cn=schema,cn=config
+dn: cn={4}ppolicy,cn=schema,cn=config
+dn: cn={5}inetorgperson,cn=schema,cn=config
+dn: cn={6}supann_2009,cn=schema,cn=config
+dn: cn={7}eduperson-200412,cn=schema,cn=config
+dn: cn={8}schac-20090326-1,cn=schema,cn=config
+</code>
 ==== databases ====
@@ Line 507: / Line 575: @@
 </code>
+==== integration des branches ====
+creation de sous branches de notre annuaire , system, mte, mte avec des ou=people dessous:
+<code>
+[root@idm ~]# cat system-idm-ous.ldif.wiki
+dn: ou=system,dc=id,dc=fr
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: system
+dn: ou=mte,dc=id,dc=fr
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: dsi-mte
+dn: ou=people,ou=mte,dc=id,dc=fr
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: people
+dn: ou=mtp,dc=id,dc=fr
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: dsi-mtp
+dn: ou=people,ou=mtp,dc=id,dc=fr
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: people
+[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f system-idm-ous.ldif
+Enter LDAP Password:
+adding new entry "ou=system,dc=id,dc=fr"
+adding new entry "ou=mte,dc=id,dc=fr"
+adding new entry "ou=people,ou=mte,dc=id,dc=fr"
+adding new entry "ou=mtp,dc=id,dc=fr"
+adding new entry "ou=people,ou=mtp,dc=id,dc=fr"
+</code>
+==== ACL specifiques a cette database ====
+nous donnons des acces bien precis a chaques arboresences et attributs avec anticipation de l'usage d'un user de synchronisation privilegé (acces write pour cn=syncuser cf lsc apres)
+Fichier ldif
+<code>
+[root@idm ~]# cat olcAccessModId.ldif
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
+-
+add: olcAccess
+olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
+-
+add: olcAccess
+olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannListeRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,eduPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipale,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPersonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgUnitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supannEtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self read by * none
+-
+add: olcAccess
+olcAccess: {3}to * by * none
+</code>
+execution
+<code>
+root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccessModId.ldif
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "olcDatabase={1}mdb,cn=config"
+</code>
+verification
+<code>
+[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" -LLL  olcAccess
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+dn: olcDatabase={1}mdb,cn=config
+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
+ s auth by * none
+olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN
+ by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
+olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannLis
+ teRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description
+ ,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,ed
+ uPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipal
+ e,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPe
+ rsonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgU
+ nitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supann
+ EtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self r
+ ead by * none
+olcAccess: {3}to * by * none
+</code>
+si necessité de detruite une regle, exemple de ldif qui supprime la regle 3 :
+<code>
+[root@idm ~]# cat olcAccessDelId.ldif
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcAccess
+olcAccess: {3}
+</code>
 ===== LSC project synchro =====
+==== installation et bases ====
 definition du repository pour installation via yum
@@ Line 537: / Line 717: @@
 Installé :
   lsc.noarch 0:2.1.4-0.el5
 Terminé !
 </code>
@@ Line 548: / Line 726: @@
 [root@idm ~]# rpm -q java-1.8.0-openjdk
 java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64
 [root@idm ~]# java -version
@@ Line 556: / Line 733: @@
 </code>
+==== Config LSC synchro ldap2ldap ====
+le principe ici est de synchroniser des annuaires ldap vers un annuaire mutualisé assurant la fusion des annuaires d'etablissements dans des sous branches propres a l'etablissement .
+Ici , on fait une exclusion des objectclass et attributs non indispensables a un annuaire pages blanches via le <dataset> objectclass :
+=== compte de synchro ===
+on crée un compte qui pourra réaliser les synchro (acces en ecriture sur les sous-branches)
+<code>
+[root@idm ~]# cat syncuser.ldif
+dn: cn=syncuser,ou=system,dc=id,dc=fr
+objectclass: inetOrgPerson
+cn: syncuser
+sn: sync
+uid: syncuser
+userpassword: {SSHA}l4UjRTkoPJ3IBE95paVKB8Rk8s530bBO
+ou: system
+[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f syncuser.ldif
+Enter LDAP Password:
+adding new entry "cn=syncuser,ou=system,dc=id,dc=fr"
+</code>
+si perte de mot de passe et necessité de refaire l'entrée => ldapdelete :
+<code>
+[root@idm ~]#  ldapdelete -H ldap://idm.tem-tsp.eu -D "cn=admin,dc=id,dc=fr" -W -x  cn=syncuser,ou=system,dc=id,dc=fr
+Enter LDAP Password:
+</code>
+=== creation du repertoire de travail ===
+nous allons creer une arborescence de travail par entité a integrer , exempk;e ici l'entite mte
+<code>
+[root@idm ~]# cd /etc/lsc/
+[root@idm lsc]# mkdir ldap-mte2id
+[root@idm lsc]# cp lsc.xml ldap-mte2id
+[root@idm lsc]# cd ldap-mte2id
+</code>
+==== lsc logic ====
+https://lsc-project.org/documentation/2.1/basics
+==== lsc.xml ====
+exemple de configuration d'une synchro ldap 2 ldap
+{{:docpublic:systemes:ldap:lsc.xml|}}
+==== execution lsc ====
+<code>
+[root@idm ldap-mte2id]# lsc -s user --config /etc/lsc/ldap-mte2id/
+:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
+:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldap-mte2id/logback.xml]
+:27:22,074 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
+...
+avr. 03 20:27:22 - INFO  - Reflections took 68 ms to scan 1 urls, producing 56 keys and 117 values
+avr. 03 20:27:22 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap-mte2id/logback.xml
+avr. 03 20:27:22 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap-mte2id/
+avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://localhost:389/dc=id,dc=fr as cn=syncid,ou=system,dc=idm,dc=fr
+avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://ldapmte.idm.fr:389/dc=mte,dc=fr as cn=syncuser,ou=System,dc=mte,dc=fr
+avr. 03 20:27:22 - INFO  - Starting sync for user
+avr. 03 20:27:24 - INFO  - # Adding new object eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr for user
+# Mon Apr 03 20:27:24 UTC 2017
+dn: eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr
+changetype: add
+supannListeRouge: FALSE
+...
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: supannPerson
+objectClass: eduPerson
+objectClass: organizationalPerson
+objectClass: labeledURIObject
+supanncivilite: M.
+...
+sn: PROC
+avr. 03 20:27:24 - INFO  - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
+</code>
+log ldap associés
+<code>
+Apr  3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
+Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
+Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
+Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 RESULT tag=97 err=0 text=
+Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH base="ou=people,ou=mte,dc=id,dc=fr" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(eduPersonPrincipalName=proc@tm-tp.eu))"
+Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH attr=description cn sn userPassword objectClass uid mail departmentNumber employeeType givenName telephoneNumber mobile LabeledURI postalAddress title jpegphoto edupersonAffiliation eduPersonPrincipalName supanncivilite supannListeRouge supannEntiteAffectation
+Apr  3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
+Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
+Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 ADD dn="eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr"
+Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 RESULT tag=105 err=0 text=
+Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=3 UNBIND
+Apr  3 20:27:24 idm slapd[4786]: conn=1207 fd=25 closed
+</code>

docpublic/systemes/ldap/ldapolc.1491122092.txt.gz · Last modified: 2017/04/02 08:34 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top