docpublic:systemes:ldap:ldapolc [2017/04/02 09:54]
procacci@tem-tsp.eu [schema conversion to ldif]
docpublic:systemes:ldap:ldapolc [2017/04/03 20:43] (current)
procacci@tem-tsp.eu [lsc.xml]
Line 1: Line 1:
  
 +
 +
 +===== Annuaire openldap OLC + LSC =====
  
 ===== references ===== ===== references =====
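Review bot: the new title heading `===== Annuaire openldap OLC + LSC =====` is preceded by three added blank lines where one is enough; DokuWiki renders them identically, so trimming them keeps the diff minimal. The existing `===== references =====` heading now sits directly under the title with no introductory sentence, so a one-line statement of what the page covers (OLC configuration of an OpenLDAP directory plus the LSC synchronisation) would help readers who land on it.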
Line 615: Line 618:
 adding new entry "ou=mtp,dc=id,dc=fr" adding new entry "ou=mtp,dc=id,dc=fr"
 adding new entry "ou=people,ou=mtp,dc=id,dc=fr" adding new entry "ou=people,ou=mtp,dc=id,dc=fr"
 +</code>
 +
 +==== ACL specifiques a cette database ====
 +
 +nous donnons des acces bien precis a chaques arboresences et attributs avec anticipation de l'usage d'un user de synchronisation privilegé (acces write pour cn=syncuser cf lsc apres) 
 +
 +Fichier ldif
 +
 +<code>
 +[root@idm ~]# cat olcAccessModId.ldif
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +add: olcAccess
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
 +-
 +add: olcAccess
 +olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
 +-
 +add: olcAccess
 +olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannListeRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,eduPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipale,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPersonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgUnitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supannEtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self read by * none
 +-
 +add: olcAccess
 +olcAccess: {3}to * by * none
 +</code>
 +
 +execution 
 +
 +<code>
 +root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccessModId.ldif 
 +SASL/EXTERNAL authentication started
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 +SASL SSF: 0
 +modifying entry "olcDatabase={1}mdb,cn=config"
 +</code>
 +
 +verification 
 +
 +<code>
 +[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" -LLL  olcAccess
 +SASL/EXTERNAL authentication started
 +SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 +SASL SSF: 0
 +dn: olcDatabase={1}mdb,cn=config
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 + s auth by * none
 +olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN 
 + by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
 +olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannLis
 + teRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description
 + ,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,ed
 + uPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipal
 + e,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPe
 + rsonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgU
 + nitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supann
 + EtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self r
 + ead by * none
 +olcAccess: {3}to * by * none
 +</code>
 +
 +si necessité de detruite une regle, exemple de ldif qui supprime la regle 3 :
 +
 +<code>
 +[root@idm ~]# cat olcAccessDelId.ldif
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +delete: olcAccess
 +olcAccess: {3}
 </code> </code>
 ===== LSC project synchro ===== ===== LSC project synchro =====
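Review bot: rule {1} makes the `by self read` of rule {2} unreachable for the `entry` and `objectclass` attributes. slapd stops at the first `to` clause whose target matches, and a `to` clause with no matching `by` clause denies access, so `{1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=system,dc=id,dc=fr" write` grants syncuser write and everyone else nothing on `entry` for the whole subtree; because reading any entry requires access to its `entry` pseudo-attribute, a user bound as themselves gets no entries back despite {2}. Either drop `entry,objectclass` from {1} and keep them only in {2} (where syncuser already has write), or add `by self read` to {1}. Smaller points in the same ldif: `description` appears twice in the {2} attribute list; nothing in {0} grants syncuser access to `userPassword`, which is fine if LSC is not expected to synchronise passwords but deserves a sentence saying so; and the prompt on the `ldapmodify` line in the execution block is missing its opening `[`.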
Line 668: Line 738:
  
 Ici , on fait une exclusion des objectclass et attributs non indispensables a un annuaire pages blanches via le <dataset> objectclass :  Ici , on fait une exclusion des objectclass et attributs non indispensables a un annuaire pages blanches via le <dataset> objectclass : 
 +
 +=== compte de synchro ===
 +
 +on crée un compte qui pourra réaliser les synchro (acces en ecriture sur les sous-branches) 
 +
 +<code>
 +[root@idm ~]# cat syncuser.ldif
 +dn: cn=syncuser,ou=system,dc=id,dc=fr
 +objectclass: inetOrgPerson
 +cn: syncuser
 +sn: sync 
 +uid: syncuser
 +userpassword: {SSHA}l4UjRTkoPJ3IBE95paVKB8Rk8s530bBO
 +ou: system
 +
 +[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f syncuser.ldif
 +Enter LDAP Password: 
 +adding new entry "cn=syncuser,ou=system,dc=id,dc=fr"
 +</code>
 +
 +si perte de mot de passe et necessité de refaire l'entrée => ldapdelete :
 +
 +<code>
 +
 +[root@idm ~]#  ldapdelete -H ldap://idm.tem-tsp.eu -D "cn=admin,dc=id,dc=fr" -W -x  cn=syncuser,ou=system,dc=id,dc=fr
 +Enter LDAP Password: 
 +</code>
  
 === creation du repertoire de travail === === creation du repertoire de travail ===
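Review bot: syncuser.ldif in this hunk publishes `userPassword: {SSHA}l4UjRTkoPJ3IBE95paVKB8Rk8s530bBO` for an account that the ACL hunk above grants write access over the whole `dc=id,dc=fr` subtree; a salted-SHA hash on a public wiki page can be attacked offline, so replace it with a placeholder in the documentation and, if this is the value actually in production, change the password. On the recovery paragraph: a lost password does not require `ldapdelete` and re-creation of the entry; `ldappasswd -x -D "cn=admin,dc=id,dc=fr" -W -S cn=syncuser,ou=system,dc=id,dc=fr` sets a new password in place, which keeps the DN and anything referencing it intact.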
Line 678: Line 775:
 [root@idm lsc]# cp lsc.xml ldap-mte2id [root@idm lsc]# cp lsc.xml ldap-mte2id
 [root@idm lsc]# cd ldap-mte2id [root@idm lsc]# cd ldap-mte2id
 +</code>
 +
 +==== lsc logic ====
 +
 +https://lsc-project.org/documentation/2.1/basics
 +
 +==== lsc.xml ====
 +
 +exemple de configuration d'une synchro ldap 2 ldap 
 +
 +{{:docpublic:systemes:ldap:lsc.xml|}}
 +
 +
 +==== execution lsc ====
 +
 +<code>
 +[root@idm ldap-mte2id]# lsc -s user --config /etc/lsc/ldap-mte2id/
 +20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
 +20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldap-mte2id/logback.xml]
 +20:27:22,074 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
 +...
 +avr. 03 20:27:22 - INFO  - Reflections took 68 ms to scan 1 urls, producing 56 keys and 117 values 
 +avr. 03 20:27:22 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap-mte2id/logback.xml 
 +avr. 03 20:27:22 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap-mte2id/
 +avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://localhost:389/dc=id,dc=fr as cn=syncid,ou=system,dc=idm,dc=fr
 +avr. 03 20:27:22 - INFO  - Connecting to LDAP server ldap://ldapmte.idm.fr:389/dc=mte,dc=fr as cn=syncuser,ou=System,dc=mte,dc=fr
 +avr. 03 20:27:22 - INFO  - Starting sync for user
 +avr. 03 20:27:24 - INFO  - # Adding new object eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr for user
 +# Mon Apr 03 20:27:24 UTC 2017
 +dn: eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr
 +changetype: add
 +supannListeRouge: FALSE
 +...
 +objectClass: top
 +objectClass: person
 +objectClass: inetOrgPerson
 +objectClass: supannPerson
 +objectClass: eduPerson
 +objectClass: organizationalPerson
 +objectClass: labeledURIObject
 +supanncivilite: M.
 +...
 +sn: PROC
 +
 +avr. 03 20:27:24 - INFO  - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
 +</code>
 +
 +log ldap associés
 +
 +<code>
 +Apr  3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
 +Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
 +Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
 +Apr  3 20:27:22 idm slapd[4786]: conn=1207 op=0 RESULT tag=97 err=0 text=
 +Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH base="ou=people,ou=mte,dc=id,dc=fr" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(eduPersonPrincipalName=proc@tm-tp.eu))"
 +Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH attr=description cn sn userPassword objectClass uid mail departmentNumber employeeType givenName telephoneNumber mobile LabeledURI postalAddress title jpegphoto edupersonAffiliation eduPersonPrincipalName supanncivilite supannListeRouge supannEntiteAffectation
 +Apr  3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
 +Apr  3 20:27:23 idm slapd[4786]: conn=1207 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
 +Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 ADD dn="eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr"
 +Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=2 RESULT tag=105 err=0 text=
 +Apr  3 20:27:24 idm slapd[4786]: conn=1207 op=3 UNBIND
 +Apr  3 20:27:24 idm slapd[4786]: conn=1207 fd=25 closed
 </code> </code>
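Review bot: the LSC output and the slapd log in this hunk do not describe the same run: LSC reports binding to `ldap://localhost:389/dc=id,dc=fr` as `cn=syncid,ou=system,dc=idm,dc=fr`, while slapd records `BIND dn="cn=syncuser,ou=system,dc=id,dc=fr"`, the DN created in the previous hunk and named in the ACLs; paste a consistent capture, otherwise readers who copy the attached lsc.xml may bind as a DN the ACLs do not know. Two further points visible in the logs: `<= mdb_equality_candidates: (eduPersonPrincipalName) not indexed` means every LSC lookup by eduPersonPrincipalName scans the database, so add `olcDbIndex: eduPersonPrincipalName eq` to the `olcDatabase={1}mdb,cn=config` entry; and the remote source is a plain `ldap://ldapmte.idm.fr:389` URL, so unless the lsc.xml attachment enables StartTLS, the `cn=syncuser,ou=System,dc=mte,dc=fr` password crosses the network in cleartext on each run.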
docpublic/systemes/ldap/ldapolc.1491126866.txt.gz · Last modified: 2017/04/02 09:54 by procacci@tem-tsp.eu