===== OpenLDAP on CentOS 8 =====
==== Context ====
Red Hat (RHEL 8) no longer ships openldap-servers:
* https://access.redhat.com/solutions/2440481
==== el8 openldap-servers packages ====
* https://www.worteks.com/fr/2019/06/07/paquets-openldap-ltb-pour-redhat-entreprise-linux-8/
* https://ltb-project.org/documentation/openldap-rpm
==== Reference docs ====
* https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks
==== LTB openldap-servers repo ====
vi /etc/yum.repos.d/ltb-project.repo
[root@ldapex ~]# cat /etc/yum.repos.d/ltb-project.repo
[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
[root@ldapex ~]# yum update
LTB project packages 37 kB/s | 40 kB 00:01
[root@ldapex ~]# rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
==== Install ====
[root@ldapex ~]# yum install openldap-ltb
Dernière vérification de l’expiration des métadonnées effectuée il y a 0:01:34 le jeu. 09 janv. 2020 21:40:13 CET.
Dépendances résolues.
===================================================================================================================================
Paquet Architecture Version Dépôt Taille
===================================================================================================================================
Installing:
openldap-ltb x86_64 2.4.48-2.el8 ltb-project 2.9 M
Installation des dépendances:
libtool-ltdl x86_64 2.4.6-25.el8 BaseOS 58 k
berkeleydb-ltb x86_64 4.6.21.NC-4.el8.patch4 ltb-project 5.7 M
Résumé de la transaction
===================================================================================================================================
Installer 3 Paquets
Taille totale des téléchargements : 8.6 M
Taille des paquets installés : 38 M
Installé:
openldap-ltb-2.4.48-2.el8.x86_64 libtool-ltdl-2.4.6-25.el8.x86_64 berkeleydb-ltb-4.6.21.NC-4.el8.patch4.x86_64
The entire openldap-servers installation lives under /usr/local/openldap!
==== Initial state ====
[root@ldapex ~]# systemctl status slapd.service
● slapd.service - OpenLDAP LTB startup script
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: https://ltb-project.org/documentation
===== Dynamic OLC configuration =====
https://ltb-project.org/documentation/general/migrate_slapd_conf_cn_config
[root@ldapfr8 ~]# mkdir /usr/local/openldap/etc/openldap/slapd.d
[root@ldapfr8 ~]# cp /usr/local/openldap/etc/openldap/slapd.conf /usr/local/openldap/etc/openldap/slapd.conf.dist
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# ls -l /usr/local/openldap/var/openldap-data
-rw-r--r-- 1 ldap ldap 924 29 août 20:52 DB_CONFIG
-rw------- 1 ldap ldap 845 29 août 20:52 DB_CONFIG.example
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd.conf
[root@ldapfr8 ~]# slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d -d 256
5e1796ed mdb_db_open: database "dc=int,dc=fr" cannot be opened: No such file or directory (2). Restore from backup!
5e1796ed backend_startup_one (type=mdb, suffix="dc=int,dc=fr"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@ldapfr8 ~]# chown -R ldap.ldap /usr/local/openldap/etc/openldap/slapd.d
==== cn=config access ====
Access to cn=config must be declared explicitly, otherwise peercred authentication (-Y EXTERNAL) over ldapi does not work:
https://serverfault.com/questions/938235/openldap-cn-config-no-such-object-32
So slapd.conf must grant the local root system account, gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, access to cn=config,
and while at it we also declare the monitor database for future monitoring.
## JP enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * read
##JP enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact=cn=manager,dc=int,dc=fr read
by * none
Resulting OLC layout:
[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config
total 108
-rw------- 1 ldap ldap 86116 10 janv. 18:28 'cn=schema.ldif'
drwxr-x--- 2 ldap ldap 4096 10 janv. 18:28 'cn=schema'
-rw------- 1 ldap ldap 689 10 janv. 18:28 'olcDatabase={2}monitor.ldif'
-rw------- 1 ldap ldap 846 10 janv. 18:28 'olcDatabase={1}mdb.ldif'
-rw------- 1 ldap ldap 596 10 janv. 18:28 'olcDatabase={-1}frontend.ldif'
-rw------- 1 ldap ldap 663 10 janv. 18:28 'olcDatabase={0}config.ldif'
Update the configuration path in /usr/local/openldap/etc/openldap/slapd-cli.conf:
[root@ldapfr8 ~]# vim /usr/local/openldap/etc/openldap/slapd-cli.conf
[root@ldapfr8 ~]# grep SLAPD_CONF_DIR /usr/local/openldap/etc/openldap/slapd-cli.conf
SLAPD_CONF_DIR="$SLAPD_PATH/etc/openldap/slapd.d"
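Before running slaptest, it is worth checking that the slapd.conf actually contains the cn=config ACL described above, since without it the converted configuration is unreachable over ldapi. The following script is an added example, not the page's own tooling: config_acl_status() inspects only the ''database config'' stanza, reports ''world'' when cn=config is also readable ''by *'' (as the fragment above allows), and convert_to_olc() then converts into an empty slapd.d using the LTB paths shown on this page.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight check of slapd.conf before
# converting it to cn=config, then the conversion itself (LTB layout assumed).
PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# config_acl_status CONF -> prints one word:
#   missing  no "database config" stanza grants the root peercred DN "manage"
#   world    peercred DN is granted, but cn=config is also "by * read" (or more)
#   ok       peercred DN granted and no "by *" rule other than none
# Only rules inside the "database config" stanza are considered.
config_acl_status() {
    awk -v dn="$PEERCRED_DN" '
        /^[ \t]*database[ \t]+/ { db = $2 }
        db == "config" && index($0, "dn.exact=\"" dn "\"") && /[ \t]manage[ \t]*$/ { granted = 1 }
        db == "config" && /by[ \t]+\*[ \t]+(read|write|auth|compare|search)/   { world = 1 }
        END {
            if (!granted) print "missing"
            else if (world) print "world"
            else print "ok"
        }' "$1"
}

# convert_to_olc CONF SLAPD_D : generate the cn=config directory from CONF.
# -u skips opening the databases, so it also works before data.mdb exists
# (the "mdb_db_open ... Restore from backup!" error seen on this page).
# Refuses a non-empty SLAPD_D: slaptest would otherwise pick up the old
# directory contents instead of converting CONF.
convert_to_olc() {
    conf="$1"; slapd_d="$2"
    case "$(config_acl_status "$conf")" in
        missing) echo "refusing: no manage ACL for $PEERCRED_DN in 'database config'" >&2; return 1 ;;
        world)   echo "warning: cn=config is readable by every client (by * read)" >&2 ;;
    esac
    mkdir -p "$slapd_d"
    if [ -n "$(ls -A "$slapd_d" 2>/dev/null)" ]; then
        echo "refusing: $slapd_d is not empty" >&2; return 1
    fi
    /usr/local/openldap/sbin/slaptest -u -f "$conf" -F "$slapd_d" &&
        chown -R ldap:ldap "$slapd_d"
}

# Only convert when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--convert" ]; then
    convert_to_olc /usr/local/openldap/etc/openldap/slapd.conf \
                   /usr/local/openldap/etc/openldap/slapd.d
fi
```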
==== First start ====
[root@ldapfr8 ~]# systemctl start slapd.service
[root@ldapfr8 ~]# systemctl status slapd.service
● slapd.service - OpenLDAP LTB startup script
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-01-09 22:19:11 CET; 2s ago
Docs: https://ltb-project.org/documentation
Process: 922 ExecStart=/usr/local/openldap/sbin/slapd-cli start (code=exited, status=0/SUCCESS)
Main PID: 954 (slapd)
Tasks: 2 (limit: 26213)
Memory: 5.0M
CGroup: /system.slice/slapd.service
└─954 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/loca>
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configura>
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Create LDAPI socket dir /var/run/slapd
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP configuration test...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP configuration test successful
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] No db_recover done
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [INFO] Launching OpenLDAP...
janv. 09 22:19:10 ldapfr8 slapd-cli[922]: slapd-cli: [OK] File descriptor limit set to 1024
janv. 09 22:19:10 ldapfr8 slapd[953]: @(#) $OpenLDAP: slapd 2.4.48 (Aug 29 2019 14:52:08) $
clement@kptn-rhel8.example.com:/home/clement/build/BUILD/openldap-2.4.48/servers/>
janv. 09 22:19:11 ldapfr8 slapd-cli[922]: slapd-cli: [OK] OpenLDAP started
janv. 09 22:19:11 ldapfr8 systemd[1]: Started OpenLDAP LTB startup script.
The mdb database files:
[root@ldapfr8 ~]# ls -ltr /usr/local/openldap/var/openldap-data
total 24
-rw------- 1 ldap ldap 845 29 août 20:52 DB_CONFIG.example
-rw-r--r-- 1 ldap ldap 924 29 août 20:52 DB_CONFIG
-rw------- 1 ldap ldap 8192 9 janv. 22:19 lock.mdb
-rw------- 1 ldap ldap 12288 9 janv. 22:19 data.mdb
==== Initial configuration ====
Only the core schema is loaded by default:
[root@ldap8 ~]# ls -ltr /usr/local/openldap/etc/openldap/slapd.d/cn\=config/cn\=schema
total 16
-rw------- 1 ldap ldap 15546 10 janv. 12:21 'cn={0}core.ldif'
The root DSE does list our initial MDB database as a naming context:
[root@ldap8 ~]# ldapsearch -H ldap:// -x -s base -b "" -LLL "+"
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=int,dc=fr
monitorContext: cn=Monitor
...
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
Querying the base configuration context cn=config over a SASL bind (-Y) on the Unix socket (ldapi), displaying only the DNs (no attributes; drop the trailing dn to see the details).
:!: here ldapi listens on the socket ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi, see slapd-cli.conf and the ps auwx output below :!:
[root@ldap8 openldap]# ps auwx | grep slapd
ldap 1971 0.0 0.8 1281088 4268 ? Ssl 18:28 0:00 /usr/local/openldap/libexec/slapd -h ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
root 1983 0.0 0.1 221840 716 pts/0 S+ 18:34 0:00 grep --color=auto slapd
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}monitor,cn=config
=== Global parameters ===
Global parameters of the OpenLDAP service, applying to all sub-contexts / DITs:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" -LLL -Q -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0
=== LDAP admin account ===
The default LDAP admin account:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=int,dc=fr
olcRootDN: cn=manager,dc=int,dc=fr
olcRootPW: {SSHA}SECRETSEZzjM1yPZj30m9vsRSECRET/0
==== Schemas ====
Adding schemas through slapd.conf and converting them to the dynamic cn=config:
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/duaconf.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/java.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap/etc/openldap/schema/collective.schema
include /usr/local/openldap/etc/openldap/schema/supann-2019-02-05.schema
include /usr/local/openldap/etc/openldap/schema/eduperson-200412.schema
include /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
include /usr/local/openldap/etc/openldap/schema/autofs.schema
Result after stopping slapd, converting with
/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d
and starting slapd again:
[root@ldap8 openldap]# ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}corba,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: cn={12}supann-2019-02-05,cn=schema,cn=config
dn: cn={13}eduperson-200412,cn=schema,cn=config
dn: cn={14}schac-20090326-1,cn=schema,cn=config
dn: cn={15}samba,cn=schema,cn=config
dn: cn={16}autofs,cn=schema,cn=config
==== mdb root of the tree ====
LDIF file for the root of the tree:
# cat /root/Ldifs/root-tree-int.ldif
dn: dc=int,dc=fr
dc: int
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: int.fr
=== ldapadd the root ===
[root@ldap8 openldap]# ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL -f /root/Ldifs/root-tree-int.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=int,dc=fr"
===== Initial import / restore =====
For a migration, the existing directory content has to be recovered from an LDIF export of the old instance and imported into the new one. The root entry above is then not needed; on the contrary, it will cause a conflict if it already exists (otherwise remove it from the import LDIF).
==== Rebuilding from scratch ====
Starting from nothing, rebuild the whole directory with a script (useful when the operation is repeated).
Empty the DB files after stopping slapd :!: this destroys the whole directory :!: :
[root@ldap8 var]# systemctl stop slapd.service
[root@ldap8 var]# rm openldap-data/*
rm : supprimer 'openldap-data/data.mdb' du type fichier ? y
rm : supprimer 'openldap-data/lock.mdb' du type fichier ? y
Rebuilding the dynamic configuration (OLC) from a slapd.conf:
[root@ldap8 openldap]# ./olcgene.sh
5e2af9bf /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
config file testing succeeded
Job for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.
[root@ldap8 openldap]# time /usr/local/openldap/sbin/slapadd -l /root/jour-2020-01-21.ldif -f /usr/local/openldap/etc/openldap/slapd.conf -b "dc=int,dc=fr"
5e2af79d /usr/local/openldap/etc/openldap/slapd.conf: line 127: rootdn is always granted unlimited privileges.
.#################### 100.00% eta none elapsed 08s spd 20.1 M/s
Closing DB...
real 0m8,837s
user 0m2,902s
sys 0m4,095s
[root@ldap8 openldap]#
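The root-entry conflict mentioned above and the rebuild steps can be scripted. The following is an added example, not the page's olcgene.sh or its import command: ldif_has_dn() and ldif_drop_dn() inspect or strip a single entry from an export (for the case where the root was already added with ldapadd), and rebuild_directory() redoes the stop / wipe / slapadd sequence. It assumes the LTB paths shown on this page and loads with -F slapd.d rather than -f slapd.conf, since the configuration is now held in cn=config; the chown after slapadd is there because slapadd runs as root while slapd runs as ldap.

```shell
#!/bin/sh
# Added example (not from the page): prepare an LDIF export for slapadd and
# rebuild the mdb database from it. Paths follow the LTB layout on this page.
SLAPD_D=/usr/local/openldap/etc/openldap/slapd.d
DATA_DIR=/usr/local/openldap/var/openldap-data
SUFFIX='dc=int,dc=fr'

# ldif_entry_count FILE : number of entries (dn: lines) in the export
ldif_entry_count() { grep -c -i '^dn:' "$1" || true; }

# ldif_has_dn FILE DN : succeeds if an entry with exactly that DN is present
ldif_has_dn() { grep -q -i "^dn: $2\$" "$1"; }

# ldif_drop_dn FILE DN : print FILE without the entry whose DN is DN.
# Export entries are blank-line separated, so awk paragraph mode (RS="")
# sees one entry per record; the DN comparison is case-insensitive.
# Use it when the root entry was already created with ldapadd and the
# export would otherwise add it a second time.
ldif_drop_dn() {
    awk -v dn="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { RS = ""; FS = "\n"; ORS = "\n\n" }
        tolower($1) != "dn: " dn { print }' "$1"
}

# rebuild_directory LDIF : stop slapd, wipe the mdb files, reload the export.
# Refuses an export without the suffix entry: when the database is empty the
# root must come from the export itself (slapadd loads it first).
rebuild_directory() {
    ldif="$1"
    if ! ldif_has_dn "$ldif" "$SUFFIX"; then
        echo "refusing: export lacks root entry $SUFFIX" >&2; return 1
    fi
    echo "importing $(ldif_entry_count "$ldif") entries under $SUFFIX"
    systemctl stop slapd.service
    rm -f "$DATA_DIR"/data.mdb "$DATA_DIR"/lock.mdb
    # slapadd runs as root; slapd runs as ldap, so fix ownership afterwards
    /usr/local/openldap/sbin/slapadd -F "$SLAPD_D" -b "$SUFFIX" -l "$ldif" &&
        chown ldap:ldap "$DATA_DIR"/*.mdb &&
        systemctl start slapd.service
}

# Only rebuild when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--rebuild" ]; then rebuild_directory "$2"; fi
```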
==== Config admin ====
Creating a configuration administrator account independent of the example database.
* ref: https://gos.si/blog/installing-openldap-on-debian-squeeze-with-olc/
Via slapd.conf:
database config
rootdn "cn=admin,cn=config"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}SECRETZzjM1yPZj30m9vSECRET