===== OpenLDAP directory: OLC + LSC =====
===== references =====
* https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks
* http://www.openldap.org/doc/admin24/slapdconf2.html
* http://vaab.blog.kal.fr/2010/03/06/how-to-add-a-schema-in-openldap-24/
* https://wiki.debian.org/LDAP/OpenLDAPSetup
* http://www.jouvinio.net/wiki/index.php/OpenLDAP_Installation#Fichier_de_configuration
* http://electron-swamp.blogspot.fr/2014/04/initializing-openldap-database-with.html
* https://www.vincentliefooghe.net/content/openldap-changer-moteur-backend
* http://www.zytrax.com/books/ldap/ch6/slapd-config.html
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/s2-ldap-configuration.html
==== server and client packages ====
yum install openldap-servers openldap-clients
systemctl start slapd.service
===== basic configuration =====
==== directory tree ====
/etc/openldap/slapd.d/ holds the online (dynamic) configuration:
[root@idm ~]# ls -l /etc/openldap/slapd.d/cn\=config
total 24
drwxr-x--- 2 ldap ldap 4096 16 mars 17:29 cn=schema
-rw------- 1 ldap ldap 378 16 mars 17:29 cn=schema.ldif
-rw------- 1 ldap ldap 513 16 mars 17:29 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap 443 16 mars 17:29 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 562 16 mars 17:29 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap 609 16 mars 17:29 olcDatabase={2}hdb.ldif
The LDAP schemas live in /etc/openldap/slapd.d/cn=config/cn=schema/; only core is present by default:
[root@idm ~]# ls -l /etc/openldap/slapd.d/cn\=config/cn\=schema/
total 16
-rw------- 1 ldap ldap 15578 16 mars 17:29 cn={0}core.ldif
==== rootDSE ====
The root entry of the OpenLDAP server:
[root@idm ~]# ldapsearch -H ldap:// -x -s base -b "" -LLL "+"
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
monitorContext: cn=Monitor
namingContexts: dc=my-domain,dc=com
Querying the base configuration context cn=config over a SASL connection (-Y) on the Unix socket (ldapi), showing only the DNs (no attributes; drop the trailing dn to see the details):
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
==== global parameters ====
Global parameters of the OpenLDAP service, which apply to every sub-context / DIT:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
==== ldap admin account ====
The default LDAP admin account:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
==== schemas ====
By default only the "core" schema ships with the CentOS openldap-servers package:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
Adding schemas:
[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
==== converting a schema to ldif ====
When no LDIF definition of the schema is available it has to be generated, see:
* https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
* http://richard.brunooo.fr/logiciels/?doc=Openldap
[root@idm schema]# cat schema_conv.conf
include ./core.schema
include ./eduperson-200412.schema
include ./schac-20090326-1.4.0.schema
include ./supann_2009.schema
Although it is already available as LDIF, "core.schema" is included because it contains the definition of telephoneNumber used by supann_2009.
[root@idm schema]# slaptest -f ./schema_conv.conf -F /tmp/ldif
[root@idm schema]# ls /tmp/ldif/cn\=config/cn\=schema
cn={0}core.ldif cn={1}eduperson-200412.ldif cn={2}schac-20090326-1.ldif
cn={0}eduperson-200412.ldif cn={1}schac-20090326-1.ldif cn={3}supann_2009.ldif
In the temporary directory, edit the LDIF file of the schema to integrate: append cn=schema,cn=config to the dn on the first line and drop the ordering number {0}; do the same in the cn attribute. Example:
dn: cn=schac-20090326-1,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schac-20090326-1
Then remove all the operational attributes at the end of the file (structuralObjectClass, entryUUID, *Timestamp, ...).
All that remains is to copy the modified file into the schema tree and integrate it into the configuration:
cp /tmp/ldif/cn\=config/cn\=schema/cn\=\{1\}schac-20090326-1.ldif /etc/openldap/schema/
[root@idm cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cn\=\{1\}schac-20090326-1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=schac-20090326-1,cn=schema,cn=config"
Then the same with nis.ldif, inetorgperson.ldif, misc.ldif, supann_2009.ldif, schac-20090326-1.ldif and eduperson-200412.ldif:
[root@idm cn=schema]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}misc,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}supann_2009,cn=schema,cn=config
dn: cn={7}eduperson-200412,cn=schema,cn=config
dn: cn={8}schac-20090326-1,cn=schema,cn=config
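The three edits just described are mechanical, so here is an added shell function (example code written for this page, not from the wiki or from OpenLDAP) that applies them with sed: rewrite the dn, drop the {N} prefix from cn, and delete the operational attributes slaptest appends. The sample file it is run on is constructed, with a placeholder OID; the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki or OpenLDAP): apply the manual edits above with sed.
# Input:  a file written by 'slaptest -F /tmp/ldif' under cn=config/cn=schema/,
#         e.g. 'cn={1}schac-20090326-1.ldif'
# Output: a file that ldapadd can load with '-Y EXTERNAL -H ldapi:///'.
clean_schema_ldif() {
    in_file=$1
    out_file=$2
    sed -e 's/^dn: cn={[0-9]*}\(.*\)$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}\(.*\)$/cn: \1/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$in_file" > "$out_file"
}

# Constructed miniature of a slaptest-generated schema file (placeholder OID,
# one folded attribute type); it only exists so the function can run offline.
write_sample_schema() {
    cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={1}sample
objectClass: olcSchemaConfig
cn: {1}sample
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'sampleAttr' DESC 'placeho
 lder attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20170328120000Z
entryCSN: 20170328120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170328120000Z
EOF
}

# Usage on a real file (paths are assumptions):
#   clean_schema_ldif '/tmp/ldif/cn=config/cn=schema/cn={1}schac-20090326-1.ldif' \
#                     /etc/openldap/schema/schac-20090326-1.ldif
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/schac-20090326-1.ldif
```

The comment lines slaptest writes at the top are left in place since ldapadd ignores them; only the dn, the cn and the trailing operational attributes are touched, so a schema that loads after this step is byte-for-byte what slaptest validated.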
==== databases ====
Default list of databases. The frontend database is a pseudo database used to define parameters that apply to all databases (unless overridden).
The special frontend database is always numbered "{-1}" and the config database is always numbered "{0}".
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
The example database:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={2}hdb,cn=config" -LLL -Q -s base
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
Definition of the default root (local user) access to everything:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={0}config,cn=config" -LLL -Q
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" manage by * none
===== ldapvi =====
It is convenient (but risky...) to edit the config directly with ldapvi.
[root@idm ~]# yum install ldapvi
===== config admin =====
Creating a configuration administrator account that is independent of the example database.
ref: https://gos.si/blog/installing-openldap-on-debian-squeeze-with-olc/
==== password ====
Generating a hashed password:
[root@idm ~]# slappasswd
New password: unpassldap
Re-enter new password: unpassldap
{SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii
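To make clear what the {SSHA} value produced above actually holds, here is an added example (written for this page, not part of the original wiki or of OpenLDAP) that rebuilds and verifies such a hash with openssl and base64 alone. The salt is a parameter so that the output is reproducible; slappasswd draws 4 random bytes instead.

```shell
#!/bin/sh
# Added example (not from the wiki): what a slappasswd {SSHA} value contains and
# how to check a clear-text password against it with openssl + base64 only.
#   {SSHA}base64( SHA1(password || salt) || salt )
# The salt is stored in clear after the 20-byte digest, which is what lets any
# verifier (slapd, or this script) recompute the digest and compare.

SSHA_PREFIX='{SSHA}'

# ssha_hash PASSWORD SALT -> prints the {SSHA} string.
# slappasswd picks 4 random bytes for the salt; here it is a parameter so the
# output is reproducible.
ssha_hash() {
    b64=$({ printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } \
          | base64 | tr -d '\n')
    printf '%s%s\n' "$SSHA_PREFIX" "$b64"
}

# ssha_check PASSWORD '{SSHA}...' -> exit 0 if the password matches, 1 otherwise.
ssha_check() {
    case "$2" in
        "$SSHA_PREFIX"*) b64=${2#"$SSHA_PREFIX"} ;;
        *) return 1 ;;
    esac
    # stored digest = first 20 bytes; salt = everything after them.
    # Values are compared as hex (od), because raw bytes are not safe in
    # shell variables; the salt is never turned into a string at all, it is
    # streamed straight from the decoded blob into the digest.
    stored=$(printf '%s' "$b64" | base64 -d 2>/dev/null | head -c 20 | od -An -v -tx1 | tr -d ' \n')
    [ -n "$stored" ] || return 1
    recomputed=$({ printf '%s' "$1"; printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +21; } \
                 | openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
    [ "$stored" = "$recomputed" ]
}
```

Running ssha_check unpassldap '{SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii' checks the value shown above (32 base64 characters: 20 bytes of digest plus a 4-byte salt). Note that {SSHA} is one salted SHA-1, cheap to brute-force offline: an olcRootPW is only as safe as the access rules that keep it out of reach of non-admin binds, which is what the Access ACL section of this page is about.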
==== rootDN ====
[root@idm ~]# cat rootDNConfig.ldif
# uncomment this part, if there is no olcRootDN present
# use replace instead of add, if you want to change the root dn
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii
==== adding the rootDN ====
Adding this entry:
[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f rootDNConfig.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={0}config,cn=config"
Checking our addition:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={0}config,cn=config" -LLL olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}zyYFZtFh6PjWSFykUdrFFjAlRtzf6vii
Checking an LDAP query on the config with our new administrator:
[root@idm ~]# ldapsearch -b cn=config -D cn=admin,cn=config -W olcRootDN=* olcRootDN -LLL
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=Manager,dc=my-domain,dc=com
===== firewall =====
[root@idm ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=389 protocol=tcp log prefix="389" accept'
success
[root@idm ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=636 protocol=tcp log prefix="636" accept'
success
[root@idm ~]# firewall-cmd --reload
success
[root@idm ~]# firewall-cmd --list-all
===== Access ACL =====
By default the access control looks like this:
[root@idm ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" manage by * none
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
So the system user (root, gid=0) has full access to cn=config and to {1}monitor,cn=config, and there is no access control on {2}hdb,cn=config.
Let's open access to our own admin cn=admin,cn=config:
[root@idm ~]# cat olcAdminConfigAccess.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn="cn=admin,cn=config" write by * none
[root@idm ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f olcAdminConfigAccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
Now our cn=admin,cn=config has access to the configuration branch:
[root@idm ~]# ldapsearch -H ldap://idm.int-evry.fr -b cn=config -D cn=admin,cn=config -W olcRootDN=* olcAccess -LLL
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" manage by dn="cn=admin,cn=config" write by * none
dn: olcDatabase={2}hdb,cn=config
==== remote config access ====
ref: https://gauvain.pocentek.net/docs/cn-config-admin/
By default there is no global/remote opening of cn=config; the inheritance from the LDAP frontend database is empty:
[root@idm ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={-1}frontend,cn=config" -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
So it is also possible to add this access globally (frontend = meta-database that the other databases inherit from):
[root@idm ~]# cat olcRemoteFrontendAccess.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn="cn=admin,cn=config" write by * none
[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcRemoteFrontendAccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
==== Apache Directory Studio access ====
Now access with an LDAP browser (Apache Directory Studio here) lets us view the whole thing graphically:
{{:docpublic:systemes:ldap:2017-03-28-apachedirectorystudio-olc-openldap.png?300|}}
==== TLS access ====
To encrypt LDAP exchanges, a certificate (self-signed or from a CA, here Digicert) must be added to the server:
[root@idm ~]# cat olcTLS.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/star_domain_fr.crt

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/star_digicert_domain_fr.key

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/DigiCertCA.crt
[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcTLS.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
Configure the system (CentOS 7 here) so that it starts slapd listening on TLS as well (add "ldaps:"):
[root@idm ~]# grep ldaps /etc/sysconfig/slapd
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
ldapsearch test with STARTTLS (-ZZ):
# ldapsearch -x -LLL -H ldap://idm.domain.fr -ZZ -b cn=config -D cn=admin,cn=config -W
===== MDB database =====
It is now preferable to use an mdb database by default (bdb and hdb are about to be deprecated):
* http://www.openldap.org/pub/hyc/mdm-slides.pdf
* http://www.openldap.org/pub/hyc/mdm-paper.pdf
* https://blogs.mindspew-age.com/2012/06/11/overlays-mdb-openldap-fun/
* http://www.openldap.org/lists/openldap-technical/201312/msg00177.html
==== database definition ====
[root@idm ~]# cat olcMDBdatabase1.ldif
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap/id
olcSuffix: dc=id,dc=fr
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * none
olcLastMod: TRUE
olcMonitoring: TRUE
olcRootDN: cn=admin,dc=id,dc=fr
olcRootPW: {SSHA}GjYMfSqAcBMf3h3A28b08RG1qAckkYT4
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
Preparing the storage directory:
[root@idm ~]# mkdir /var/lib/ldap/id
[root@idm ~]# chown ldap:ldap /var/lib/ldap/id
Creation:
[root@idm ~]# ldapadd -D 'cn=admin,cn=config' -W -x -f olcMDBdatabase1.ldif
Enter LDAP Password:
adding new entry "olcDatabase={1}mdb,cn=config"
Our new database has been integrated:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}monitor,cn=config
dn: olcDatabase={3}hdb,cn=config
[root@idm ~]# ls -ltr /var/lib/ldap/id/
total 16
-rw------- 1 ldap ldap 8192 1 avril 16:57 lock.mdb
-rw------- 1 ldap ldap 12288 1 avril 16:57 data.mdb
==== integrating the root of the tree ====
[root@idm ~]# cat root-id.ldif
# id
dn: dc=id,dc=fr
dc: id
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: id.fr
[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f root-id.ldif
Enter LDAP Password:
adding new entry "dc=id,dc=fr"
Check:
[root@idm ~]# ldapsearch -H ldap://idm.int-evry.fr -b dc=id,dc=fr -D cn=admin,dc=id,dc=fr -W objectclass=* -LLL
Enter LDAP Password:
dn: dc=id,dc=fr
dc: id
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: id.fr
==== integrating the branches ====
Creating sub-branches of our directory: system, mte and mtp, each with an ou=people below it:
[root@idm ~]# cat system-idm-ous.ldif
dn: ou=system,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: system

dn: ou=mte,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: dsi-mte

dn: ou=people,ou=mte,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=mtp,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: dsi-mtp

dn: ou=people,ou=mtp,dc=id,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people
[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f system-idm-ous.ldif
Enter LDAP Password:
adding new entry "ou=system,dc=id,dc=fr"
adding new entry "ou=mte,dc=id,dc=fr"
adding new entry "ou=people,ou=mte,dc=id,dc=fr"
adding new entry "ou=mtp,dc=id,dc=fr"
adding new entry "ou=people,ou=mtp,dc=id,dc=fr"
==== ACLs specific to this database ====
We grant precise access to each subtree and attribute, anticipating the use of a privileged synchronization user (write access for cn=syncuser, see LSC below).
LDIF file:
[root@idm ~]# cat olcAccessModId.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
-
add: olcAccess
olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannListeRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,eduPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipale,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPersonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgUnitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supannEtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self read by * none
-
add: olcAccess
olcAccess: {3}to * by * none
Execution:
[root@idm ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccessModId.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
Check:
[root@idm ~]# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" -LLL olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by * none
olcAccess: {1}to dn.subtree="dc=id,dc=fr" attrs=entry,objectclass,contextCSN
by dn="cn=syncuser,ou=system,dc=id,dc=fr" write
olcAccess: {2}to dn.subtree="dc=id,dc=fr" attrs=cn,sn,uid,jpegphoto,supannLis
teRouge,RoomNumber,postalAddress,LabeledURI,memberuid,member,mail,description
,entry,objectclass,ou,manager,secretary,title,description,mailLocalAddress,ed
uPersonPrimaryOrgUnitDn,eduPersonOrgUnitDn,l,supannEntiteAffectationPrincipal
e,supannCivilite,supannOrganisme,supannAffectation,eduPersonAffiliation,eduPe
rsonPrimaryAffiliation,eduPersonOrgDN,eduPersonOrgUnitDN,eduPersonPrimaryOrgU
nitDN,eduPersonScopedAffiliation,facsimileTelephoneNumber,employeeType,supann
EtuId,employeeNumber by dn="cn=syncuser,ou=system,dc=id,dc=fr" write by self r
ead by * none
olcAccess: {3}to * by * none
If a rule needs to be deleted, here is an example LDIF that removes rule 3:
[root@idm ~]# cat olcAccessDelId.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {3}
===== LSC project synchronization =====
==== installation and basics ====
Defining the repository for installation via yum:
[root@idm ~]# cat /etc/yum.repos.d/lsc-project.repo
[lsc-project]
name=LSC project packages
baseurl=http://lsc-project.org/rpm/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
Importing the key:
[root@idm ~]# rpm --import http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
Installation:
[root@idm ~]# yum install lsc
Taille totale des téléchargements : 32 M
Taille d'installation : 36 M
Is this ok [y/d/N]: y
Installé :
lsc.noarch 0:2.1.4-0.el5
Terminé !
Checking that Java is present:
[root@idm ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64
[root@idm ~]# java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)
==== LSC ldap2ldap synchronization config ====
The idea here is to synchronize LDAP directories into a shared directory that merges the institutions' directories into sub-branches specific to each institution.
Here, object classes and attributes that are not essential to a white-pages directory are excluded via the objectclass:
=== synchronization account ===
We create an account able to run the synchronizations (write access to the sub-branches):
[root@idm ~]# cat syncuser.ldif
dn: cn=syncuser,ou=system,dc=id,dc=fr
objectclass: inetOrgPerson
cn: syncuser
sn: sync
uid: syncuser
userpassword: {SSHA}l4UjRTkoPJ3IBE95paVKB8Rk8s530bBO
ou: system
[root@idm ~]# ldapadd -D 'cn=admin,dc=id,dc=fr' -W -x -f syncuser.ldif
Enter LDAP Password:
adding new entry "cn=syncuser,ou=system,dc=id,dc=fr"
If the password is lost and the entry has to be recreated => ldapdelete:
[root@idm ~]# ldapdelete -H ldap://idm.tem-tsp.eu -D "cn=admin,dc=id,dc=fr" -W -x cn=syncuser,ou=system,dc=id,dc=fr
Enter LDAP Password:
=== creating the working directory ===
We create one working tree per entity to integrate, for example here the entity mte:
[root@idm ~]# cd /etc/lsc/
[root@idm lsc]# mkdir ldap-mte2id
[root@idm lsc]# cp lsc.xml ldap-mte2id
[root@idm lsc]# cd ldap-mte2id
==== lsc logic ====
https://lsc-project.org/documentation/2.1/basics
==== lsc.xml ====
Example configuration of an ldap-to-ldap synchronization:
{{:docpublic:systemes:ldap:lsc.xml|}}
==== running lsc ====
[root@idm ldap-mte2id]# lsc -s user --config /etc/lsc/ldap-mte2id/
20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
20:27:22,073 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldap-mte2id/logback.xml]
20:27:22,074 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
...
avr. 03 20:27:22 - INFO - Reflections took 68 ms to scan 1 urls, producing 56 keys and 117 values
avr. 03 20:27:22 - INFO - Logging configuration successfully loaded from /etc/lsc/ldap-mte2id/logback.xml
avr. 03 20:27:22 - INFO - LSC configuration successfully loaded from /etc/lsc/ldap-mte2id/
avr. 03 20:27:22 - INFO - Connecting to LDAP server ldap://localhost:389/dc=id,dc=fr as cn=syncid,ou=system,dc=idm,dc=fr
avr. 03 20:27:22 - INFO - Connecting to LDAP server ldap://ldapmte.idm.fr:389/dc=mte,dc=fr as cn=syncuser,ou=System,dc=mte,dc=fr
avr. 03 20:27:22 - INFO - Starting sync for user
avr. 03 20:27:24 - INFO - # Adding new object eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr for user
# Mon Apr 03 20:27:24 UTC 2017
dn: eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr
changetype: add
supannListeRouge: FALSE
...
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: supannPerson
objectClass: eduPerson
objectClass: organizationalPerson
objectClass: labeledURIObject
supanncivilite: M.
...
sn: PROC
avr. 03 20:27:24 - INFO - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
Associated LDAP logs:
Apr 3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 RESULT tag=97 err=0 text=
Apr 3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH base="ou=people,ou=mte,dc=id,dc=fr" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(eduPersonPrincipalName=proc@tm-tp.eu))"
Apr 3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH attr=description cn sn userPassword objectClass uid mail departmentNumber employeeType givenName telephoneNumber mobile LabeledURI postalAddress title jpegphoto edupersonAffiliation eduPersonPrincipalName supanncivilite supannListeRouge supannEntiteAffectation
Apr 3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
Apr 3 20:27:23 idm slapd[4786]: conn=1207 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=2 ADD dn="eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr"
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=2 RESULT tag=105 err=0 text=
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=3 UNBIND
Apr 3 20:27:24 idm slapd[4786]: conn=1207 fd=25 closed
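To get something useful out of log lines like these, here is an added shell script (example code for this page, not part of the wiki, of LSC or of OpenLDAP) that summarizes slapd stats lines per connection: bind DN, client address, SASL mechanism and SSF, and bind result, plus the attributes slapd reported as not indexed. The sample log is constructed from the lines above plus one made-up failed bind from the LAN; the parser assumes the default syslog format of slapd 2.4 and IPv4 peers.

```shell
#!/bin/sh
# Added example (not from the wiki): summarize slapd "stats" log lines from the
# defender's side: who bound from where, with which mechanism and SSF, whether
# the bind succeeded, and which attributes slapd reported as "not indexed"
# (those point at missing olcDbIndex entries).
# Assumes the default syslog format of slapd 2.4 (conn=/op= keys); IPv4 only.

# Constructed sample: the connection trace of the wiki plus one made-up failed
# bind (err=49 = invalidCredentials) from the LAN.
SAMPLE_LOG='Apr 3 20:27:22 idm slapd[4786]: conn=1207 fd=25 ACCEPT from IP=127.0.0.1:35778 (IP=0.0.0.0:389)
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" method=128
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 BIND dn="cn=syncuser,ou=system,dc=id,dc=fr" mech=SIMPLE ssf=0
Apr 3 20:27:22 idm slapd[4786]: conn=1207 op=0 RESULT tag=97 err=0 text=
Apr 3 20:27:23 idm slapd[4786]: conn=1207 op=1 SRCH base="ou=people,ou=mte,dc=id,dc=fr" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(eduPersonPrincipalName=proc@tm-tp.eu))"
Apr 3 20:27:23 idm slapd[4786]: <= mdb_equality_candidates: (eduPersonPrincipalName) not indexed
Apr 3 20:27:23 idm slapd[4786]: conn=1207 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=2 ADD dn="eduPersonPrincipalName=proc@tm-tp.eu,ou=people,ou=mte,dc=id,dc=fr"
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=2 RESULT tag=105 err=0 text=
Apr 3 20:27:24 idm slapd[4786]: conn=1207 op=3 UNBIND
Apr 3 20:27:24 idm slapd[4786]: conn=1207 fd=25 closed
Apr 3 20:31:05 idm slapd[4786]: conn=1208 fd=26 ACCEPT from IP=192.168.0.42:51234 (IP=0.0.0.0:389)
Apr 3 20:31:05 idm slapd[4786]: conn=1208 op=0 BIND dn="cn=admin,dc=id,dc=fr" method=128
Apr 3 20:31:05 idm slapd[4786]: conn=1208 op=0 RESULT tag=97 err=49 text=
Apr 3 20:31:05 idm slapd[4786]: conn=1208 op=1 UNBIND
Apr 3 20:31:05 idm slapd[4786]: conn=1208 fd=26 closed'

# slapd_binds < logfile -> one line per connection, sorted by conn id:
#   conn=N ip=ADDR dn="BIND DN" mech=MECH ssf=N err=CODE
# ("-" where slapd never logged the value, e.g. mech/ssf on a failed bind)
slapd_binds() {
    awk '
    function field(s, re, skip) { return match(s, re) ? substr(s, RSTART + skip, RLENGTH - skip) : "" }
    { c = field($0, "conn=[0-9]+", 0) }
    / ACCEPT from IP=/ { ip[c] = field($0, "from IP=[^:]+", 8) }
    / BIND dn=/ && / method=/ {
        d = field($0, "dn=\"[^\"]*\"", 4); sub(/"$/, "", d)
        dn[c] = d; bindop[c] = field($0, "op=[0-9]+", 0)
        mech[c] = "-"; ssf[c] = "-"; err[c] = "-"
    }
    / BIND dn=/ && / mech=/ { mech[c] = field($0, "mech=[^ ]+", 5); ssf[c] = field($0, "ssf=[0-9]+", 4) }
    / RESULT / { if ((c in bindop) && field($0, "op=[0-9]+", 0) == bindop[c]) err[c] = field($0, "err=[0-9]+", 4) }
    END { for (c in dn) printf "%s ip=%s dn=\"%s\" mech=%s ssf=%s err=%s\n", c, ip[c], dn[c], mech[c], ssf[c], err[c] }
    ' | sort
}

# slapd_failed_binds < logfile -> only the connections whose bind did not return err=0
slapd_failed_binds() {
    slapd_binds | awk '$NF != "err=0"'
}

# slapd_unindexed < logfile -> attributes searched without an index, one per line
slapd_unindexed() {
    sed -n 's/.*_candidates: (\([^)]*\)) not indexed.*/\1/p' | sort -u
}

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | slapd_binds
#   printf '%s\n' "$SAMPLE_LOG" | slapd_failed_binds
#   printf '%s\n' "$SAMPLE_LOG" | slapd_unindexed
```

Two things this makes visible in the trace above: every bind is mech=SIMPLE with ssf=0, i.e. the syncuser password crosses the wire in clear unless the client goes through ldaps:// or STARTTLS as set up in the TLS section; and the "not indexed" line means the lookup LSC performs on eduPersonPrincipalName is a full scan of the subtree, which an eq index for that attribute in olcDbIndex of the {1}mdb database would avoid.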