Ldap: Difference between revisions

From Halfface
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
=setup ldap server=
=Install ldap server.=
Just followed.
  dnf install 389*
http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6
=Configure ldap.=
==add user==
  dscreate interactive
ldapadd -x -W -f users_groups.ldif -c
=ldapsearch examples=
==change password==
ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ
 
==Install ldap server.==
  yum' -y install openldap openldap-clients openldap-devel openldap-servers
 
==Configure ldap.==
/etc/openldap/ldap.conf
URI ldap://ldap.halfface.se/
BASE dc=halfface,dc=se
 
==Configure ldap.==
/etc/openldap/slapd.conf
include        /etc/openldap/schema/redhat/autofs.schema
database bdb
suffix "dc=halfface,dc=se"
rootdn "uid=root,dc=halfface,dc=se"
rootpw secret
 
==Change rootpw to output from the following command.==
slappasswd
rootpw {SSHA}0BO9AGrX8
 
==Copy database defaults.==
  cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 
===To generate ldif to feed your ldap database.===
 
Change varables to suite your domain.
/usr/share/openldap/migration/migrate_common.ph
 
Convert local users to ldap users.
/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif
 
Import users.
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c
 
Example ldif to add user.
dn: uid=bjorklun,ou=people,dc=halfface,dc=se
uid: bjorklun
cn: Andreas Bjorklund
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$encryptedpasswordheretowork
shadowLastChange: 13080
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund
 
==Adding local groups.==
cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v
 
===Adding passwd and group.===
dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people
dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group
 
Organization Units.
dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends
dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work
 
ldap attribute.
dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
 
dn: ou=People, dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit
 
dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface
dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager
 
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
 
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'
 
==Configure client.==
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update
 
==Configure client. /etc/sysconfig/autofs==
# Other common LDAP nameing
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
  #
 
==ldapsearch examples.==
Search for user bjorklun.
ldapsearch -x uid=bjorklun
 
Search for specified field.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId
 
Look for the auto.master structure.
ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'
 
Search ad for ldap information.
ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'
 
Search without checking cert
tail /etc/openldap/ldap.conf
HOST ldap.halfface.se
TLS_REQCERT ALLOW
ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'
 
Base64 decode. No line wrap.
Base64 decode. No line wrap.
  ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
  ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
 
search for numbers higher than 42435.
# search for numbers higher than 42435.
  ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
  ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
# search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
  ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
  ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
 
Wild card search.
# Wild card search.
  ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'
  ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'
=matching=
=matching=
Match user belonging to one of the groups.
Match user belonging to one of the groups.
Line 161: Line 17:
Match user belonging to both groups.
Match user belonging to both groups.
  (&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
  (&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
=Naming=
cd                domain component
dit                directory information tree
dn                entry distinguished name
dsa                directory server, more technically referred to as a Directory Server Agent, a Directory System Agent.
entry              consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes.
leaf entries      entries that do not have any children
rdn                relative distinguished names.
root dse          is sometimes called the “null DN” and references a special type of entry called the root DSE which provides information about the content and capabilities of the directory server.
X.500              the original Directory Access Protocol, for which LDAP is a much more lightweight version
SupportedExtension A supported extension is a mechanism for identifying the Extended Request supported by the Directory Server.
SupportedControl  An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed.
Object Classes    Object classes are schema elements that specify collections of attribute types that may be related to a particular type of object, process, or other entity
Structural.        Indicates the attributes that the entry may have and where each entry may occur in the DIT.
Auxiliary.        Indicates the attributes that the entry may have.
Abstract.          Indicates a "partial" specification in the object class hierarchy; only structural and auxiliary subclasses may appear as entries in the directory.
=objectclass=
nsView            This object class is used for a view entry in the directory tree.
organizationalUnit object class defines entries that represent organizational units,
[[Category:Applications]]
[[Category:Applications]]
[[Category:Unix]]
[[Category:Unix]]

Revision as of 09:38, 27 November 2022

Install ldap server.

dnf install 389*

Configure ldap.

dscreate interactive

ldapsearch examples

Base64 decode. No line wrap.

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM

search for numbers higher than 42435.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"

search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.

ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less

Wild card search.

ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'

matching

Match user belonging to one of the groups.

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups.

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))