Ldap

From Halfface
Revision as of 06:17, 15 August 2022 by Ekaanbj (talk | contribs) (→‎Naming)

setup ldap server

Just followed.

http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6

add user

ldapadd -x -W -f users_groups.ldif -c

change password

ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ

Install ldap server.

yum -y install openldap openldap-clients openldap-devel openldap-servers

Configure ldap.

/etc/openldap/ldap.conf

URI ldap://ldap.halfface.se/
BASE dc=halfface,dc=se

Configure ldap.

/etc/openldap/slapd.conf

include         /etc/openldap/schema/redhat/autofs.schema
database bdb
suffix "dc=halfface,dc=se"
rootdn "uid=root,dc=halfface,dc=se"
rootpw secret

Change rootpw to output from the following command.

slappasswd

rootpw {SSHA}0BO9AGrX8

Copy database defaults.

 cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

To generate ldif to feed your ldap database.

Change the variables to suit your domain.

/usr/share/openldap/migration/migrate_common.ph

Convert local users to ldap users.

/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif

Import users.

ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c

Example ldif to add user.

dn: uid=bjorklun,ou=people,dc=halfface,dc=se
uid: bjorklun
cn: Andreas Bjorklund
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$encryptedpasswordheretowork
shadowLastChange: 13080
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund
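An added example, not from the page or from the migration scripts above: it produces the same user ldif layout from /etc/passwd and /etc/shadow style lines in Python, applying the RFC 2849 rule that a value which is not plain ASCII (or starts with space, colon or '<') must be written base64 after '::'. The account lines, the hash and the min_uid cutoff are constructed for the example.

```python
import base64

# Constructed sample lines in /etc/passwd and /etc/shadow format (placeholder hash, not a real account).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "bjorklun:x:501:501:Andreas Björklund:/home/bjorklun:/bin/bash",
]
SHADOW_LINES = [
    "root:$1$placeholderhash:13080:0:99999:7:::",
    "bjorklun:$1$placeholderhash:13080:0:99999:7:::",
]

def ldif_line(attr: str, value: str) -> str:
    """One attribute line per RFC 2849: a value that is not a SAFE-STRING (non-ASCII,
    leading space/colon/'<', trailing space, NUL/CR/LF) is written base64 after '::'."""
    raw = value.encode("utf-8")
    unsafe = (not raw.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\x00\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"

def passwd_to_ldif(passwd: list[str], shadow: list[str], base: str, min_uid: int = 500) -> str:
    """Emit posixAccount/shadowAccount entries in the layout shown above; accounts with
    uidNumber below min_uid are treated as system accounts and are not migrated."""
    shadow_by_name = {line.split(":")[0]: line.split(":") for line in shadow}
    entries = []
    for line in passwd:
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_uid:
            continue
        sh = shadow_by_name.get(name, [name, "*", "0", "0", "99999", "7"])  # no hash -> locked
        lines = [
            ldif_line("dn", f"uid={name},ou=people,{base}"),
            ldif_line("uid", name),
            ldif_line("cn", gecos or name),
            "objectClass: account", "objectClass: posixAccount",
            "objectClass: top", "objectClass: shadowAccount",
            ldif_line("userPassword", "{crypt}" + sh[1]),
            ldif_line("shadowLastChange", sh[2]),
            ldif_line("shadowMax", sh[4]),
            ldif_line("shadowWarning", sh[5]),
            ldif_line("loginShell", shell),
            ldif_line("uidNumber", uid),
            ldif_line("gidNumber", gid),
            ldif_line("homeDirectory", home),
        ] + ([ldif_line("gecos", gecos)] if gecos else [])
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```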

Adding local groups.

sort -t : -k3 -n /etc/group | tail -22 | head -20 > /temp/group
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v

Adding passwd and group.

dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people

dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group

Organization Units.

dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends

dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work

Root entry, organizational unit and Manager (ldif).

Two variants of the root entry; use one of them.

dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface

dn: ou=People,dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit

dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager

Add the entries and list everything in the tree.

ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'

Configure client.

authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update

Configure client. /etc/sysconfig/autofs

# Other common LDAP naming
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
#

ldapsearch examples.

Search for user bjorklun.

ldapsearch -x uid=bjorklun

Search for specified field.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId

Look for the auto.master structure.

ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'

Search AD for ldap information.

ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'

Search without checking the server certificate. TLS_REQCERT allow in ldap.conf makes the client accept any certificate the ldaps server presents.

tail /etc/openldap/ldap.conf
HOST ldap.halfface.se
TLS_REQCERT ALLOW
ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'

Decode base64 (::) values and turn off line wrapping.

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string))" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM

Search for uidNumber higher than 42435.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"

Search for the next suitable gid. Look for a good matching number. For some reason I get some low numbers in my test.

ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
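An added example, not from the page: the same unfolding and base64 decoding the perl pipeline above does, written as a Python parser for ldapsearch output so the result can be processed as entries instead of grepped. The sample output is constructed (a line folded because ldif-wrap=no was not given, and a non-ASCII cn emitted as base64).

```python
import base64

# Constructed sample of ldapsearch output: a folded line (no ldif-wrap=no) and a base64 cn.
SAMPLE_OUTPUT = """\
# extended LDIF
#
dn: uid=bjorklun,ou=People,dc=halfface,dc=se
uid: bjorklun
cn:: QW5kcmVhcyBCasO2cmtsdW5k
description: a long value that ldapsearch folds onto a second line wh
 en ldif-wrap=no is not given
objectClass: posixAccount

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Unfold continuation lines, decode '::' base64 values as UTF-8 and group
    attributes into one dict per entry (only blocks that have a dn are entries)."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                   # trailing "" flushes the last block
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):                   # ldapsearch comment lines
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(": "):                  # attr:: base64(value)
            value = base64.b64decode(rest[2:].strip()).decode("utf-8")
        elif rest.startswith(":<"):                # attr:< URL, keep the URL as-is
            value = rest[2:].strip()
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    return entries
```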

matching

Match user belonging to one of the groups.

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups.

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
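The two filters above substitute values with %s. An added example (not from the page) that builds the same filters in Python with the substituted values escaped: RFC 4514 escaping for the cn inside the memberOf DN, then RFC 4515 escaping for the whole assertion value, so a cn containing a comma or an account name containing '*', '(' or ')' stays a literal value instead of changing the filter. The group and account values are constructed.

```python
GROUP_BASE = "OU=Test_Users,DC=matthew,DC=com"   # the OU used in the filters above

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX; non-ASCII is escaped per UTF-8 byte,
    which the RFC permits and keeps the filter plain ASCII."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value (RFC 4514) so a cn with ',' or '+' still builds a valid DN."""
    esc = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if esc.startswith(("#", " ")):
        esc = "\\" + esc
    if esc.endswith(" "):
        esc = esc[:-1] + "\\ "
    return esc

def group_dn(group: str) -> str:
    return f"CN={escape_dn_value(group)},{GROUP_BASE}"

def member_of_either(group: str, account: str) -> str:
    """The '|' filter above, with both substituted values escaped."""
    return (f"(|(memberOf={escape_filter_value(group_dn(group))})"
            f"(sAMAccountName={escape_filter_value(account)}))")

def member_of_both(group: str, account: str) -> str:
    """The '&' filter above, with both substituted values escaped."""
    return (f"(&(memberOf={escape_filter_value(group_dn(group))})"
            f"(sAMAccountName={escape_filter_value(account)}))")
```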

Naming

dit                directory information tree
dn                 entry distinguished name
dsa                directory server, more formally a Directory System Agent (also written Directory Server Agent).
entry              consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes.
rdn                relative distinguished name.
X.500              the original directory standard; its Directory Access Protocol (DAP) is what LDAP is a much more lightweight version of.