Ldap
Jump to navigation
Jump to search
setup ldap server
Just followed.
http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6
add user
ldapadd -x -W -f users_groups.ldif -c
change password
ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ
Install ldap server.
yum' -y install openldap openldap-clients openldap-devel openldap-servers
Configure ldap.
/etc/openldap/ldap.conf
URI ldap://ldap.halfface.se/ BASE dc=halfface,dc=se
Configure ldap.
/etc/openldap/slapd.conf
include /etc/openldap/schema/redhat/autofs.schema database bdb suffix "dc=halfface,dc=se" rootdn "uid=root,dc=halfface,dc=se" rootpw secret
Change rootpw to output from the following command.
slappasswd
rootpw {SSHA}0BO9AGrX8
Copy database defaults.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
To generate ldif to feed your ldap database.
Change varables to suite your domain.
/usr/share/openldap/migration/migrate_common.ph
Convert local users to ldap users.
/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif
Import users.
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c
Example ldif to add user.
dn: uid=bjorklun,ou=people,dc=halfface,dc=se uid: bjorklun cn: Andreas Bjorklund objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$encryptedpasswordheretowork shadowLastChange: 13080 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 501 gidNumber: 501 homeDirectory: /home/bjorklun gecos: Andreas Bjorklund
Adding local groups.
cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group /usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v
Adding passwd and group.
dn: ou=people,dc=halfface,dc=se objectclass: organizationalUnit ou: people dn: ou=group,dc=halfface,dc=se objectclass: organizationalUnit ou: group
Organization Units.
dn: ou=Friends,dc=halfface,dc=se ou: Friends objectClass: top objectClass: organizationalUnit description: Members of Friends dn: ou=Work,dc=halfface,dc=se ou: Work objectClass: top objectClass: organizationalUnit description: Members of Work
ldap attribute.
dn: dc=halfface,dc=se dc: halfface description: Root LDAP entry for halfface.se objectClass: dcObject objectClass: organizationalUnit ou: rootobject
dn: ou=People, dc=halfface,dc=se ou: People description: All people in organisation objectClass: organizationalUnit
dn: dc=halfface,dc=se objectclass: dcObject objectclass: organization o: halfface dc: halfface dn: cn=Manager,dc=halfface,dc=se objectclass: organizationalRole cn: Manager
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'
Configure client.
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update
Configure client. /etc/sysconfig/autofs
# Other common LDAP nameing # DEFAULT_MAP_OBJECT_CLASS="automountMap" DEFAULT_ENTRY_OBJECT_CLASS="automount" DEFAULT_MAP_ATTRIBUTE="ou" DEFAULT_ENTRY_ATTRIBUTE="cn" DEFAULT_VALUE_ATTRIBUTE="automountInformation" #
ldapsearch examples.
Search for user bjorklun.
ldapsearch -x uid=bjorklun
Search for specified field.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId
Look for the auto.master structure.
ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'
Search ad for ldap information.
ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'
Search without checking cert
tail /etc/openldap/ldap.conf HOST ldap.halfface.se TLS_REQCERT ALLOW ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'
Base64 decode. No line wrap.
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
- search for numbers higher than 42435.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
- search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
matching
Match user belonging to one of the groups.
(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
Match user belonging to both groups.
(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
Naming
cd domain component dit directory information tree dn entry distinguished name dsa directory server, more technically referred to as a Directory Server Agent, a Directory System Agent. entry consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes. leaf entries entries that do not have any children rdn relative distinguished names. root dse is sometimes called the “null DN” and references a special type of entry called the root DSE which provides information about the content and capabilities of the directory server. X.500 the original Directory Access Protocol, for which LDAP is a much more lightweight version SupportedExtension A supported extension is a mechanism for identifying the Extended Request supported by the Directory Server. SupportedControl An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed.
Object Classes Object classes are schema elements that specify collections of attribute types that may be related to a particular type of object, process, or other entity