Ldap

From Halfface
Revision as of 08:30, 15 August 2022 by Ekaanbj (talk | contribs) (→‎Naming)
Jump to navigation Jump to search

setup ldap server

Just followed.

http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6

add user

ldapadd -x -W -f users_groups.ldif -c

change password

ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ

Install ldap server.

yum' -y install openldap openldap-clients openldap-devel openldap-servers

Configure ldap.

/etc/openldap/ldap.conf

URI ldap://ldap.halfface.se/
BASE dc=halfface,dc=se

Configure ldap.

/etc/openldap/slapd.conf

include         /etc/openldap/schema/redhat/autofs.schema
database bdb
suffix "dc=halfface,dc=se"
rootdn "uid=root,dc=halfface,dc=se"
rootpw secret

Change rootpw to output from the following command.

slappasswd

rootpw {SSHA}0BO9AGrX8

Copy database defaults.

 cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

To generate ldif to feed your ldap database.

Change varables to suite your domain.

/usr/share/openldap/migration/migrate_common.ph

Convert local users to ldap users.

/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif

Import users.

ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c

Example ldif to add user.

dn: uid=bjorklun,ou=people,dc=halfface,dc=se
uid: bjorklun
cn: Andreas Bjorklund
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$encryptedpasswordheretowork
shadowLastChange: 13080
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund

Adding local groups.

cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v

Adding passwd and group.

dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people

dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group

Organization Units.

dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends

dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work

ldap attribute.

dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit
dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface

dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'

Configure client.

authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update

Configure client. /etc/sysconfig/autofs

# Other common LDAP nameing
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
#

ldapsearch examples.

Search for user bjorklun.

ldapsearch -x uid=bjorklun

Search for specified field.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId

Look for the auto.master structure.

ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'

Search ad for ldap information.

ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'

Search without checking cert

tail /etc/openldap/ldap.conf
HOST ldap.halfface.se
TLS_REQCERT ALLOW
ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'

Base64 decode. No line wrap.

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
  1. search for numbers higher than 42435.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
  1. search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less

matching

Match user belonging to one of the groups.

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups.

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Naming

cd                 domain component
dit                directory information tree
dn                 entry distinguished name
dsa                directory server, more technically referred to as a Directory Server Agent, a Directory System Agent.
entry              consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes.
leaf entries       entries that do not have any children
rdn                relative distinguished names.
root dse           is sometimes called the “null DN” and references a special type of entry called the root DSE which provides information about the content and capabilities of the directory server.
X.500              the original Directory Access Protocol, for which LDAP is a much more lightweight version

SupportedExtension  A supported extension is a mechanism for identifying the Extended Request supported by the Directory Server.
SupportedControl    An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed.
Object Classes     Object classes are schema elements that specify collections of attribute types that may be related to a particular type of object, process, or other entity