Commit 342c3e5e authored by pedrolab

ldap: refactor toc

parent 85576b09
# openLDAP
http://www.zytrax.com/books/ldap/ \
http://www.openldap.org/doc/admin24/ \
https://oav.net/mirrors/LDAP-ObjectClasses.html \
<!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** **Table of Contents**
- [openLDAP](#openldap) - [Install and configure](#install-and-configure)
- [Install openLDAP server](#install-openldap-server) - [Install openLDAP server](#install-openldap-server)
- [Basic config](#basic-config) - [Basic config](#basic-config)
- [Post install config](#post-install-config) - [Post install config](#post-install-config)
- [unique uid and mail attributes](#unique-uid-and-mail-attributes) - [Unique uid and mail attributes](#unique-uid-and-mail-attributes)
- [Group membership and integrity](#group-membership-and-integrity) - [Group membership and integrity](#group-membership-and-integrity)
- [add user and service group](#add-user-and-service-group) - [Add user and service group](#add-user-and-service-group)
- [password policy](#password-policy) - [Password policy](#password-policy)
- [Load the module](#load-the-module) - [Load the module](#load-the-module)
- [Configure the overlay](#configure-the-overlay) - [Configure the overlay](#configure-the-overlay)
- [Define password policies](#define-password-policies) - [Define password policies](#define-password-policies)
- [Warning](#warning) - [Warning](#warning)
- [olcPasswordHash: {SSHA512}](#olcpasswordhash-ssha512) - [olcPasswordHash: {SSHA512}](#olcpasswordhash-ssha512)
- [LDAPS and Let's encrypt certs](#ldaps-and-lets-encrypt-certs) - [LDAPS and Let's encrypt certs](#ldaps-and-lets-encrypt-certs)
- [Force TLS](#force-tls) - [Force TLS](#force-tls)
- [nobody user for ldap bind](#nobody-user-for-ldap-bind) - [nobody user for ldap bind](#nobody-user-for-ldap-bind)
- [usage](#usage) - [Usage](#usage)
- [Show config](#show-config) - [Show config](#show-config)
- [Change ldap admin config password](#change-ldap-admin-config-password) - [Change ldap admin config password](#change-ldap-admin-config-password)
- [Delete members from a group using ldif](#delete-members-from-a-group-using-ldif) - [Delete members from a group using ldif](#delete-members-from-a-group-using-ldif)
- [apache directory](#apache-directory) - [Apache Directory](#apache-directory)
- [useful connections to create with apache directory](#useful-connections-to-create-with-apache-directory) - [Useful connections to create with apache directory](#useful-connections-to-create-with-apache-directory)
<!-- END doctoc generated TOC please keep comment here to allow auto update --> <!-- END doctoc generated TOC please keep comment here to allow auto update -->
# openLDAP # Install and configure
http://www.zytrax.com/books/ldap/ \
http://www.openldap.org/doc/admin24/ \
https://oav.net/mirrors/LDAP-ObjectClasses.html \
## Install openLDAP server ## Install openLDAP server
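Review bot: the regenerated TOC no longer lists the `# openLDAP` title that this change moves to the top of the file (the old TOC had an `[openLDAP](#openldap)` entry), while the doctoc markers in the same block ask that it be regenerated rather than hand-edited; re-run doctoc before merging so the TOC and the headings agree, or state in the commit that the title was deliberately excluded. Separately, the trailing backslash on `https://oav.net/mirrors/LDAP-ObjectClasses.html \` now sits directly above the doctoc START comment and only forces a hard line break there, so it can be dropped.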
...@@ -69,7 +71,7 @@ We import configuration directly into the DIT (Directory Information Tree) using ...@@ -69,7 +71,7 @@ We import configuration directly into the DIT (Directory Information Tree) using
mkdir /etc/ldap/ldif mkdir /etc/ldap/ldif
# unique uid and mail attributes # Unique uid and mail attributes
We want to avoid duplicate user ids. LDAP will accept uid=david,ou=group1 and uid=david,ou=group2 because they represent two different entries in the DIT. However, this may lead to uid confusion. We also wish the mail attribute to be unique for similar reasons. We want to avoid duplicate user ids. LDAP will accept uid=david,ou=group1 and uid=david,ou=group2 because they represent two different entries in the DIT. However, this may lead to uid confusion. We also wish the mail attribute to be unique for similar reasons.
...@@ -100,9 +102,9 @@ And now we import the config ...@@ -100,9 +102,9 @@ And now we import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/unique.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/unique.ldif
## Group membership and integrity # Group membership and integrity
We want to use groups of users to make permission assignment easier.
We want to use groups of users to make permission assignment easier.
Edit `/etc/ldap/ldif/memberof.ldif` Edit `/etc/ldap/ldif/memberof.ldif`
...@@ -167,7 +169,7 @@ And import the configuration ...@@ -167,7 +169,7 @@ And import the configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/refint-2.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/refint-2.ldif
## add user and service group # Add user and service group
Edit `/etc/ldap/ldif/add-user-group.ldif` Edit `/etc/ldap/ldif/add-user-group.ldif`
...@@ -195,7 +197,7 @@ And import the configuration ...@@ -195,7 +197,7 @@ And import the configuration
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -H ldapi:/// -f /etc/ldap/ldif/add-service-group.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -H ldapi:/// -f /etc/ldap/ldif/add-service-group.ldif
## password policy # Password policy
http://www.zytrax.com/books/ldap/ch6/ppolicy.html \ http://www.zytrax.com/books/ldap/ch6/ppolicy.html \
We can define many password policies. We can define many password policies.
...@@ -203,7 +205,7 @@ Password policy schema is not part of the default schema. We need to import it. ...@@ -203,7 +205,7 @@ Password policy schema is not part of the default schema. We need to import it.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
### Load the module ## Load the module
Edit `/etc/ldap/ldif/pwdpolicy-1.ldif` Edit `/etc/ldap/ldif/pwdpolicy-1.ldif`
...@@ -218,7 +220,7 @@ And import the config ...@@ -218,7 +220,7 @@ And import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-1.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-1.ldif
### Configure the overlay ## Configure the overlay
Edit `/etc/ldap/ldif/pwdpolicy-2.ldif` Edit `/etc/ldap/ldif/pwdpolicy-2.ldif`
...@@ -239,7 +241,7 @@ And import the config ...@@ -239,7 +241,7 @@ And import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-2.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-2.ldif
### Define password policies ## Define password policies
Edit `/etc/ldap/ldif/pwdpolicy-3.ldif` Edit `/etc/ldap/ldif/pwdpolicy-3.ldif`
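Review bot: this hunk and the two before it promote the password-policy subsections one level (`###` to `##`) to match the new `# Password policy`, but the `Warning` and `olcPasswordHash: {SSHA512}` headings that the TOC lists under the same section do not appear in the diff; check that they were promoted as well, otherwise they stay a level deeper than their siblings and doctoc will nest them under `Define password policies` instead of under `Password policy`.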
...@@ -326,7 +328,7 @@ olcPasswordHash: {SSHA512} ...@@ -326,7 +328,7 @@ olcPasswordHash: {SSHA512}
`ldapadd -Y EXTERNAL -H ldapi:/// -f ./default_hash.ldif` `ldapadd -Y EXTERNAL -H ldapi:/// -f ./default_hash.ldif`
## LDAPS and Let's encrypt certs # LDAPS and Let's encrypt certs
*Use a guide to install letsencrypt certificates before continuing this guide* *Use a guide to install letsencrypt certificates before continuing this guide*
...@@ -390,7 +392,7 @@ Import modification ...@@ -390,7 +392,7 @@ Import modification
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/tls.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/tls.ldif
``` ```
### Force TLS ## Force TLS
Important: Important:
...@@ -452,7 +454,7 @@ And import the configuration ...@@ -452,7 +454,7 @@ And import the configuration
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -H ldapi:/// -f /etc/ldap/ldif/add-user-group.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -H ldapi:/// -f /etc/ldap/ldif/add-user-group.ldif
# usage # Usage
## Show config ## Show config
...@@ -491,11 +493,11 @@ Import configuration ...@@ -491,11 +493,11 @@ Import configuration
ldapmodify -x -W -D "uid=my-user,dc=commonscloud,dc=coop" -f /tmp/member_test.ldif ldapmodify -x -W -D "uid=my-user,dc=commonscloud,dc=coop" -f /tmp/member_test.ldif
# apache directory # Apache Directory
To edit LDAP entries with a [GUI](https://en.wikipedia.org/wiki/Graphical_user_interface) use [Apache Directory](https://directory.apache.org/) To edit LDAP entries with a [GUI](https://en.wikipedia.org/wiki/Graphical_user_interface) use [Apache Directory](https://directory.apache.org/)
## useful connections to create with apache directory ## Useful connections to create with apache directory
- tree view - tree view
- config view. Check that Base DN points change to cn=config. If you already configured the new connection go to `Properties -> Browser -> Options -> Base DN: cn=config` - config view. Check that Base DN points change to cn=config. If you already configured the new connection go to `Properties -> Browser -> Options -> Base DN: cn=config`
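Review bot: not introduced by this change, but the unchanged context line binds as `uid=my-user,dc=commonscloud,dc=coop` while every other command in the diff uses the `dc=example,dc=com` placeholder suffix; since this is a cleanup pass over the document, it is a good moment to switch that example to the same placeholder so readers do not copy a real-looking organisation DN into their own commands. The sentence "Check that Base DN points change to cn=config" also reads oddly; "Check that the Base DN points to cn=config" says what is meant.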