Commit a2dc0d3a authored by pedrolab

ldap: update structure

parent c1682776
......@@ -12,17 +12,17 @@ https://oav.net/mirrors/LDAP-ObjectClasses.html \
- [Install openLDAP server](#install-openldap-server)
- [Basic config](#basic-config)
- [Post install config](#post-install-config)
- [Unique uid and mail attributes](#unique-uid-and-mail-attributes)
- [Group membership and integrity](#group-membership-and-integrity)
- [Add user and service group](#add-user-and-service-group)
- [Password policy](#password-policy)
- [Load the module](#load-the-module)
- [Configure the overlay](#configure-the-overlay)
- [Define password policies](#define-password-policies)
- [Warning](#warning)
- [olcPasswordHash: {SSHA512}](#olcpasswordhash-ssha512)
- [LDAPS and Let's encrypt certs](#ldaps-and-lets-encrypt-certs)
- [Force TLS](#force-tls)
- [Unique uid and mail attributes](#unique-uid-and-mail-attributes)
- [Group membership and integrity](#group-membership-and-integrity)
- [Add user and service group](#add-user-and-service-group)
- [Password policy](#password-policy)
- [Load the module](#load-the-module)
- [Configure the overlay](#configure-the-overlay)
- [Define password policies](#define-password-policies)
- [Warning about certain password policies](#warning-about-certain-password-policies)
- [olcPasswordHash: {SSHA512}](#olcpasswordhash-ssha512)
- [LDAPS and Let's encrypt certs](#ldaps-and-lets-encrypt-certs)
- [Force TLS](#force-tls)
- [Backup and Restore](#backup-and-restore)
- [Dump databases](#dump-databases)
- [Restore databases](#restore-databases)
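Review bot: renaming the `Warning` entry to `Warning about certain password policies` changes its anchor from `#warning` to `#warning-about-certain-password-policies`, so any other in-document link to `#warning` needs the same update; the `Force TLS` entry should also be nested under `LDAPS and Let's encrypt certs` in the list, matching the demotion of that heading from `##` to `###` in the body.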
......@@ -78,7 +78,7 @@ We import configuration directly into the DIT (Directory Information Tree) using
mkdir /etc/ldap/ldif
# Unique uid and mail attributes
## Unique uid and mail attributes
We want to avoid duplicate user ids. LDAP will accept uid=david,ou=group1 and uid=david,ou=group2 because they represent two different entries in the DIT. However, this may lead to uid confusion. We also wish the mail attribute to be unique for similar reasons.
......@@ -109,7 +109,7 @@ And now we import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/unique.ldif
# Group membership and integrity
## Group membership and integrity
We want to use groups of users to make permission assignment easier.
......@@ -176,7 +176,7 @@ And import the configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/refint-2.ldif
# Add user and service group
## Add user and service group
Edit `/etc/ldap/ldif/add-user-group.ldif`
......@@ -204,15 +204,17 @@ And import the configuration
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -H ldapi:/// -f /etc/ldap/ldif/add-service-group.ldif
# Password policy
http://www.zytrax.com/books/ldap/ch6/ppolicy.html \
## Password policy
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
We can define many password policies.
Password policy schema is not part of the default schema. We need to import it.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
## Load the module
### Load the module
Edit `/etc/ldap/ldif/pwdpolicy-1.ldif`
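Review bot: dropping the trailing `\` after `http://www.zytrax.com/books/ldap/ch6/ppolicy.html` removes the Markdown hard line break, so a blank line must separate the URL from `We can define many password policies.` or the two render as one paragraph; a short lead such as "Reference:" before the bare URL would also make clear why it is there.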
......@@ -227,7 +229,7 @@ And import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-1.ldif
## Configure the overlay
### Configure the overlay
Edit `/etc/ldap/ldif/pwdpolicy-2.ldif`
......@@ -248,7 +250,7 @@ And import the config
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-2.ldif
## Define password policies
### Define password policies
Edit `/etc/ldap/ldif/pwdpolicy-3.ldif`
......@@ -292,7 +294,7 @@ We import this ldif into the dc=example,dc=com tree, so we do it as the admin of
ldapadd -D "cn=admin,dc=example,dc=com" -W -f /etc/ldap/ldif/pwdpolicy-3.ldif
### Warning
#### Warning about certain password policies
After a year, I've got a problem with `pwdMaxAge: 31536000`
......@@ -305,7 +307,7 @@ However I cannot add `pwdPolicySubentry: "cn=user,ou=pwpolicies,dc=example,dc=co
Until I find a solution I have changed `pwdMaxAge: 0` for everyone.
## olcPasswordHash: {SSHA512}
### olcPasswordHash: {SSHA512}
In the ppolicy config we set `olcPPolicyHashCleartext: TRUE`
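Review bot: the demoted `#### Warning about certain password policies` heading now buries the line `Until I find a solution I have changed pwdMaxAge: 0 for everyone.` four levels deep; since `pwdMaxAge: 0` turns off password expiry for every user, the section should say that explicitly so an operator applying this guide knows the trade-off rather than finding it in an aside.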
......@@ -335,7 +337,7 @@ olcPasswordHash: {SSHA512}
`ldapadd -Y EXTERNAL -H ldapi:/// -f ./default_hash.ldif`
# LDAPS and Let's encrypt certs
## LDAPS and Let's encrypt certs
*Use a guide to install letsencrypt certificates before continuing this guide*
......@@ -399,7 +401,7 @@ Import modification
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/tls.ldif
```
## Force TLS
### Force TLS
Important: