OpenLDAP (Ubuntu 14.04)
Current revision as of 28 July 2016, 09:30

Work in progress.

The following installation guide requires root privileges in most cases, so we switch to a root shell right away:
<pre>
sudo -i
</pre>
== Installation ==
<pre>
sudo apt-get install slapd ldap-utils
</pre>
The following package is needed for the Samba schema:
<pre>
sudo apt-get install samba-doc
</pre>
The following package is needed for migrating the user accounts:
<pre>
sudo apt-get install smbldap-tools
</pre>
Create the file /etc/ldap/schema/schema_convert.conf, which lists the schema files to be converted to LDIF:
<pre>
sudo nano /etc/ldap/schema/schema_convert.conf
</pre>
<pre>
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema
</pre>
=== Copying the Samba schema ===
<pre>
sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz
</pre>
=== Converting to LDIF format ===
<pre>
sudo -i
</pre>
First create a temporary directory:
<pre>
mkdir /tmp/ldif_output
</pre>
Convert the schemas listed in schema_convert.conf into the temporary directory and change into the generated schema directory:
<pre>
cd /etc/ldap/schema
slapcat -f schema_convert.conf -F /tmp/ldif_output -n0
cd /tmp/ldif_output/cn\=config/cn\=schema/
</pre>
The wiki page attaches a script, Mod_ldif.sh, for post-processing the generated LDIF files at this point; it is not reproduced here. Then move the original .ldif files aside and copy the converted ones into place (replace <backup dir> and <temp dir>):
<pre>
sudo mv /etc/ldap/schema/*.ldif <backup dir>
sudo cp <temp dir>/*.ldif /etc/ldap/schema/
</pre>
The wiki page attaches a second script, Add_backend.sh, at this point; it is not reproduced here either.
== Configuration ==
<pre>
cd /etc/ldap/
</pre>
Generate the password hash for the directory administrator; the {SSHA} value printed by slappasswd is used in the LDIF files below:
<pre>
slappasswd
</pre>
=== /etc/ldap/db.ldif ===
<pre>
nano /etc/ldap/db.ldif
</pre>
Fill the file /etc/ldap/db.ldif with the following content (replace the domain twice and the password twice; the LDIF records are separated by blank lines):
<pre>
###########################################################
# DEFAULT DATABASE MODIFICATION
###########################################################
# Modify directory database
dn: olcDatabase={1}hdb,cn=config
changeType: modify
delete: olcSuffix

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcSuffix
olcSuffix: dc=kirner,dc=or,dc=at

dn: olcDatabase={1}hdb,cn=config
changeType: modify
delete: olcRootDN

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcRootDN
olcRootDN: cn=admin,dc=kirner,dc=or,dc=at

dn: olcDatabase={1}hdb,cn=config
changeType: modify
delete: olcRootPW

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcRootPW
olcRootPW: {SSHA}<dx0sCgNBPlx98eRYnun1QBNfrWUR6qM1>

dn: olcDatabase={1}hdb,cn=config
changeType: modify
delete: olcDbIndex

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcDbIndex
olcDbIndex: uid pres,eq

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcDbIndex
olcDbIndex: cn,sn,mail pres,eq,approx,sub

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcDbIndex
olcDbIndex: objectClass eq

###########################################################
# REMOTE CONFIGURATION DEFAULTS
###########################################################
# Some defaults need to be added in order to allow remote
# access by DN cn=admin,cn=config to the LDAP config
# database. Otherwise only the local root user will have
# administrative access.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}<dx0sCgNBPlx98eRYnun1QBNfrWUR6qM1>
</pre>
Load the file into the config backend; the EXTERNAL mechanism over the ldapi:/// socket authenticates the local root user without a password:
<pre>
ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
</pre>
=== /etc/ldap/base.ldif ===
<pre>
nano /etc/ldap/base.ldif
</pre>
Fill the file /etc/ldap/base.ldif with the following content (here too, adjust all domain components and replace the password):
<pre>
# Tree root
dn: dc=kirner,dc=or,dc=at
objectClass: dcObject
objectClass: organization
o: kirner.or.at
dc: kirner
description: Tree root

# LDAP admin
dn: cn=admin,dc=kirner,dc=or,dc=at
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}<dx0sCgNBPlx98eRYnun1QBNfrWUR6qM1>
description: LDAP administrator
</pre>
<pre>
ldapadd -x -D cn=admin,dc=kirner,dc=or,dc=at -W -f base.ldif
</pre>
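The {SSHA} values used for olcRootPW and userPassword above are what slappasswd prints by default. As an added example (not from the wiki page and not OpenLDAP's own code), the following Python builds and verifies that format: base64 of SHA-1(password || salt) followed by the salt. The helper names are this example's own, the demo password is constructed, and since the {SSHA}<...> strings on the page are placeholders, every value here is computed at run time.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20            # SHA-1 digest length; the bytes after it are the salt
SLAPPASSWD_SALT_LEN = 4  # slappasswd's default salt size for {SSHA}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the {SSHA} form slappasswd prints.
    A fresh random salt is drawn when none is given, so two calls with the
    same password never produce the same string."""
    if salt is None:
        salt = os.urandom(SLAPPASSWD_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored: str) -> bytes:
    """Return the salt embedded in a stored {SSHA} value (any salt length)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[SHA1_LEN:]


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value the way slapd
    does for a simple bind: re-hash with the stored salt, compare digests."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False                     # no salt present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ssha_hash("secret")          # constructed demo password
    print(value)
    print("correct password:", ssha_verify(value, "secret"))
    print("wrong password:  ", ssha_verify(value, "Secret"))
```

Because of the random salt, the same password gives a different {SSHA} string on every slappasswd run; the value can only be checked by re-hashing, never by string comparison, which is also why the hashes in db.ldif and base.ldif may differ even though they encode the same password.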
=== Testing the configuration so far ===
Query the config database as cn=admin,cn=config (first only the {1}hdb database entry, then the whole configuration):
<pre>
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
</pre>
Query the directory tree with an anonymous simple bind:
<pre>
ldapsearch -xLLL -b dc=kirner,dc=or,dc=at
</pre>
== Migrating user accounts to LDAP ==
=== /etc/ldap/init.ldif ===
<pre>
sudo nano /etc/ldap/init.ldif
</pre>
Create the organizational units used by the smbldap-tools configuration:
<pre>
dn: ou=Users,dc=kirner,dc=or,dc=at
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=kirner,dc=or,dc=at
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,dc=kirner,dc=or,dc=at
objectClass: organizationalUnit
ou: Computers

dn: ou=Idmap,dc=kirner,dc=or,dc=at
objectClass: organizationalUnit
ou: Idmap
</pre>
<pre>
sudo ldapadd -x -h localhost -W -D cn=admin,dc=kirner,dc=or,dc=at -f init.ldif
</pre>
Install the smbldap-tools configuration files from the package examples (the redirections only work in the root shell opened at the start); smbldap_bind.conf holds the bind credentials and must be readable by root only:
<pre>
cd /etc/smbldap-tools
sudo zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > smbldap.conf
sudo cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > smbldap_bind.conf
sudo chmod 0644 smbldap.conf
sudo chmod 0600 smbldap_bind.conf
</pre>
<pre>
sudo nano /etc/smbldap-tools/smbldap.conf
</pre>
The adjusted smbldap.conf is attached to the wiki page as Smbldap.conf; it is not reproduced here.
=== /etc/smbldap-tools/smbldap_bind.conf ===
{{note|It is important to replace Manager with admin.}}
<pre>
sudo nano /etc/smbldap-tools/smbldap_bind.conf
</pre>
<pre>
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=kirner,dc=or,dc=at"
slavePw="<password>"
masterDN="cn=admin,dc=kirner,dc=or,dc=at"
masterPw="<password>"
</pre>
=== /etc/passwd ===
<pre>
cd /root
sudo zcat /usr/share/doc/smbldap-tools/examples/migration_scripts/smbldap-migrate-unix-accounts.gz > smbldap-migrate-unix-accounts
sudo chmod u+x smbldap-migrate-unix-accounts
sudo cp /etc/passwd passwd.users
sudo nano passwd.users
</pre>
Then remove all users that should not be migrated (e.g. root) from passwd.users.
<pre>
./smbldap-migrate-unix-accounts -P passwd.users -S /etc/shadow -v
</pre>
=== /etc/group ===
<pre>
sudo zcat /usr/share/doc/smbldap-tools/examples/migration_scripts/smbldap-migrate-unix-groups.gz > smbldap-migrate-unix-groups
sudo chmod u+x smbldap-migrate-unix-groups
sudo cp /etc/group group.import
sudo nano group.import
</pre>
Then remove all groups that should not be migrated (e.g. root) from group.import.
<pre>
./smbldap-migrate-unix-groups -G group.import -v
</pre>
=== Testing the migration ===
<pre>
ldapsearch -x -D cn=admin,dc=kirner,dc=or,dc=at -W -b dc=kirner,dc=or,dc=at
</pre>
== Using SASL ==
<pre>
sudo nano /etc/ldap/sasl-digestmd5.ldif
</pre>
<pre>
###########################################################
# DEFAULTS MODIFICATION for SASL DIGEST-MD5
###########################################################
# Some of the defaults need to be modified in order to allow
# SASL supported access to the LDAP config.
# The LDAP administrator will need to tell the slapd server
# how to map an authentication request DN to a user's
# authentication DN. This is done by adding one or more
# olcAuthzRegexp attributes to the cn=config backend.
# This attribute takes two arguments:
#
# olcAuthzRegexp <search pattern> <replacement pattern>
#
# Please note that more than one attribute can be specified.
# The LDAP server tries them sequentially; the first match wins.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=root,cn=[^,]*,cn=auth cn=admin,dc=kirner,dc=or,dc=at

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=Users,dc=kirner,dc=or,dc=at

# set the correct authentication policy
dn: cn=config
changetype: modify
add: olcAuthzPolicy
olcAuthzPolicy: to

# User passwords have to be stored as cleartext within the
# LDAP directory for DIGEST-MD5 to work
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CLEARTEXT}
</pre>
Load the file into the backend:
<pre>
sudo ldapadd -x -D cn=admin,cn=config -W -f /etc/ldap/sasl-digestmd5.ldif
</pre>
Then restart slapd:
<pre>
sudo service slapd restart
</pre>
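The two olcAuthzRegexp rules above decide which directory entry a SASL login acts as, so it helps to see the mapping on its own. The following Python is an added example, not part of the wiki page and not slapd's code: it re-implements the rule lookup (rules tried in the order they were added, first match wins, matching is case-insensitive, and, as assumed here, the pattern has to match the whole authentication DN, which is how slapd's documented patterns are written) and shows why the root rule must come first. Replacement patterns of the ldap:///...?sub?(...) search form that slapd also accepts are not covered.

```python
import re
from typing import List, Optional, Tuple

# The two rules from sasl-digestmd5.ldif, in the order they are added.
AUTHZ_REGEXP: List[Tuple[str, str]] = [
    (r"uid=root,cn=[^,]*,cn=auth", "cn=admin,dc=kirner,dc=or,dc=at"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "uid=$1,ou=Users,dc=kirner,dc=or,dc=at"),
]


def map_authc_dn(authc_dn: str, rules: List[Tuple[str, str]] = AUTHZ_REGEXP) -> Optional[str]:
    """Return the directory DN that the SASL authentication DN is rewritten
    to, or None when no rule matches (slapd then keeps the unmapped
    ...,cn=auth DN, which names no entry in the tree)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # slapd's $1..$9 in the replacement are the pattern's capture groups
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def ordering_matters() -> Tuple[Optional[str], Optional[str]]:
    """Map the root login with the page's order and with the rules swapped:
    in the swapped order the generic rule catches root first and maps it to
    a user entry that does not exist, so root loses its admin mapping."""
    root_dn = "uid=root,cn=digest-md5,cn=auth"
    return map_authc_dn(root_dn), map_authc_dn(root_dn, list(reversed(AUTHZ_REGEXP)))


if __name__ == "__main__":
    # Authentication DNs as slapd forms them for DIGEST-MD5 and for the
    # EXTERNAL mechanism over ldapi:/// (the latter is taken from the
    # Problems section of this page).
    for dn in ("uid=root,cn=digest-md5,cn=auth",
               "uid=martin,cn=digest-md5,cn=auth",
               "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"):
        print(dn, "->", map_authc_dn(dn))
    print("page order / swapped order:", ordering_matters())
```

The EXTERNAL peercred DN used by the ldapi:/// commands on this page matches neither rule; it is unaffected by these mappings and keeps whatever the default access rules of the config database grant it.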
=== Changing passwords ===
After this change the passwords have to be stored in cleartext, because DIGEST-MD5 needs the plaintext password on the server side, and olcPasswordHash: {CLEARTEXT} only applies to passwords set from now on, so every existing password has to be set again. The directory, and every copy of /var/lib/ldap made under "Backing up data", then contains the users' passwords in the clear, so read access to userPassword has to stay restricted by the access rules. A user can change their own password with the following command:
<pre>
sudo ldappasswd -x -D uid=martin,ou=Users,dc=kirner,dc=or,dc=at -W -s <new password> uid=martin,ou=Users,dc=kirner,dc=or,dc=at
</pre>
With -s the new password appears on the command line (shell history, process list); -S, as used in the last command below, prompts for it instead. A user's password can also be changed by the administrator:
<pre>
sudo ldappasswd -x -D cn=admin,dc=kirner,dc=or,dc=at -W -s <new password> uid=martin,ou=Users,dc=kirner,dc=or,dc=at
</pre>
Finally, the administrator's own password has to be changed as well:
<pre>
sudo ldappasswd -x -D cn=admin,dc=kirner,dc=or,dc=at -W -S cn=admin,dc=kirner,dc=or,dc=at
</pre>
=== Testing SASL access ===
Without -x the tools bind via SASL (DIGEST-MD5 here), and the login name is mapped to a directory DN by the olcAuthzRegexp rules. Query as a normal user:
<pre>
ldapsearch -b dc=kirner,dc=or,dc=at
</pre>
Query as the user root (mapped to cn=admin,dc=kirner,dc=or,dc=at by the first rule):
<pre>
sudo ldapsearch -b ou=Users,dc=kirner,dc=or,dc=at -LLL uid=martin
</pre>
== Securing with TLS/SSL ==
<pre>
sudo apt-get install gnutls-bin
</pre>
<pre>
sudo mkdir /var/ssl
cd /var/ssl
</pre>
Create the certtool template for the CA:
<pre>
sudo nano /var/ssl/ca.cfg
</pre>
<pre>
cn = kirner
ca
cert_signing_key
</pre>
=== Creating the CA certificate ===
<pre>
sudo sh -c "certtool --generate-privkey > cakey.pem"
sudo certtool --generate-self-signed --load-privkey cakey.pem --template ca.cfg --outfile cacert.pem
</pre>
=== Creating the private key for the server certificate ===
<pre>
sudo sh -c "certtool --generate-privkey > ldap_slapd_key.pem"
</pre>
=== Creating the server certificate ===
<pre>
sudo nano /var/ssl/slapd.cfg
</pre>
Insert the following content (the cn must be the host name the clients use in their LDAP URI, otherwise certificate verification on the client fails):
<pre>
organization = kirner
cn = ldap.kirner.or.at
tls_www_server
encryption_key
signing_key
</pre>
<pre>
sudo certtool --generate-certificate --load-privkey ldap_slapd_key.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template slapd.cfg --outfile ldap_slapd_cert.pem
</pre>
=== Installing the LDAP server certificate ===
The certificates are installed into /etc/ssl/certs and the private key into /etc/ssl/private, all owned by the openldap user and readable by it alone:
<pre>
sudo install -D -o openldap -g openldap -m 600 /var/ssl/ldap_slapd_key.pem /etc/ssl/private/ldap_slapd_key.pem
sudo install -D -o openldap -g openldap -m 600 /var/ssl/ldap_slapd_cert.pem /etc/ssl/certs/ldap_slapd_cert.pem
sudo install -D -o openldap -g openldap -m 600 /var/ssl/cacert.pem /etc/ssl/certs/ldap_slapd_cacert.pem
</pre>
=== Adjusting the configuration ===
<pre>
sudo nano /etc/ldap/tls.ldif
</pre>
<pre>
###########################################################
# CONFIGURATION for Support of TLS
###########################################################
# Add TLS supported access to user passwords for LDAP clients
# to the LDAP config.
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap_slapd_cacert.pem

dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem

#dn: cn=config
#changetype: modify
#delete: olcTLSCertificateFile

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
</pre>
Load the file into the backend:
<pre>
sudo ldapadd -x -D cn=admin,cn=config -W -f /etc/ldap/tls.ldif
</pre>
<pre>
sudo apt-get install ssl-cert
</pre>
Assign the certificates to the right users and groups:
<pre>
sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/ldap_slapd_key.pem
sudo chmod g+r /etc/ssl/certs/ldap_slapd_cert.pem
sudo chmod o-r /etc/ssl/certs/ldap_slapd_cert.pem
</pre>
<pre>
sudo service slapd restart
</pre>
=== Testing ===
{{note|The domain name in the URI must be resolvable; add it to /etc/hosts if necessary.}}
<pre>
sudo nano /etc/ldap/ldap.conf
</pre>
Adjust the content as follows:
<pre>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=kirner,dc=or,dc=at
URI ldap://ldap.kirner.or.at
ldap_version 3
ssl start_tls
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# For self signed certificates
TLS_CACERT /etc/ssl/certs/ldap_slapd_cacert.pem
TLS_REQCERT allow
</pre>
Since TLS_CACERT points at the CA that signed the server certificate, verification can succeed and TLS_REQCERT demand (the default) would work as well; allow only makes the client carry on when the server certificate fails verification. Search the config database over StartTLS (-Z requests StartTLS; -ZZ makes the search fail if it cannot be established):
<pre>
sudo ldapsearch -xLLL -Z -W -D cn=admin,cn=config -b cn=config cn=config
</pre>
The same search with debug output, for troubleshooting the TLS handshake:
<pre>
sudo ldapsearch -d 2 -xLLL -Z -W -D cn=admin,cn=config -b cn=config cn=config
</pre>
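As an added example (not from the wiki page), here is a small check of the client settings above. Two configurations are constructed from the page's ldap.conf: the one shown, and a variant with TLS_REQCERT demand. The lint function and its messages are this example's own; the keywords it looks at are ldap.conf(5) keywords, plus the two pam_ldap/nss_ldap keywords (ssl, ldap_version) that the page's file carries and that OpenLDAP's libldap skips as unknown, which is why the searches above need -Z to use StartTLS at all.

```python
from typing import Dict, List

# The client configuration from the page (constructed copy, comments dropped).
PAGE_CONF = """\
BASE dc=kirner,dc=or,dc=at
URI ldap://ldap.kirner.or.at
ldap_version 3
ssl start_tls
TLS_CACERT /etc/ssl/certs/ldap_slapd_cacert.pem
TLS_REQCERT allow
"""

# Hardened variant: verification is required and the ignored keywords are gone.
HARDENED_CONF = """\
BASE dc=kirner,dc=or,dc=at
URI ldap://ldap.kirner.or.at
TLS_CACERT /etc/ssl/certs/ldap_slapd_cacert.pem
TLS_REQCERT demand
"""

# Keywords of the pam_ldap/nss_ldap ldap.conf dialect; OpenLDAP's libldap
# (ldapsearch, ldapadd, ...) does not know them and skips the lines.
FOREIGN_KEYWORDS = {"SSL", "LDAP_VERSION"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf(5): one keyword and its value per line, keywords are
    case-insensitive, '#' starts a comment, a later line overrides an earlier one."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_ldap_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # demand is libldap's default
    if reqcert in ("never", "allow", "try"):
        findings.append(
            f"TLS_REQCERT {reqcert}: a server certificate that fails verification "
            "is accepted, so the StartTLS session does not protect against a "
            "substituted server")
    if reqcert in ("demand", "hard") and not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT demand without TLS_CACERT/TLS_CACERTDIR: "
                        "a private CA cannot be verified, StartTLS binds will fail")
    for key in sorted(FOREIGN_KEYWORDS & conf.keys()):
        findings.append(f"{key}: pam_ldap/nss_ldap keyword, ignored by libldap "
                        "(request StartTLS with -Z/-ZZ or in the application)")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", lint_ldap_conf(conf) or ["no findings"])
```

Run against the page's file the lint reports the allow setting and the two ignored keywords; the hardened variant, which still uses the CA certificate installed above, reports nothing.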
== Backing up data ==
Copy the database directory and the configuration directory (stop slapd first, or export with slapcat, to get a consistent copy of the database):
<pre>
sudo rm -r /var/lib/ldap.bak
sudo cp -rp /var/lib/ldap/ /var/lib/ldap.bak
sudo rm -r /etc/ldap/slapd.d.bak
sudo cp -rp /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
</pre>
== Problems ==
On a host with a newer slapd package (hostname VBox-16-4-Server), loading db.ldif fails:
<pre>
root@VBox-16-4-Server:/etc/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: No such object (32)
matched DN: cn=config
root@VBox-16-4-Server:/etc/ldap# ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
</pre>
The listing shows that the default database is olcDatabase={1}mdb rather than {1}hdb (newer slapd packages, e.g. on Ubuntu 16.04, use the mdb backend), so every olcDatabase={1}hdb,cn=config DN in db.ldif has to be replaced by the DN the search returns.
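A pre-flight check written for exactly this failure, as an added example that is not part of the wiki page: it parses the LDIF records of db.ldif, collects their target DNs and compares them with the olcDatabase DNs that the dn-only search returned. The LDIF excerpt and the DN list are constructed from the page's text; the parser and the suggestion logic are this example's own and cover only what ldapadd/ldapmodify need here (blank-line separated records, '#' comments, folded continuation lines, '::' base64 values and '-' separators).

```python
import base64
import re
from typing import Dict, List, Tuple

Record = Dict[str, List[str]]

# Excerpt of the page's db.ldif (constructed; three of its records).
DB_LDIF = """\
###########################################################
# DEFAULT DATABASE MODIFICATION
###########################################################
dn: olcDatabase={1}hdb,cn=config
changeType: modify
delete: olcSuffix

dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcSuffix
olcSuffix: dc=kirner,dc=or,dc=at

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
"""

# What the dn-only search printed on the host in the Problems section.
EXISTING_DNS = [
    "olcDatabase={-1}frontend,cn=config",
    "olcDatabase={0}config,cn=config",
    "olcDatabase={1}mdb,cn=config",
]


def _lines_to_record(lines: List[str]) -> Record:
    """Attribute names are lower-cased: LDIF is case-insensitive, which is
    why both changeType and changetype on the page work."""
    record: Record = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                     # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record.setdefault(name.strip().lower(), []).append(value.strip())
    return record


def parse_ldif_records(text: str) -> List[Record]:
    records: List[Record] = []
    pending: List[str] = []
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last record
        if raw.startswith("#"):
            continue                                  # comment line
        if raw.startswith(" ") and pending:
            pending[-1] += raw[1:]                    # folded continuation line
            continue
        if raw.strip() == "":
            if pending:
                records.append(_lines_to_record(pending))
                pending = []
            continue
        if raw.strip() == "-":
            continue                                  # separator between modifications
        pending.append(raw)
    return records


def preflight(ldif_text: str, existing_dns: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (problems, suggestions): problems lists records without dn or
    changetype and records whose dn is not on the server (what slapd reports
    as 'No such object (32)'); suggestions maps a missing olcDatabase DN to
    the existing DN with the same {n} index, e.g. {1}hdb -> {1}mdb."""
    existing = {dn.lower() for dn in existing_dns}
    problems: List[str] = []
    suggestions: Dict[str, str] = {}
    for number, record in enumerate(parse_ldif_records(ldif_text), start=1):
        dn = record.get("dn", [""])[0]
        if not dn or "changetype" not in record:
            problems.append(f"record {number}: missing dn or changetype")
            continue
        if dn.lower() in existing:
            continue
        problems.append(f"record {number}: no such object: {dn}")
        m = re.match(r"olcDatabase=\{(-?\d+)\}\w+,(.+)$", dn, re.IGNORECASE)
        if m:
            prefix = "olcdatabase={%s}" % m.group(1)
            suffix = "," + m.group(2).lower()
            for candidate in existing_dns:
                low = candidate.lower()
                if low.startswith(prefix) and low.endswith(suffix):
                    suggestions[dn] = candidate
    return problems, suggestions


if __name__ == "__main__":
    found, fixes = preflight(DB_LDIF, EXISTING_DNS)
    print("\n".join(found) or "all target DNs exist")
    for missing, present in fixes.items():
        print(f"replace {missing} with {present}")
```

On a real host the EXISTING_DNS list is simply the output of the dn-only ldapsearch from the Problems section; running the check before ldapadd turns the opaque "No such object (32)" into the record numbers and the replacement DN.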
== Links ==
https://wiki.ubuntuusers.de/OpenLDAP_ab_Precise/
https://help.ubuntu.com/lts/serverguide/openldap-server.html
http://linx-qh.de/openldap-server-auf-ubuntu-server-14-04-installieren-und-einrichten/
https://wiki.ubuntuusers.de/Archiv/OpenLDAP/#migration