
LDAP (Lightweight Directory Access Protocol)

testé sur Centos 7

# yum install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

# systemctl start slapd.service

# systemctl enable slapd.service

# netstat -antup | grep -i 389 (vérifier si le port est à l'écoute)

# slappasswd

{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (à conserver pour la suite de l'installation)

# nano /etc/openldap/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=DOMAIN,dc=TLD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=MANAGER,dc=DOMAIN,dc=TLD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# cd /etc/openldap/

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

# nano monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=MANAGER,dc=DOMAIN,dc=TLD" read by * none

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

# slaptest -u

doit se terminer par « config file testing succeeded »

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# chown ldap:ldap /var/lib/ldap/*

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

# nano base.ldif

dn: dc=DOMAIN,dc=TLD
dc: DOMAIN
objectClass: top
objectClass: domain

dn: cn=MANAGER,dc=DOMAIN,dc=TLD
objectClass: organizationalRole
cn: MANAGER
description: LDAP Manager

dn: ou=People,dc=DOMAIN,dc=TLD
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=DOMAIN,dc=TLD
objectClass: organizationalUnit
ou: Group

# ldapadd -x -W -D "cn=MANAGER,dc=DOMAIN,dc=TLD" -f base.ldif

# nano john.ldif

dn: uid=john,ou=People,dc=DOMAIN,dc=TLD
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
gecos: John [Admin (at) NAME SERVER]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

# ldapadd -x -W -D "cn=MANAGER,dc=DOMAIN,dc=TLD" -f john.ldif

# ldappasswd -s Maux2Pass -W -D "cn=MANAGER,dc=DOMAIN,dc=TLD" -x "uid=john,ou=People,dc=DOMAIN,dc=TLD"   (avec -s le mot de passe reste dans l'historique du shell et dans la liste des processus ; -S le demande de façon interactive)

# firewall-cmd --permanent --add-service=ldap

# firewall-cmd --reload

# nano /etc/rsyslog.conf

ajouter: local4.* /var/log/ldap.log

# systemctl restart rsyslog

# yum install -y openldap-clients nss-pam-ldapd

# authconfig --enableldap --enableldapauth --ldapserver=192.168.0.15 --ldapbasedn="dc=DOMAIN,dc=TLD" --enablemkhomedir --update   (sans --enableldaptls, l'authentification transite en clair sur le port 389 ; voir la section TLS ci-dessous)

# nano /etc/phpldapadmin/config.php

$servers->setValue('server','name','NAME LDAP Server');
$servers->setValue('server','host','192.168.0.15');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=DOMAIN,dc=TLD'));
$servers->setValue('login','bind_id','cn=MANAGER,dc=DOMAIN,dc=TLD');
$servers->setValue('login','attr','dn');
//$servers->setValue('login','attr','uid');

Si on veut supprimer complètement LDAP (désinstallation, configuration et données comprises) :

# systemctl disable slapd

# systemctl stop slapd

# rm -rf /var/lib/ldap

# rm -rf /etc/openldap

# rm -rf /etc/ldap

# rm -rf /usr/lib/ldap

# userdel ldap

# yum remove openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

TLS

testé sur Debian 8 Jessie

Création d'une autorité de certification

# apt install openssl

# export PATH=$PATH:/usr/lib/ssl/misc

# mkdir /usr/lib/ssl/divers/ca

# cd /usr/lib/ssl/divers/ca

# CA.sh -newca

	Country code: FR
	cn: DOMAIN Root CA

# chmod -R go-rwx /usr/lib/ssl/divers/ca/

Création de la clé privée + certificat

# openssl req -new -nodes -keyout newreq.pem -out newreq.pem

# /usr/lib/ssl/misc/CA.sh -sign

# cat newreq.pem newcert.pem > new.pem

# mv newreq.pem ldap-key.pem

# mv newcert.pem ldap-cert.pem

# cp /usr/lib/ssl/divers/ca/demoCA/cacert.pem /etc/ssl/certs/

# chmod go+r /etc/ssl/certs/cacert.pem

# cp /usr/lib/ssl/divers/ca/*.pem /etc/ldap/ssl/

# chown -R root:openldap /etc/ldap/ssl

# chmod -R o-rwx /etc/ldap/ssl

# vim tls.ldif

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap-key.pem

# ldapmodify -QY EXTERNAL -H ldapi:/// -f tls.ldif

	Si la commande vous renvoie une erreur, vous pouvez éditer le fichier /etc/ldap/slapd.d/cn=config.ldif (slapd arrêté pendant l'édition) en ajoutant ces lignes à la fin du fichier :
	olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem   (ci-dessus, cacert.pem n'est copié que dans /etc/ssl/certs/ ; utiliser le même chemin que dans tls.ldif)
	olcTLSCertificateFile: /etc/ldap/ssl/ldap-cert.pem
	olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap-key.pem
 
	Pour ne pas avoir d'erreur de checksum, il est nécessaire d'ajouter le nouveau checksum dans l'entête du fichier.
	# crc32 <(cat /etc/ldap/slapd.d/cn=config.ldif | tail -n +3)

# vim /etc/ldap/ldap.conf

#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
BASE    dc=DOMAIN,dc=TLD
URI     ldaps://DOMAIN.TLD
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# TLS certificates (needed for GnuTLS)
TLS_REQCERT 	demand
TLS_CACERT      /etc/ssl/certs/cacert.pem

# vim /etc/default/slapd

	modifier cette ligne:
SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:/// ldaps:///"

# systemctl restart slapd

# systemctl status slapd

Tests

# netstat -tunlp | grep slapd

# ldapsearch -x
