administration:ldap

Differences

This shows you the differences between two versions of the page.

administration:ldap [2013/01/26 22:20] – created damir
administration:ldap [2013/01/26 22:44] (current) damir
Line 1: Line 1:
 ====== cn=config ====== ====== cn=config ======
-in LDAP all configurations can be registered inside a file /etc/openldap/slapd.con, or inside the DB itself, using the cn=config subtree. the version of openldap >=2.4 use by default the cn=config method, the slapd.conf system can be usedbut it must be considered abandoned. +in LDAP all configurations can be registered inside a file /etc/openldap/slapd.con, or inside the DB itself, using the cn=config subtree. The version of openldap >=2.4 use by default the cn=config method, the slapd.conf system can be used but it must be considered abandoned.\\ 
-once the slapd configuration move to cn=config all the information about the structure and/or permissions to access the DB must be managed using the cn=config sub-tree and the manager for this tree. +Once the slapd configuration is moved to cn=configall the information about the structure and/or permissions to access the DB must be managed using the cn=config sub-tree whit the manager defined for this tree.\\ 
-the manager can be defined as you like, but is common to use "cn=manager,cn=config" or "cn=admin,cn=config" as manager identification. +the manager can be defined as you like, but is common to use "cn=manager,cn=config" or "cn=admin,cn=config" as identification. 
-the passage to cn=config method means that all the variation to the configuration are activated using the standard ldap<modify/add/modrn/search/delete> commands we use to manage the principal DB (the one containing the users informations) and are active immediately, there's no need to stop/relaunch the slapd daemon.+the passage to cn=config method means that all the variation to the configuration are activated using the standard ldap<modify/add/modrn/search/delete> commands we use to manage the principal DB (the one containing the users/computers/groups/mounts/email informations) and are active immediately, there's no need to stop/relaunch the slapd daemon.
  
 ===== cn=config manager ===== ===== cn=config manager =====
-the cn=config manager is defined inside one of the files used by slapd to run the service: **/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif**. look inside and you should find 2 fields:+the cn=config manager is defined inside one of the files used by slapd to run the service: **/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif**. looking inside you should find 2 fields:
 <code> <code>
 olcRootDN: cn=manager,cn=config olcRootDN: cn=manager,cn=config
 olcRootPW: {SSHA}2c....... olcRootPW: {SSHA}2c.......
 </code> </code>
- as you probably imagined, they define the name of the manager and the password associated. +As you probably imagined, they define the name of the manager and the password associated. 
-in both cases you can change the values of these fields by writing directly inside the file but in this case you must relaunch the slapd servicebetter to configure these fields correctly before going in production. +in both cases you can change the values of these fields by writing directly inside the file but you must relaunch the slapd service, so it'better to configure these fields correctly before going in production.\\ 
-in case you need to change the password you can use the **slappasswd** commandthat generate an encrypted password that you passed on the command line or entered interactively.+In case you need to change the password you can use the **slappasswd** command that generate an encrypted password of what you passed on the command line or entered interactively.
  
-====== add a schema ====== +===== add a schema ===== 
-if you need to add a schema to the slapd configuration, you cannot just add a line, as it happens with the slapd.conf file. instead you must generate a ldif file that contain the schema you want to add and the you can add the schema to the DB in production. +if you need to add a schema to the slapd configuration, you cannot just add a line, as it happens with the slapd.conf file. Instead you must generate a .ldif file that contain the schema you want to add and only then you can add the schema to the DB in production.\\ 
-to generate the ldif file containing the schema you can use the same command used to generate the initial cn=config structure from the existing slapd.conf file, but as this means that a new cn=config structure will be created, **never** use the transform command inside the production slapd.d directory. +To generate the ldif file containing the schema you can use the same command used to generate the initial cn=config structure from the existing slapd.conf file, but as this means that a new cn=config structure will be created, **never** use the transform command inside the production slapd.d directory.\\ 
-It's for sure better that you create a new directory somewhere in the disc and move inside thi to create the new ldif and cn=config structure.+It's for sure better that you create a new directory somewhere in the disc and move inside this to create the new ldif and cn=config structure.
 <code> <code>
 mkdir /tmp/newschema mkdir /tmp/newschema
 cd /tmp/newschema cd /tmp/newschema
 cp /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema . cp /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema .
-echo >newschema <<EOF+echo >newschema.conf <<EOF
 # #
 include /etc/openldap/schema/kerberos.schema include /etc/openldap/schema/kerberos.schema
 EOF EOF
-slaptest -f schema.conf -F /tmp/newschema+ 
 +slaptest -f newschema.conf -F /tmp/newschema
 ls -R /tmp/newschema ls -R /tmp/newschema
 /tmp/newschema/: /tmp/newschema/:
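Review bot: the heredoc on the line `echo >newschema.conf <<EOF` (new version) never reaches the file, because `echo` does not read standard input; newschema.conf ends up holding a single newline, the `include` line is lost, and `slaptest -f newschema.conf -F /tmp/newschema` has no schema to convert. Use `cat >newschema.conf <<EOF` instead. In the same block, the `include` points at /etc/openldap/schema/kerberos.schema while the preceding `cp` put the schema in /tmp/newschema; either include ./kerberos.schema (or /tmp/newschema/kerberos.schema) or drop the copy, so the page does not depend on a file that may not be installed there. Smaller fixes in this hunk's prose: "/etc/openldap/slapd.con" should read slapd.conf, "modrn" should be modrdn, and "whit the manager" should be "with the manager".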
Line 44: Line 45:
  
 </code> </code>
-With the line codes above we created the //.ldif// containing the information about the kerberos schema we want to add (the schema is provided by the //krb5-server-ldap// package on Centos 6.2. the ls -R command shows the structure created by the **slaptest** conversion utility, **the base directory, passed with the -F option MUST exist**.\\ +With the code lines above we created the //.ldif// file containing the information about the kerberos schema we want to add
-Once we have the needed //.ldif// file, we must edit it so it can be aded to an existing structure (the structure files created by slaptest are considered always as independent). +  * The schema is provided by the //krb5-server-ldap// package on Centos 6.2. 
-we do this by changing and deleting some lines contained in the .ldif file defining the schema we want to add:+  * The ls -R command shows the structure created by the **slaptest** conversion utility inside the /tmp/newschema, **the base directory, passed with the -F option MUST exist**.\\ 
 +Once we have the needed //.ldif// file, we must edit it so it can be added to an existing structure (the structure files created by slaptest are considered always as independent, so you must not misc existing files with new ones). 
 +We do this by changing some lines in the .ldif file the define the schema we want to add:
   - the line defining the record must be changed to remove any reference to the index position of the record   - the line defining the record must be changed to remove any reference to the index position of the record
-  - the lines defining the creation of the record mus be deleted from the file.+  - the lines defining the creation of the record must be deleted from the file.
 in our case, we changed the first 3 lines of the file "cn=config/cn=schema/cn={0}kerberos.ldif" from: in our case, we changed the first 3 lines of the file "cn=config/cn=schema/cn={0}kerberos.ldif" from:
 <code> <code>
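Review bot: the two edit steps would be easier to follow if they named the lines they apply to. Step 1 is the `dn:` line, where `cn={0}kerberos` must become `cn=kerberos` so the running server assigns its own index instead of colliding with whatever already occupies `{0}`; step 2 covers the operational attributes that slaptest wrote (entryUUID, modifiersName, modifyTimestamp and the similar lines between them, shown in the following hunks), which are NO-USER-MODIFICATION and cause ldapadd to reject the entry if left in. Typos: "must not misc existing files" should be "mix", and "the .ldif file the define" should be "that define".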
Line 62: Line 65:
 </code> </code>
  
-then we deleted the last 7 lines of the files, containing:+then we deleted the last 7 lines of the files, from:
 <code> <code>
 entryUUID: ........ entryUUID: ........
Line 70: Line 73:
 modifiersName: cn=config modifiersName: cn=config
 modifyTimestamp: ...... modifyTimestamp: ......
-</> +</code
-and we inserted an empty line in place. remember that every .ldif file must contain an empty line to comlete the command.+to
 <code> <code>
 [empty line] [empty line]
-</.code>+</code> 
 +Remember that every .ldif file must contain an empty line to complete the command.
  
-once we did this we can add the new schema to the esisting structure of the ldap server we have in production using the command:+Once we do this we can add the new schema to the existing structure of the ldap server we have in production using the command:
 <code> <code>
 ldapadd -x -D "cn=manager,cn=config" -W -f /tmp/newschema/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif ldapadd -x -D "cn=manager,cn=config" -W -f /tmp/newschema/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif
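Review bot: the new version of the closing tag reads `</code` without the `>`, so DokuWiki will not end the code block and everything after it renders as code; restore `</code>`. On the ldapadd line, `-x -D "cn=manager,cn=config" -W` is a simple bind that sends the cn=config manager password to the server; if the server is not on localhost it goes over the wire in cleartext unless `-ZZ` (StartTLS) or `-H ldapi:///` (local UNIX socket) is added, so the page should state which it assumes, or point root on the same host at `-H ldapi:/// -Y EXTERNAL` where olcAccess allows it. The backslash-escaped path works, but quoting is simpler and less error-prone: `-f "/tmp/newschema/cn=config/cn=schema/cn={0}kerberos.ldif"`.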
Line 93: Line 97:
 add: olcAccess add: olcAccess
 olcAccess: {0} to attrs=sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet, olcAccess: {0} to attrs=sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet,
- shadowLastChange by dn.base="cn=manager,dc=kandou,dc=com" write by dn.base="uid=sambamanager, + shadowLastChange by dn.base="cn=manager,dc=....." write by dn.base="uid=sambamanager, 
- dc=kandou,dc=com" write by dn.base="uid=cangiani,ou=users,dc=kandou,dc=com" write by + dc=....." write by dn.base="uid=....,ou=...,dc=...." write by 
- dn.base="uid=damir,ou=users,dc=kandou,dc=com" write by anonymous auth by self write by * none+ dn.base="uid=....,ou=...,dc=...." write by anonymous auth by self write by * none
  
 </code> </code>
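Review bot: the DNs replaced in the new version (`dc=.....`, `uid=....,ou=...`) are placeholders and the text should say so, otherwise a reader may paste the rule as-is and lock out the intended managers. The rule itself is the right shape for password attributes: `by anonymous auth` lets clients bind without being able to read the hashes, `by self write` lets a user change their own password, and `by * none` closes everything else; because olcAccess rules are first-match, keep this one at index {0} so a later, broader rule cannot grant read on these attributes. One LDIF detail worth a sentence: the wrapped value's continuation lines must begin with exactly one space, as shown here, or the value is not reassembled correctly.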
administration/ldap.1359238834.txt.gz · Last modified: 2013/01/26 22:20 by damir