administration:ldap [2013/01/26 22:44] (current) damir
====== cn=config ======
In OpenLDAP the server configuration can live either in the file /etc/openldap/slapd.conf or inside the directory itself, in the cn=config subtree (the "slapd-config" or online configuration backend). OpenLDAP >= 2.4 uses cn=config by default; slapd.conf is still accepted but is deprecated and must be considered abandoned.\\ 
Once the slapd configuration has been moved to cn=config, all information about the structure of the directory and the permissions to access it is managed through the cn=config sub-tree, authenticating as the manager (rootdn) defined for that tree.\\ 
The manager can be named as you like, but it is common to use "cn=manager,cn=config" or "cn=admin,cn=config" as its identity.\\ 
The move to cn=config means that every change to the configuration is made with the same standard ldapmodify/ldapadd/ldapmodrdn/ldapsearch/ldapdelete commands we use to manage the main DB (the one holding the users/computers/groups/mounts/email entries), and it takes effect immediately: there is no need to stop and restart the slapd daemon.
  
===== cn=config manager =====
The cn=config manager is defined inside one of the files slapd reads to run the service: **/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif**. Looking inside you should find 2 fields:
<code>
olcRootDN: cn=manager,cn=config
olcRootPW: {SSHA}2c.......
</code>
As you probably imagined, they define the name of the manager and the password associated with it, stored as a salted SHA-1 hash (that is what the {SSHA} prefix means).\\ 
You can change the values of these fields by writing directly into the file, but slapd must be stopped while you edit it and restarted afterwards, so it is better to configure these fields correctly before going into production; after that, change them with ldapmodify like any other cn=config attribute. Keep the file readable only by the account slapd runs as: whoever can read the hash can attack it offline.\\ 
In case you need to change the password you can use the **slappasswd** command, which prints the hashed form of a password passed on the command line (-s) or entered interactively. Prefer the interactive prompt on shared hosts, because a password given with -s shows up in the process list and the shell history.
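Changing the manager password without touching olcDatabase={0}config.ldif is a good first exercise in the cn=config method described above. The script below is an added example, not part of the original page: it builds the LDIF modify record for olcRootPW from a slappasswd hash and pushes it with ldapmodify, then reads the rootdn back from the live tree. It assumes slapd listens on ldapi:/// and that the distribution's default olcAccess on the config database lets the local root user manage cn=config via SASL EXTERNAL (otherwise bind as the current manager with -x -D cn=manager,cn=config -W); the DN cn=manager,cn=config is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): rotate the cn=config rootpw
# online with ldapmodify instead of editing the slapd.d file and restarting.
# Assumptions: slapd listens on ldapi:/// and the default olcAccess grants the
# local root user manage rights over cn=config through SASL EXTERNAL.
set -eu

CONFIG_DB_DN='olcDatabase={0}config,cn=config'
LDAPI_URI='ldapi:///'

# LDIF change record that replaces olcRootPW with an already hashed value.
# $1 = hash as printed by slappasswd, e.g. {SSHA}...; the cleartext never
# appears here, so the record is safe to keep in a change ticket.
rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n\n' \
        "$CONFIG_DB_DN" "$1"
}

# Refuse to push anything that is not a hash: a plain string would be stored
# as a cleartext password and happily accepted by simple bind.
is_hashed() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# slappasswd prompts twice and prints the {SSHA} hash; no -s, so the new
# password does not leak into the process list or shell history.
change_config_rootpw() {
    hash=$(slappasswd)
    is_hashed "$hash" || { echo "slappasswd did not return a hash" >&2; return 1; }
    rootpw_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
}

# Verify on the live tree, no restart involved. Only olcRootDN is requested,
# so the hash itself is not printed.
show_config_rootdn() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI_URI" -b "$CONFIG_DB_DN" -s base olcRootDN
}

# Usage: sh rootpw.sh change
if [ "${1:-}" = "change" ]; then
    change_config_rootpw && show_config_rootdn
fi
```

The same record with changetype: modify and replace: olcRootDN renames the manager; both changes are effective as soon as ldapmodify returns.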
  
===== add a schema =====
If you need to add a schema to the slapd configuration you cannot just add an "include" line, as you would with the slapd.conf file. Instead you must generate an .ldif file containing the schema you want to add, and only then add that schema to the production DB with ldapadd.\\ 
To generate the ldif file containing the schema you can use the same command that generates the initial cn=config structure from an existing slapd.conf file (**slaptest**). Because this creates a whole new cn=config structure, **never** run the conversion against the production slapd.d directory.\\ 
Create a new directory somewhere on disk and work inside it to produce the new ldif and cn=config structure.
<code>
mkdir /tmp/newschema
...
include /etc/openldap/schema/kerberos.schema
EOF

slaptest -f newschema.conf -F /tmp/newschema
ls -R /tmp/newschema
...
</code>
With the commands above we created the //.ldif// file containing the kerberos schema we want to add:
  * The schema is provided by the //krb5-server-ldap// package on CentOS 6.2.
  * The ls -R command shows the structure created by the **slaptest** conversion utility inside /tmp/newschema; **the base directory passed with the -F option MUST exist**.\\
Once we have the needed //.ldif// file we must edit it so it can be added to an existing structure: the files created by slaptest always describe an independent, complete cn=config tree (the schema entry carries an index such as {0} in its dn and cn, plus operational attributes that slapd generated for that scratch tree), so you must not mix these new files with the existing ones.
We do this by changing some lines in the .ldif file that defines the schema we want to add:
<code>
...
modifiersName: cn=config
modifyTimestamp: ......
</code>
to
<code>
[empty line]
</code>
Remember that an empty line terminates an LDIF record, so leave one at the end of the file.
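The whole procedure, conversion in a scratch directory followed by the edit of the generated file, is easy to get wrong by hand, so here it is as a script. This is an added example, not the page's own commands: the paths (/tmp/newschema, /etc/openldap/schema/core.schema as the dependency that provides cn for krbContainer), the ldapi:/// SASL EXTERNAL bind for the final ldapadd, and the sample slaptest output embedded for offline testing are all assumptions; use -x -D cn=manager,cn=config -W instead if your olcAccess does not grant the local root user manage rights over cn=config.

```shell
#!/bin/sh
# Added example (not from the original page): turn a .schema file into an LDIF
# that can be added to the live cn=config tree. slaptest only ever runs in a
# scratch directory, never in /etc/openldap/slapd.d.
set -eu

# Run slaptest on a conf that includes the dependencies first and the new
# schema last, so the new schema gets the highest {N} index.
# $1 = new .schema, $2 = scratch dir (created if needed), $3.. = schemas it depends on
convert_schema() {
    new="$1"; scratch="$2"; shift 2
    mkdir -p "$scratch"
    {
        for dep in "$@"; do printf 'include %s\n' "$dep"; done
        printf 'include %s\n' "$new"
    } > "$scratch/newschema.conf"
    slaptest -f "$scratch/newschema.conf" -F "$scratch" >/dev/null
    # slaptest writes cn=config/cn=schema/cn={N}<name>.ldif; print the new one
    name=$(basename "$new" .schema)
    printf '%s\n' "$scratch"/cn=config/cn=schema/cn=\{*\}"$name".ldif
}

# Rewrite a slaptest-generated schema LDIF for an existing cn=config:
#  - dn is a bare RDN with an index, cn={N}name: make it a full DN without the
#    index (slapd assigns the next free index on add),
#  - cn loses the index for the same reason,
#  - operational attributes generated for the scratch tree are dropped, since
#    ldapadd must not supply them.
# Continuation lines (leading space) are untouched, so wrapped values survive.
# $1 = generated .ldif, cleaned LDIF on stdout
clean_schema_ldif() {
    sed -E \
        -e 's/^dn: cn=\{[0-9]+\}([^,]+)$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: \{[0-9]+\}(.*)$/cn: \1/' \
        -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d' \
        "$1"
}

# Constructed sample of what slaptest writes for a schema (values shortened),
# so clean_schema_ldif can be exercised where slaptest is not installed.
sample_slaptest_output() {
    cat <<'EOF'
dn: cn={1}kerberos
objectClass: olcSchemaConfig
cn: {1}kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' E
 QUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top
  STRUCTURAL MUST ( cn ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20130126222800Z
entryCSN: 20130126222800.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130126222800Z
EOF
}

# Against a real server: convert, clean, add. Effective immediately, no restart.
# $1 = new .schema, $2 = scratch dir
add_schema_live() {
    generated=$(convert_schema "$1" "$2" /etc/openldap/schema/core.schema)
    clean_schema_ldif "$generated" > "$2/cleaned.ldif"
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$2/cleaned.ldif"
}

# Usage: sh addschema.sh add /etc/openldap/schema/kerberos.schema /tmp/newschema
if [ "${1:-}" = "add" ]; then
    add_schema_live "$2" "${3:-/tmp/newschema}"
fi
```

Afterwards ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn lists the new entry with the index slapd chose for it.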
  
administration/ldap.1359239330.txt.gz · Last modified: 2013/01/26 22:28 by damir