Openldap
October 18th, 2016
Table of contents
Modifying access rights
Commands
Modifying institution-specific schemas
Creating institution-specific schemas
Changing the admin password
Installing an openldap server on Debian 7
Configuring an openldap client on Debian 7
Installing an openldap server on CentOS 6.3
Configuring an openldap client on CentOS 6.3
Modifying access rights
Example LDIF file:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
olcAccess: {1}to dn.subtree="ou=people,dc=domaine,dc=fr" attrs=objectClass,entry,mail,telephonenumber,roomnumber by * read
olcAccess: {2}to * by dn="cn=admin,dc=domaine,dc=fr" write by dn="cn=consultation,ou=adm,dc=domaine,dc=fr" read by * none
Anonymous binds are allowed
Everyone can read a few attributes (objectClass, entry, mail, telephonenumber, roomnumber)
The admin has write access to everything
A read-only "consultation" account has read access to everything
Otherwise there is no access
Applying it with ldapmodify:
/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f fichier.ldif
Verification:
ldapsearch -Y external -H ldapi:/// -LLL -b cn=config olcAccess
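To see what these three rules actually grant before applying them, here is an added Python model of slapd's evaluation order (this is not code from the page, and it deliberately covers only the directives used above: `to *`, `to attrs=`, `to dn.subtree=`, and `by anonymous | self | dn= | *`, with a plain `dn="..."` treated as an exact match). slapd stops at the first `to` clause whose target matches, then takes the first matching `by` clause inside it, and a `to` clause whose `by` list matches nobody denies. Two consequences worth checking with this ACL: under rule {0}, cn=admin gets no access to userPassword at all (unless cn=admin is the database's olcRootDN, which bypasses ACLs and is not modelled here), and inside ou=people rule {1} caps everyone, admin included, at read on mail and the other listed attributes. The Debian default ACL shown further down (`by self write by anonymous auth by dn="cn=admin,..." write by * none`) is the usual way to avoid the first problem.

```python
"""Model of how slapd evaluates the three olcAccess rules above.

Added example, not from the page. Assumptions: only the directives used on
the page are modelled (to *, to attrs=, to dn.subtree=, by anonymous, by self,
by dn=, by *); a plain dn="..." is treated as an exact match; the database
rootdn, which bypasses ACLs entirely, is not represented.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]

# The page's three rules, transcribed into a constructed data structure.
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [("anonymous", "auth")]},
    {"subtree": "ou=people,dc=domaine,dc=fr",
     "attrs": {"objectclass", "entry", "mail", "telephonenumber", "roomnumber"},
     "by": [("*", "read")]},
    {"by": [("dn:cn=admin,dc=domaine,dc=fr", "write"),
            ("dn:cn=consultation,ou=adm,dc=domaine,dc=fr", "read"),
            ("*", "none")]},
]


def _norm(dn):
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_subtree(dn, base):
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def _to_matches(rule, target_dn, attr):
    """A 'to' clause matches when both its dn and attrs selectors accept the target."""
    if "subtree" in rule and not _in_subtree(target_dn, rule["subtree"]):
        return False
    if "attrs" in rule and attr.lower() not in rule["attrs"]:
        return False
    return True


def _by_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(target_dn)
    if who.startswith("dn:"):
        return bind_dn is not None and _norm(bind_dn) == _norm(who[3:])
    raise ValueError("unsupported 'by' selector: " + who)


def granted(bind_dn, target_dn, attr, acl=ACL):
    """Access level the bound identity (None = anonymous) gets on attr of target_dn.

    slapd stops at the first 'to' clause that matches; inside it the first
    matching 'by' clause decides, and if none matches the answer is 'none'.
    """
    for rule in acl:
        if not _to_matches(rule, target_dn, attr):
            continue
        for who, level in rule["by"]:
            if _by_matches(who, bind_dn, target_dn):
                return level
        return "none"   # implicit trailing 'by * none'
    return "none"       # no clause matched at all


def allows(bind_dn, target_dn, attr, wanted, acl=ACL):
    """True when the granted level is at least `wanted` (levels are cumulative)."""
    return LEVELS.index(granted(bind_dn, target_dn, attr, acl)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    entry = "uid=u1,ou=people,dc=domaine,dc=fr"
    for who in (None, "cn=consultation,ou=adm,dc=domaine,dc=fr", "cn=admin,dc=domaine,dc=fr"):
        for attr in ("userPassword", "mail", "sn"):
            print(who or "anonymous", attr, granted(who, entry, attr))
```

Running it prints the matrix of identities against userPassword, mail and sn; the admin row shows `none` for userPassword and `read` for mail, which is what the ACL really says even though the intent was "write on everything".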
Commands
ldapadd
ldapadd -xvD cn=admin,dc=myorg,dc=fr -f zzz.ldif -y /root/adminpasswd
Where:
/root/adminpasswd : file containing the admin password
zzz.ldif : here, the creation of an OU
dn: ou=people,dc=myorg,dc=fr
objectClass: organizationalUnit
ou: people
ldapsearch
ldapsearch -xvD cn=admin,dc=myorg,dc=fr -y /root/adminpasswd -s sub -b 'ou=people,dc=myorg,dc=fr' 'cn=User Test'
Where:
/root/adminpasswd : file containing the admin password
Checking the structure of the database:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Checking the access rights on the database:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
ldapmodify
ldapmodify -xvD cn=admin,dc=myorg,dc=fr -y /root/adminpasswd -f modif.ldif
Where:
/root/adminpasswd : file containing the admin password
and modif.ldif :
dn: cn=Machin Francois,OU=autres,OU=people,DC=myorg,DC=fr
changetype: modify
replace: userpassword
userpassword: {SSHA}kkLlfdmlfB1wpbKnmr8DAwhAUJzYWx0
Preliminary note
"Historically OpenLDAP has been statically configured, that is, to make a change to the configuration the slapd.conf file was modified and slapd stopped and started. In the case of larger users this could take a considerable period of time and had become increasingly unacceptable as an operational method. OpenLDAP version 2.3 introduced an optional new feature whereby configuration may be performed at run-time using a DIT entry called cn=config. The feature is known by a varied and confusing number of terms including on-line configuration (OLC) (our favorite), zero down-time configuration, cn=config and slapd.d configuration. First, a number of points:
The feature is (at version 2.4) still optional which means that slapd.conf, while formally deprecated, will continue to work.
OpenLDAP has a history of being quite brutal about withdrawing support of older capabilities. This means that migration to on-line configuration (OLC, cn=config) should be contemplated as soon as practical. Better to do it when you don't need the new release than to be forced to take a new release because of a critical bug AND have to migrate to the new configuration regime.
on-line configuration (OLC) uses a configuration DIT (with a hardcoded suffix of cn=config) to control the operational configuration. Conceptually by modifying entries in this DIT (using an LDAP Browser or LDIF files) immediate changes to slapd's operational behaviour are triggered without having to restart slapd as you would after making changes to slapd.conf."
Source: http://www.zytrax.com/books/ldap/ch6/slapd-config.html
Modifying institution-specific schemas
Displaying the attributeTypes of a schema
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -s sub -b cn=schema,cn=config "(cn={6}Etu-attributes)" olcAttributeTypes
Adding an attributeType to a schema (continuation lines of the LDIF value start with a space):
# more add_attributetype
dn: cn={6}Etu-attributes,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.7135.1.3.93
 NAME 'etuDateFinInscription'
 EQUALITY generalizedTimeMatch
 ORDERING generalizedTimeOrderingMatch
 SINGLE-VALUE
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
Modifying the directory:
ldapmodify -Y EXTERNAL -H ldapi:/// -f add_attributetype
Displaying an objectClass
ldapsearch -Y EXTERNAL -H ldapi:/// -s sub -b cn=schema,cn=config "(cn={7}Etu)" olcObjectClasses
Modifying an objectClass: adding an attributeType
# more mod_olcObjectClasses
dn: cn={7}Etu,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.7135.1.3.1 NAME 'Etu' DESC 'Etudiant' SUP inetOrgPerson STRUCTURAL MAY ( etuDateFinInscription $ etuDateNaissance $ etuVilleNaissance $ etuDepNaissance ) )
Modifying the directory:
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_olcObjectClasses
Source: http://docs.oracle.com/cd/E19693-01/819-0995/bcatd/index.html
Listing the schemas
ldapsearch -Y EXTERNAL -H ldapi:/// -s sub -b cn=schema,cn=config
Creating institution-specific schemas
Creating the attributeTypes
Use an official OID if possible, see https://services.renater.fr/documentation/supann/oids.
The last number is used to number the attributeTypes and objectClasses created (in slapd.conf-style schema files, continuation lines start with whitespace):
attributetype ( 1.3.6.1.4.1.71xx.1.3.94
    NAME 'etuDateNaissance'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
Creating an objectClass
objectClass ( 1.3.6.1.4.1.71xx.1.3.1
    NAME 'Etu'
    DESC 'Etudiant'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( etuDateNaissance $ etuVilleNaissance $ etuDepNaissance $ etuPaysNaissance )
    )
Then follow the same process as explained below in the section "Installing the supann 2009 schema".
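Before converting a home-grown schema it is worth checking that each OID under the chosen arc is used once and that every attribute an objectClass lists in MUST or MAY is either defined or inherited through SUP; slapd refuses the schema otherwise, and with cn=config that failure shows up only at ldapadd time. Added Python example, not from the page: the definitions below are constructed from the page's etuDateFinInscription, etuDateNaissance and Etu, all placed under the 1.3.6.1.4.1.7135 arc the page uses, so the checker reports the three attributes the Etu objectClass lists but the page never defines.

```python
"""Consistency check for home-grown attributetype/objectClass definitions.

Added example, not from the page. Parses the slapd.conf-style definitions
shown above (single NAME only, MUST/MAY lists) and reports OIDs used twice
and attributes an objectClass references without defining. The definitions
below are constructed from the page's etuDateFinInscription, etuDateNaissance
and Etu, placed under the 1.3.6.1.4.1.7135 arc the page uses.
"""
import re

ATTRIBUTETYPES = [
    """attributetype ( 1.3.6.1.4.1.7135.1.3.93
        NAME 'etuDateFinInscription'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )""",
    """attributetype ( 1.3.6.1.4.1.7135.1.3.94
        NAME 'etuDateNaissance'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )""",
]

OBJECTCLASS_ETU = """objectClass ( 1.3.6.1.4.1.7135.1.3.1
    NAME 'Etu'
    DESC 'Etudiant'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( etuDateNaissance $ etuVilleNaissance $ etuDepNaissance $ etuPaysNaissance )
    )"""


def parse_definition(text):
    """Extract oid, name, must and may from one definition."""
    body = text[text.index("(") + 1:text.rindex(")")]
    oid = body.split()[0]
    name = re.search(r"\bNAME\s+'([^']+)'", body).group(1)

    def attr_list(keyword):
        # Either "MAY ( a $ b )" or the single-attribute form "MAY a".
        m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\w+))", body)
        if not m:
            return []
        inner = m.group(1) if m.group(1) is not None else m.group(2)
        return [a.strip() for a in inner.split("$") if a.strip()]

    return {"oid": oid, "name": name, "must": attr_list("MUST"), "may": attr_list("MAY")}


def check_schema(attributetypes, objectclasses, inherited=()):
    """Return human-readable problems; an empty list means the set is consistent.

    `inherited` lists attribute names that come from the SUP chain (for
    example those of inetOrgPerson) and therefore need no local definition.
    """
    problems, seen = [], {}
    attrs = [parse_definition(a) for a in attributetypes]
    classes = [parse_definition(o) for o in objectclasses]
    for d in attrs + classes:
        if d["oid"] in seen:
            problems.append("duplicate OID %s: %s and %s" % (d["oid"], seen[d["oid"]], d["name"]))
        else:
            seen[d["oid"]] = d["name"]
    known = {a["name"].lower() for a in attrs} | {n.lower() for n in inherited}
    for c in classes:
        for attr in c["must"] + c["may"]:
            if attr.lower() not in known:
                problems.append("objectClass %s references undefined attribute %s" % (c["name"], attr))
    return problems


if __name__ == "__main__":
    for problem in check_schema(ATTRIBUTETYPES, [OBJECTCLASS_ETU]):
        print(problem)
```

Run as a script it lists the three undefined attributes; pass the missing definitions (or name them in `inherited` if they come from a parent class) and the list goes empty.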
Sources:
http://www.telecom-sudparis.eu/s2ia/user/procacci/ldap/Ldap_int.html
https://services.renater.fr/documentation/supann/oids
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-DefineObjectsAndAttributes.html
Changing the admin password
Generate a hashed (SSHA) password:
slappasswd -h {SSHA}
[...]
Create an LDIF file of the form:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}gdhsgdhshdghsghdghsd
Run it:
ldapmodify -H ldapi:/// -Y external -f modif.ldif
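The value slappasswd prints is base64(sha1(password || salt) || salt) behind a "{SSHA}" tag, with a 4-byte random salt by default; the same kind of value belongs in olcRootPW here and in userPassword of user entries (the CentOS user example further down puts a bare `userPassword: password` in its LDIF, which slapd stores as-is: ldapsearch then returns it base64-encoded because of the attribute's syntax, but it is not hashed). Added Python example, not from the page, that reproduces and verifies the format; the salt length and layout are OpenLDAP's, the function names are this example's own:

```python
"""{SSHA} password values as produced by slappasswd -h {SSHA}.

Added example, not from the page. Format assumed (OpenLDAP's): the string
"{SSHA}" followed by base64(sha1(password || salt) || salt); slappasswd uses
a 4-byte random salt by default, which is what ssha_hash uses too.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return a value suitable for olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) < SHA1_LEN:
        raise ValueError("truncated {SSHA} value")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def is_hashed(userpassword):
    """True when the value carries a {SCHEME} prefix; a bare string is stored in clear."""
    return userpassword.startswith("{") and "}" in userpassword


def rootpw_ldif(stored):
    """The modify LDIF from the section above, with the hash filled in."""
    return ("dn: olcDatabase={1}hdb,cn=config\n"
            "changetype: modify\n"
            "replace: olcRootPW\n"
            "olcRootPW: " + stored + "\n")


if __name__ == "__main__":
    # Constructed demo password; a real one would come from a prompt or a file.
    print(rootpw_ldif(ssha_hash("change-me")))
```

`ssha_verify` is the check slapd performs on a simple bind against an {SSHA} value; `is_hashed` is a cheap test to run over an LDIF before feeding it to ldapadd.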
Installing an openldap server on Debian 7
Installing the packages
apt-get install ldap-utils slapd
Viewing the config
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Installing the supann 2009 schema
Adding additional schemas to slapd requires the schema to be converted to LDIF format. Fortunately, the slapd program can be used to automate the conversion.
1. First, create a conversion schema_convert.conf file containing the following lines:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/supann_2009.schema
2. Next, create a temporary directory to hold the output:
mkdir /etc/ldap/schema/supann
3. Now using slaptest convert the schema files to LDIF:
slaptest -f schema_convert.conf -F /etc/ldap/schema/supann
Adjust the configuration file name and temporary directory names if yours are different. Also, it may be worthwhile to keep the output directory (/etc/ldap/schema/supann here) around in case you want to add additional schemas in the future.
4. Edit the /etc/ldap/schema/supann/cn=config/cn=schema/cn={14}supann_2009.ldif, changing the following attributes:
dn: cn=supann_2009,cn=schema,cn=config
....
cn: supann_2009
And remove the following lines from the bottom of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
The attribute values will vary, just be sure the attributes are removed.
5. Finally, using the ldapadd utility, add the new schema to the directory:
# ldapadd -Y external -H ldapi:/// -f /etc/ldap/schema/supann/cn=config/cn=schema/cn={14}supann_2009.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=supann_2009,cn=schema,cn=config"
6. Verify:
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}supann_2009,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
# ls /etc/ldap/slapd.d/cn=config/cn=schema/
cn={0}core.ldif cn={1}cosine.ldif cn={2}nis.ldif cn={3}inetorgperson.ldif cn={4}supann_2009.ldif
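The hand editing in steps 4 and 5 is easy to get wrong (a leftover entryCSN makes ldapadd fail) and easy to automate. Note also that the `{N}` in the generated file name is simply the 0-based position of the include line in schema_convert.conf, so with the 13 includes listed in step 1 the supann file comes out as cn={12}supann_2009.ldif; check with ls before editing. Added Python example, not from the page or the Ubuntu procedure it quotes: the sample input is constructed from the page's listings (the page's schema_convert.conf, the operational values from step 4, and one attribute definition as filler).

```python
"""Post-processing for the schema LDIF that slaptest generates (steps 4 and 5 above).

Added example, not from the page or the Ubuntu procedure it quotes. It strips
the {N} index from the dn and cn, removes the operational attributes listed in
step 4, and computes which {N} slaptest assigns: the 0-based position of the
include line in schema_convert.conf. Sample data is constructed from the page.
"""
import re

OPERATIONAL = {"structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
               "entrycsn", "modifiersname", "modifytimestamp"}

# The page's schema_convert.conf.
SCHEMA_CONVERT_CONF = """\
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/supann_2009.schema
"""

# Shape of the generated file: the attribute definition is filler borrowed from the
# page's etuDateNaissance, the operational values are the ones the page shows.
SAMPLE_OUTPUT = """\
dn: cn={12}supann_2009,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}supann_2009
olcAttributeTypes: {0}( 1.3.6.1.4.1.7135.1.3.94 NAME 'etuDateNaissance' EQUALI
 TY generalizedTimeMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
"""


def schema_index(conf_text, schema_name):
    """0-based index slaptest gives a schema: its position among the include lines."""
    names = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "include":
            names.append(fields[1].rsplit("/", 1)[-1].rsplit(".", 1)[0])
    return names.index(schema_name)


def converted_path(outdir, conf_text, schema_name):
    """Path of the file slaptest -F <outdir> writes for schema_name."""
    i = schema_index(conf_text, schema_name)
    return "%s/cn=config/cn=schema/cn={%d}%s.ldif" % (outdir, i, schema_name)


def clean_schema_ldif(text):
    """Rewrite the generated LDIF so ldapadd can load it into cn=schema,cn=config."""
    out, dropping = [], False
    for line in text.splitlines():
        if line.startswith(" "):            # LDIF continuation of the previous line
            if not dropping:
                out.append(line)
            continue
        attr = line.split(":", 1)[0].strip().lower()
        dropping = attr in OPERATIONAL      # drop the attribute and any continuation
        if dropping:
            continue
        out.append(re.sub(r"^(dn: cn=|cn: )\{\d+\}", r"\1", line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(converted_path("/etc/ldap/schema/supann", SCHEMA_CONVERT_CONF, "supann_2009"))
    print(clean_schema_ldif(SAMPLE_OUTPUT))
```

Feed the real generated file to `clean_schema_ldif`, write the result to a new file and pass that to `ldapadd -Y EXTERNAL -H ldapi:///` as in step 5.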
Sources:
http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/#post3423916
http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-schemas
Installing the eduPerson and eduOrg schemas
Download the schema here, then install it as above.
Checking the access rights
# ldapsearch -Y external -H ldapi:/// -LLL -b cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}samba,cn=schema,cn=config
dn: cn={5}supann_2009,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=domaine,dc=fr" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin" write by * read
Configuring an openldap client on Debian 7
libnss-ldap
The Name Service Switch (NSS) allows the traditional Unix configuration files (for example /etc/passwd, /etc/group, /etc/hosts) to be replaced by one or more centralised databases.
Source: http://fr.wikipedia.org/wiki/Name_Service_Switch
Installation
apt-get install libnss-ldap
Modifying /etc/nsswitch.conf
root@debian:~# cp /usr/share/doc/libnss-ldap/examples/nsswitch.ldap /etc/nsswitch.conf
Modifying /etc/libnss-ldap.conf
root@debian:/etc# egrep -v '^#|^$' /etc/libnss-ldap.conf
host 192.168.0.3
base dc=mydeb,dc=org
ldap_version 3
rootbinddn cn=admin,dc=mydeb,dc=org
Verification
root@debian:~# getent passwd
A useful source of information: https://wiki.debian.org/fr/LDAP/NSS
libpam-ldap
Installation
apt-get install libpam-ldap
Configuration
root@debian:~# more /etc/pam_ldap.conf |grep -v ^#
host 192.168.1.45
base dc=mydeb,dc=org
ldap_version 3
pam_password crypt
A useful source of information: https://wiki.debian.org/fr/LDAP/PAM
Installing an openldap server on CentOS 6.3
Installing the packages
yum install openldap-servers
[...]
===================================================================================================
Package Arch Version Repository Size
===================================================================================================
Installing:
openldap-servers i686 2.4.23-32.el6_4.1 updates 2.0 M
Updating for dependencies:
openldap i686 2.4.23-32.el6_4.1 updates 267 k
[...]
Generating a password for the root account
"Slappasswd is used to generate a userPassword value suitable for use with ldapmodify(1), slapd.conf(5) rootpw configuration directive or the slapd-config(5) olcRootPW configuration directive."
Source: man page
[root@serveur1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}h3dTGCoacXbC6HlYyIoSnWcxXbwavP0Q
Modifying the server's database config
[root@serveur1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
Insert at the beginning of this file the result of the slappasswd command:
olcRootPW: {SSHA}h3dTGCoacXbC6HlYyIoSnWcxXbwavP0Q
olcTLSCertificateFile: /etc/pki/tls/certs/slapd_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd_key.pem
then use vi to change the default domain:
:1,$s/dc=my-domain,dc=com/dc=my-dom,dc=fr/g
Modifying the database access config
[root@serveur1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
As before, use vi to change the default domain:
:1,$s/dc=my-domain,dc=com/dc=my-dom,dc=fr/g
Setting up the database
[root@serveur1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@serveur1 ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
Testing our configuration
This test is done with the slaptest command:
[root@serveur1 certs]# slaptest -u
config file testing succeeded
Note: the "-u" option tests only the config files and not the database, which in our case is not ready yet.
Installing ldapsearch
Installing the package:
yum install openldap-clients
Configuring ldap.conf:
[root@serveur1 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
URI ldap://127.0.0.1
BASE dc=my-dom,dc=fr
[root@serveur1 ~]#
Starting the server and testing
[root@serveur1 cn=config]#service slapd start
/var/lib/ldap/alock is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.006 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.004 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.001 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.003 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.005 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.002 is not owned by "ldap" [WARNING]
Starting slapd: [ OK ]
To fix these warnings, I give ownership of these files to the ldap user:
[root@serveur1 ~]# chown -R ldap:ldap /var/lib/ldap/
and restart the server:
[root@serveur1 ~]# /etc/init.d/slapd restart
Arrêt de slapd : [ OK ]
Démarrage de slapd : [ OK ]
We can test:
[root@serveur1 cn=config]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
If there are problems, debug output can be added:
[root@serveur1 ~]# ldapsearch -d1 -h localhost
Inserting data into the database
Creating the data file (LDIF entries are separated by a blank line):
[root@serveur1 ~]# cat /tmp/base.ldif
dn: dc=my-dom,dc=fr
dc: my-dom
objectClass: top
objectClass: domain

dn: ou=Users,dc=my-dom,dc=fr
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=my-dom,dc=fr
ou: Groups
objectClass: top
objectClass: organizationalUnit
and insertion:
[root@serveur1 ~]#ldapadd -x -W -D cn=Manager,dc=my-dom,dc=fr -f /tmp/base.ldif
Verification:
[root@serveur1 ~]# ldapsearch -x -b 'dc=my-dom,dc=fr'
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my-dom.fr
dn: dc=my-dom,dc=fr
dc: my-dom
objectClass: top
objectClass: domain
# Users, my-dom.fr
dn: ou=Users,dc=my-dom,dc=fr
ou: Users
objectClass: top
objectClass: organizationalUnit
# Groups, my-dom.fr
dn: ou=Groups,dc=my-dom,dc=fr
ou: Groups
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Inserting a user:
[root@serveur1 ~]# cat /tmp/u1.ldif
dn: uid=u1,ou=Users,dc=my-dom,dc=fr
uid: u1
cn: u1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/u1
[root@serveur1 ~]# ldapadd -x -W -D cn=Manager,dc=my-dom,dc=fr -f /tmp/u1.ldif
Searching the database
[root@serveur1 ~]# ldapsearch -x -v -W -D 'cn=manager,dc=my-dom,dc=fr' -b 'dc=my-dom,dc=fr' "uid=u1"
Adding to the database
Creating a file containing the additions to make
[root@dell ~]# cat /tmp/modify.ldif
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
changetype: modify
add: description
description: test
Modifying the database
[root@dell ~]# ldapmodify -x -W -D 'cn=manager,dc=my-dom,dc=fr' -f /tmp/modify.ldif
Enter LDAP Password:
modifying entry "uid=u2,ou=Users,dc=my-dom,dc=fr"
Verification
[root@dell ~]# ldapsearch -x -v -W -D 'cn=manager,dc=my-dom,dc=fr' -b 'dc=my-dom,dc=fr' "uid=u2"
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: uid=u2
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> with scope subtree
# filter: uid=u2
# requesting: ALL
#
# u2, Users, my-dom.fr
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
uid: u2
cn: u2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQ=
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/u2
description: test
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
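What ldapsearch prints is LDIF: records separated by blank lines, `#` comment lines, long values folded onto continuation lines that begin with one space (the olcAccess lines in the Debian access-rights listing above are split that way, at `anonymou` / `s auth`), and `attr:: value` meaning the value is base64-encoded. Reading it back with a small parser makes the password point visible: decoding `userPassword:: cGFzc3dvcmQ=` gives the literal string `password` with no `{scheme}` prefix, so the value in the u1/u2 entries is stored unhashed. Added Python example, not from the page; the sample output is constructed from the listings on this page, with the blank lines ldapsearch really prints between records.

```python
"""Parser for ldapsearch LDIF output (RFC 2849 subset).

Added example, not from the page. Handles comment lines, blank-line record
separators, folded lines (continuation starts with one space) and the
'attr:: base64' form; records without a dn (the trailing search/result
lines) are dropped. The sample is constructed from the listings on this page.
"""
import base64

SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> with scope subtree
# filter: uid=u2
# requesting: ALL
#

# u2, Users, my-dom.fr
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
uid: u2
cn: u2
objectClass: account
objectClass: posixAccount
userPassword:: cGFzc3dvcmQ=
description: test

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=domaine,dc=fr" write by * none

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute-name-lowercased: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: glue it to the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                   # sentinel blank line flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                            # not an attribute line
        if rest.startswith(":"):                # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):              # URL-valued attribute: keep the URL
            value = rest[1:].strip()
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def cleartext_passwords(entries):
    """DNs whose userPassword has no {SCHEME} prefix, i.e. is stored unhashed."""
    flagged = []
    for entry in entries:
        for value in entry.get("userpassword", []):
            if not (value.startswith("{") and "}" in value):
                flagged.append(entry["dn"][0])
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE)
    print(parsed[0]["userpassword"])          # ['password']: decoded, and not hashed
    print(parsed[1]["olcaccess"][0])          # the folded olcAccess value, unfolded
    print(cleartext_passwords(parsed))
```

Piping the output of `ldapsearch -x -D ... -b 'dc=my-dom,dc=fr' userPassword` through `cleartext_passwords` is a quick audit of which accounts still carry an unhashed value.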
Modifying a value in the database
Creating a file containing the modifications to make
[root@dell ~]# cat /tmp/modify.ldif
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
changetype: modify
replace: description
description: newtest
Modifying the database
[root@dell ~]# ldapmodify -x -W -D 'cn=manager,dc=my-dom,dc=fr' -f /tmp/modify.ldif
Enter LDAP Password:
modifying entry "uid=u2,ou=Users,dc=my-dom,dc=fr"
Verification
[root@dell ~]# ldapsearch -x -v -W -D 'cn=manager,dc=my-dom,dc=fr' -b 'dc=my-dom,dc=fr' "uid=u2"
Enter LDAP Password:
filter: uid=u2
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> with scope subtree
# filter: uid=u2
# requesting: ALL
#
# u2, Users, my-dom.fr
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
uid: u2
cn: u2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQ=
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/u2
description: newtest
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Deleting from the database
Creating a file containing the modifications to make
[root@dell ~]# cat /tmp/modify.ldif
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
changetype: modify
delete: description
Modifying the database
[root@dell ~]# ldapmodify -x -W -D 'cn=manager,dc=my-dom,dc=fr' -f /tmp/modify.ldif
Enter LDAP Password:
modifying entry "uid=u2,ou=Users,dc=my-dom,dc=fr"
Verification
[root@dell ~]# ldapsearch -x -v -W -D 'cn=manager,dc=my-dom,dc=fr' -b 'dc=my-dom,dc=fr' "uid=u2"
Enter LDAP Password:
filter: uid=u2
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=my-dom,dc=fr> with scope subtree
# filter: uid=u2
# requesting: ALL
#
# u2, Users, my-dom.fr
dn: uid=u2,ou=Users,dc=my-dom,dc=fr
uid: u2
cn: u2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQ=
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/u2
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Configuring an openldap client on CentOS 6.3
Beforehand, it may be wise to install autofs
see http://perso.univ-lemans.fr/~brichard/logiciels/?doc=autofs
Installing the packages
yum install openldap-clients nss-pam-ldapd
Configuration
[X] Use LDAP
[X] Use MD5 passwords
[X] Use shadow passwords
[X] Use LDAP authentication
[X] Local authorization is sufficient
ldap.conf should look like this:
[root@serveur1 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
URI ldap://192.168.1.90/
BASE dc=my-dom,dc=fr
port 389
Starting
/etc/init.d/nscd restart
/etc/init.d/nslcd restart