2010-03-25 Ldap

Un article de Cenabumiki.

  • Le portnawak fut composé de deux parties : une partie théorique et une partie pratique (installation d'un serveur LDAP, manipulations, etc.)


  • Voici le support PDF de la partie théorique (par Nicolas G.)


  • Voilà le contenu du TP de Nicolas pour ce Portnawak LDAP (en Creative Commons)


----

|---------------------|
|      SERVEUR        |
|---------------------|

apt-get install slapd

apt-get install ldap-utils

mv /etc/ldap/slapd.conf 

/etc/init.d/slapd stop

/etc/ldap/slapd.conf ->

basedn = dc=prenom,dc=fr

rootdn    "cn=admin,dc=prenom,dc=fr"

rootpw    {SSHA}...   (hash généré avec slappasswd)

- racine -

Créer un fichier racine.ldif :

dn: dc=nico,dc=fr

objectClass: domain

dc: nico

L'ajouter :

root@serv:/etc/ldap# ldapadd -h localhost -D 'cn=admin,dc=nico,dc=fr' -x -W -f /root/ldap/racine.ldif

Enter LDAP Password:

adding new entry "dc=nico,dc=fr"

- people -

Créer un fichier people.ldif :

dn: ou=people,dc=nico,dc=fr

ou: people

objectClass: top

objectClass: organizationalUnit

L'ajouter :

root@serv:/etc/ldap# ldapadd -h localhost -D 'cn=admin,dc=nico,dc=fr' -x -W -f /root/ldap/people.ldif

Enter LDAP Password:

adding new entry "ou=people,dc=nico,dc=fr"

- groups -

Créer un fichier group.ldif :

dn: ou=group,dc=nico,dc=fr

ou: group

objectClass: top

objectClass: organizationalUnit

root@serv:/etc/ldap# ldapadd -h localhost -D 'cn=admin,dc=nico,dc=fr' -x -W -f /root/ldap/group.ldif

Enter LDAP Password:

adding new entry "ou=group,dc=nico,dc=fr"

- compte système & upg -

Créer un fichier user.ldif :

dn: uid=ngreneche,ou=people,dc=nico,dc=fr

uid: ngreneche

cn: Nicolas GRENECHE

givenName: Nicolas

sn: GRENECHE

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {SSHA}XXXX

loginShell: /bin/bash

uidNumber: 2000

gidNumber: 2000

homeDirectory: /home/nfs/ngreneche

gecos: Nicolas GRENECHE


dn: cn=ngreneche,ou=group,dc=nico,dc=fr

objectClass: posixGroup

cn: ngreneche

gidNumber: 2000

root@serv:/etc/ldap# ldapadd -h localhost -D 'cn=admin,dc=nico,dc=fr' -x -W -f /root/ldap/groupposix.ldif

Enter LDAP Password:

adding new entry "cn=ngreneche,ou=people,dc=nico,dc=fr"

adding new entry "cn=ngreneche,ou=group,dc=nico,dc=fr"

- Tests -

root@serv:/etc/ldap# ldapsearch -x -h localhost -b 'dc=nico,dc=fr'

root@serv:/etc/ldap# ldapsearch -x -h localhost -b 'dc=nico,dc=fr' -D 'uid=ngreneche,ou=people,dc=nico,dc=fr' -W

- Passage en SSL -

mkdir /etc/ldap/ssl

cd /etc/ldap/ssl

openssl genrsa -out server.key 1024

openssl req -new -x509 -days 365 -key server.key -out server.crt

chown -R openldap:openldap ../ssl

chmod 444 server.crt

chmod 400 server.key

/etc/ldap/slapd.conf :

TLSCertificateFile /etc/ldap/ssl/server.crt

TLSCertificateKeyFile /etc/ldap/ssl/server.key

/etc/default/slapd :

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"


debug :

root@serv:/etc/ldap/ssl# slapd -d 16383 -g openldap -u openldap -f /etc/ldap/slapd.conf

|---------------------|
|       CLIENT        |
|---------------------|

apt-get install ldap-utils

ldapsearch -x -H ldap://srvldap -b 'dc=nico,dc=fr'

- Activation de SSL -

/etc/ldap/ldap.conf :

BASE dc=nico,dc=fr

URI ldaps://srvldap.univ-orleans.fr:636

TLS_CACERT /etc/ldap/ssl/server.crt

ldapsearch -x

- Reco users -

root@nico-desktop:~# apt-get install libnss-ldap nscd

root@nico-desktop:~# ln -s /etc/ldap/ldap.conf /etc/libnss-ldap.conf

root@nico-desktop:~# rm /etc/ldap.conf

root@nico-desktop:~# ln -s /etc/ldap/ldap.conf /etc/ldap.conf

Dans /etc/nsswitch.conf :

passwd: files ldap

group: files ldap

shadow: files ldap

Dans /etc/ldap/ldap.conf :

ldap_version 3

scope sub

pam_login_attribute uid

nss_base_passwd ou=people,dc=nico,dc=fr

nss_base_shadow ou=people,dc=nico,dc=fr

nss_base_group ou=group,dc=nico,dc=fr

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

getent passwd

id ngreneche

su ngreneche

- Auth users -

root@nico-desktop:~# apt-get install libpam-ldap libpam-cracklib

root@nico-desktop:~# auth-client-config -a -p ldap_example

|---------------------|
|      SERVEUR        |
|---------------------|

- Retirer le service LDAP en clair -

/etc/default/slapd :

retirer la méthode ldap:/// de SLAPD_SERVICES

- Activer les comptes -

root@srvldap:~# ln -s /etc/ldap/ldap.conf /etc/libnss-ldap.conf

root@srvldap:~# rm /etc/ldap.conf

root@srvldap:~# ln -s /etc/ldap/ldap.conf /etc/ldap.conf

/etc/ldap/ldap.conf :

BASE dc=nico,dc=fr

URI ldaps://srvldap.univ-orleans.fr:636

TLS_CACERT /etc/ldap/ssl/server.crt

scope sub

ldap_version 3

pam_login_attribute uid

nss_base_passwd ou=people,dc=nico,dc=fr

nss_base_shadow ou=people,dc=nico,dc=fr

nss_base_group ou=group,dc=nico,dc=fr

- Pas d'auth des users LDAP -

- Montage NFS -

root@srvldap:~# apt-get install nfs-kernel-server

mkdir /ext/nfs/ngreneche

chown ngreneche:ngreneche /ext/nfs/ngreneche

/etc/exports :

/ext/nfs client-hostname(rw,sync,no_subtree_check)

root@srvldap:~# /etc/init.d/nfs-kernel-server restart

|---------------------|
|       CLIENT        |
|---------------------|

mkdir /home/nfs

root@nico-desktop:~# apt-get install autofs

/etc/auto.master :

/home/nfs /etc/auto.home

/etc/auto.home :

* -fstype=nfs,soft srvldap.univ-orleans.fr:/ext/nfs/&

root@nico-desktop:~# /etc/init.d/autofs restart

su - ngreneche