OpenLdap no Debian Squeeze

leonardoamorim

Como configurar o OpenLDAP e migrar os dados dos arquivos /etc/passwd e /etc/group e trabalhar com arquivos ldifs no Debian Squeeze.

[ Hits: 24.189 ]

Por: Leonardo Afonso Amorim em 21/05/2011

0 0

Denuncie Favoritos Indicar Impressora

Instalação e configuração do OpenLDAP

OpenLdap no Debian Squeeze:

# aptitude install libldap-2.4-2 slapd ldap-utils

Vamos gerar a senha de admin:

# slappasswd
{SSHA}Kw4HqksjDnbutR6Re1+8HdSvhdPMnYFo

Anote a senha para inserir na diretiva roopw que estará no arquivo /etc/ldap/slapd.conf

Monte o arquivo slapd.conf conforme abaixo:

# vim /etc/ldap/slapd.conf

include      /etc/ldap/schema/core.schema
include      /etc/ldap/schema/cosine.schema
include      /etc/ldap/schema/nis.schema
include      /etc/ldap/schema/inetorgperson.schema

allow      bind_v2
pidfile      /var/run/slapd/slapd.pid
argsfile   /var/run/slapd/slapd.args
loglevel   none
modulepath   /usr/lib/ldap
moduleload   back_bdb

sizelimit 500
tool-threads 1

backend      bdb
database   bdb

suffix      "dc=leonardoamorim,dc=com,dc=br"
rootdn      "cn=admin,dc=leonardoamorim,dc=com,dc=br"
rootpw       {SSHA}Kw4HqksjDnbutR6Re1+8HdSvhdPMnYFo

directory   "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index      objectClass eq
lastmod      on
checkpoint   512 30

access   to   attrs=userPassword,shadowLastChange
         by dn="cn=admin,dc=leonardoamorim,dc=com,dc=br" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
   by dn="cn=admin,dc=leonardoamorim,dc=com,dc=br" write
   by * read

Salve o arquivo.

Gerando a estrutura para levantar o servidor OpenLDAP:

# /etc/init.d/slapd stop
# cd /etc/ldap
# cp -r slapd.d slapd.d.backup
# rm -r slapd.d
# mkdir slapd.d
# slaptest -f slapd.conf -F slapd.d
# chown -R openldap:openldap slapd.d
# /etc/init.d/slapd start

Como usar a ferramenta migrationtools:

# aptitude install migrationtools
# vim /usr/share/migrationtools/migrate_common.ph

Procure as seguintes diretivas e as deixe exatamente assim:

$DEFAULT_MAIL_DOMAIN = "leonardoamorim.com.br";
$DEFAULT_BASE = "dc=leonardoamorim,dc=com,dc=br";

Salve o arquivo.

# cd /usr/share/migrationtools/
# ./migrate_passwd.pl /etc/passwd /etc/ldap/users.ldif
# ./migrate_group.pl /etc/group /etc/ldap/groups.ldif
# ./migrate_base.pl > /etc/ldap/base.ldif

O seu arquivo base.ldif deve estar assim:

dn: dc=leonardoamorim,dc=com,dc=br
dc: leonardoamorim
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=leonardoamorim,dc=com,dc=br
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=leonardoamorim,dc=com,dc=br
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=leonardoamorim,dc=com,dc=br
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=leonardoamorim,dc=com,dc=br
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Mounts,dc=leonardoamorim,dc=com,dc=br
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=leonardoamorim,dc=com,dc=br
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=leonardoamorim,dc=com,dc=br
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=leonardoamorim,dc=com,dc=br
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=leonardoamorim,dc=com,dc=br
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=leonardoamorim,dc=com,dc=br
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Aliases,dc=leonardoamorim,dc=com,dc=br
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=leonardoamorim,dc=com,dc=br
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap

Inserindo o conteúdo dos ldifs na base de dados OpenLDAP:

# ldapadd -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /etc/ldap/base.ldif -W
# ldapadd -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /etc/ldap/groups.ldif -W
# ldapadd -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /etc/ldap/users.ldif -W
# ldapsearch -x -b dc=leonardoamorim,dc=com,dc=br uidNumber=1000

dn: uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br
uid: leo
cn: Leonardo Afonso Amorim
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/leo
gecos: Leonardo Afonso Amorim,,,

Como modificar dados através do comando ldapmodify:

# vim /root/loginShell.ldif

dn: uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br
changetype: modify
replace: loginShell
loginShell: /bin/false

Salve o arquivo.

# ldapmodify -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /root/loginShell.ldif -W

modifying entry "uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br"

# ldapsearch -x -b dc=leonardoamorim,dc=com,dc=br uidNumber=1000

dn: uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br
uid: leo
cn: Leonardo Afonso Amorim
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/leo
gecos: Leonardo Afonso Amorim,,,
loginShell: /bin/false

Volte ao normal:

# vim /root/loginShell.ldif

dn: uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br
changetype: modify
replace: loginShell
loginShell: /bin/bash

# ldapmodify -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /root/loginShell.ldif -W

modifying entry "uid=leo,ou=People,dc=leonardoamorim,dc=com,dc=br"

Backup e restore no OpenLDAP:

# slapcat
# slapcat -l /root/backup.ldif
# cp /root/backup.ldif /root/backup.ldif.copia
# ldapdelete -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -W dc=leonardoamorim,dc=com,dc=br

Páginas do artigo

1. Instalação e configuração do OpenLDAP

Outros artigos deste autor

O mundo a um clique e um "Eu" fora de nós

Afinal, será que ser hacker, realmente, é o que a mídia divulga?

Cego guiando cego

Configurar uma rede doméstica e compartilhar ADSL no Slackware

Gerenciando módulos no Linux

Leitura recomendada

Personalizando o servidor centralizador de logs com rotate, script e crontab

Instalação Minimalista do Void Linux

Instalação avançada do Debian com Btrfs + timeshift-autosnap-apt + Zram + home encriptado (UEFI/GPT)

Arch + Repositórios do Manjaro - Monarch

Configuração manual dos ponteiros do mouse

Comentários

[1] Comentário enviado por victormredes em 07/10/2011 - 09:18h

# rm -r slapd.d
# mkdir slapd.d

depois dessa parte, ae tem o:

# slaptest -f slapd.conf -F slapd.d

ae da esse erro:

sed: não foi possível ler /etc/ldap/slapd.d/cn=config.ldif: Arquivo ou dire.. n encontrado.

sabe o pq?? abrass

1 0

[2] Comentário enviado por angkor em 25/10/2011 - 15:03h

Opa, boa tarde a todos,
Estou com o mesmo problema que o victormredes. Alguem sabe o motivo?
O autor do tópico tem alguma ideia?

Obrigado

0 0

[3] Comentário enviado por mexicodelas em 27/02/2013 - 01:21h

Olá Leonardo,

Parabéns pelo tuto, entretanto, já fiz e refiz o tuto mas quanto executo o comando:

ldapadd -x -D cn=admin,dc=leonardoamorim,dc=com,dc=br -f /etc/ldap/base.ldif -W

o sistema fica pensando ... pensando e retorna:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

O que pode ser?

o retorno do slapcat:

dn:
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: 29d4f012-14d6-1032-9c39-b3fabd3f360d
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20130227030436Z
entryCSN: 20130227030436.791020Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20130227030436Z

dn:
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9MlNlNFdEYmk2Z1NNRm5Na2liVHhTbzhkcjlVendBV1o=
structuralObjectClass: organizationalRole
entryUUID: 29d5ea80-14d6-1032-9c3a-b3fabd3f360d
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20130227030436Z
entryCSN: 20130227030436.797445Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20130227030436Z

0 0

[4] Comentário enviado por alexandremc em 11/01/2016 - 19:26h

Obrigado pelo tutorial.

Estou com problemas no ldapmodify, tenho um usuário cobaia

Quando tento fazer qualquer modificação recebo um erro semelhante a esse:
ldapmodify: unknown changetype "modify " (line 2, entry "uid=cobaia,ou=people,dc=ecom,dc=uff,dc=br")

Uso esse arquivo mudanca.ldif

#Arquivo mudanca.ldif
dn: uid=cobaia,ou=people,dc=ecom,dc=uff,dc=br
changetype: modify
replace: shadowLastChange
shadowLastChange: 0

ldapmodify -x -D cn=admin,dc=ecom,dc=uff,dc=br -f mudanca.ldif -W

Erro:
ldapmodify: unknown changetype "modify " (line 2, entry "uid=cobaia,ou=people,dc=ecom,dc=uff,dc=br")

ldapsearch -x -b dc=ecom,dc=uff,dc=br uid=cobaia

# extended LDIF
#
# LDAPv3
# base <dc=ecom,dc=uff,dc=br> with scope subtree
# filter: uid=cobaia
# requesting: ALL
#

# cobaia, people, ecom.uff.br
dn: uid=cobaia,ou=people,dc=ecom,dc=uff,dc=br
uid: cobaia
cn: Cobaia
homeDirectory: /home/cobaia
uidNumber: 10374
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
objectClass: top
gidNumber: 10002
gecos: Cobaia
sn: Cobaia
shadowLastChange: 16807
loginShell: /bin/sh

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

0 0