Thursday, January 9, 2020

LDAP


LDAP - Lightweight Directory Access Protocol

Runs at the application layer, on top of TCP (port 389 by default; 636 for LDAP over TLS, LDAPS).
Based on the client-server model.

Facilitates centralized user management and removes the need to create the same user on each and every server.
Users and user profiles are created once on the LDAP server and looked up from all the LDAP clients.

The directory is similar to a database, but it tends to contain descriptive, attribute-based information.
Directory data is read far more often than it is written, so the directory is tuned to answer high volumes of lookup/search operations quickly rather than to handle complex transactions.

The data in LDAP is organized as a tree, known as the LDAP directory tree (the directory information tree, DIT).

The OpenLDAP server daemon is known as slapd.

slapd supports a variety of storage backends. Older documentation lists BDB (preferred) and LDBM:

BDB - utilises Berkeley DB
LDBM - utilises Berkeley DB or GDBM

Both are obsolete: LDBM was removed in OpenLDAP 2.4, and the BDB/HDB backends were deprecated in 2.4 and removed in 2.5 in favour of MDB, which is built on LMDB and is the recommended backend in current releases. The hdb backend still appears in the configuration below because that is what OpenLDAP 2.4 packages (for example on CentOS 7) ship with.

To import or export directory information between LDAP directory servers, or to describe a set of changes to be applied to the directory, a text format known as LDIF (LDAP Data Interchange Format) is used.
LDIF stores information as a sequence of entries: one block of attribute lines per entry, starting with its dn line and separated from the next entry by a blank line, so the object hierarchy is carried by the DNs.

An LDIF file with two entries (the second is a child of the first) looks like this; a blank line separates the entries -

dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization

dn: cn=Luiz Malere, o=TUDelft, c=NL
cn: Luiz Malere
sn: Malere
mail: malere@yahoo.com
objectclass: person

Each entry is uniquely identified by a distinguished name (DN). The DN consists of the entry's own name (its relative distinguished name, RDN, e.g. cn=Luiz Malere) followed by the names of its ancestors, tracing the entry back to the top of the directory hierarchy.
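The following is an added example, not code from the original post: a small LDIF parser in Python that applies the rules just described (one entry per blank-line-separated block, starting with its dn line; a line beginning with a single space continues the previous line; "attr:: value" means the value is base64-encoded, which is how ldapsearch prints userPassword), splits DNs into RDNs, and checks that every entry's parent precedes it in the file, which is the order ldapadd requires. The sample LDIF is constructed here from the two entries above plus a third, invented entry (cn=Jane Doe) that exercises line folding and base64.

```python
import base64


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}) tuples.

    Attribute names are lower-cased because LDAP compares them case-insensitively;
    base64 values are decoded as UTF-8 (binary attributes would need bytes).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines + [""]:                      # the "" sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        name = name.strip().lower()
        if value.startswith(":"):                  # "attr:: base64text"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "version" and current is None:  # optional "version: 1" header
            continue
        if name == "dn":
            if current is not None:
                raise ValueError("entries must be separated by a blank line")
            current = (value, {})
        elif current is None:
            raise ValueError("attribute %r appears before any dn" % name)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def split_dn(dn):
    """RDNs of a DN, most specific first; honours backslash escapes (RFC 4514)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    return rdns


def parent_dn(dn):
    """DN of the entry's superior: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def normalize_dn(dn):
    """Comparison form: RDNs lower-cased and rejoined without spaces."""
    return ",".join(r.lower() for r in split_dn(dn))


def orphans(entries):
    """DNs whose parent is neither an earlier entry in the file nor the parent of
    the first entry (taken as the base of the subtree). ldapadd rejects such
    entries with 'No such object', so they must be reordered or their parent added first."""
    if not entries:
        return []
    seen = {normalize_dn(parent_dn(entries[0][0]))}
    bad = []
    for dn, _ in entries:
        if normalize_dn(parent_dn(dn)) not in seen:
            bad.append(dn)
        seen.add(normalize_dn(dn))
    return bad


# Constructed sample: the two entries from the text plus an invented third one that
# uses folding and a base64 value (encoded here the way ldapsearch would print it).
SAMPLE_LDIF = """\
# the two entries from the text, then a constructed third entry
dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization

dn: cn=Luiz Malere, o=TUDelft, c=NL
cn: Luiz Malere
sn: Malere
mail: malere@yahoo.com
objectclass: person

dn: cn=Jane Doe, o=TUDelft, c=NL
cn: Jane Doe
sn: Doe
description: a value long enough that the exporting tool wrapped it onto a se
 cond line
userPassword:: %s
objectclass: person
""" % base64.b64encode(b"{SSHA}Z0Sq1PkmhUXLuhAxScPFL0O39/wC9WI3").decode("ascii")

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, "->", parent_dn(dn) or "(root)")
        print("   ", attrs)
    print("orphans:", orphans(parse_ldif(SAMPLE_LDIF)))
```

Feeding the reversed entry list to orphans() reports the base entry, which is exactly what happens when a user LDIF is imported before the container it belongs to.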

objectClass defines the collection of attributes that can (and must) be used to describe an entry. The standard schema provides, among others, basic object classes for -

- Groups (groupOfNames, groupOfUniqueNames)
- Locations (locality)
- Organizations (organization, organizationalUnit)
- People (person, organizationalPerson, inetOrgPerson)

An entry can belong to more than one objectClass.

Directory data is represented as attribute-value pairs. Every piece of information has an associated descriptive attribute, e.g. the common name attribute stores a person's name: cn: Luiz Malere


For any entry, attributes may be mandatory (MUST) or optional (MAY), as defined by the entry's object classes. objectClass itself is mandatory for every entry.


Install the OpenLDAP server, the client tools and the migration scripts -

# yum install -y *openldap*
# yum install -y migrationtools

Generate a hashed password for the root DN. slappasswd produces a salted SHA-1 hash ({SSHA}) by default -

# slappasswd 
New password: 
Re-enter new password: 
{SSHA}Z0Sq1PkmhUXLuhAxScPFL0O39/wC9WI3
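As an added example, not from the post: what that {SSHA} string actually is. It is the base64 encoding of a SHA-1 digest over the password followed by a random salt, with the salt appended after the 20-byte digest (slappasswd uses a 4-byte salt). The Python below builds such a hash, verifies a password against one the way slapd does on a simple bind, and inspects the layout of the hash printed above (its password is not known here, only its structure). Note that this is a single, salted but un-iterated SHA-1, far cheaper to attack offline than the sha512crypt {crypt}$6$ hashes that migrationtools carries over from /etc/shadow, so exposure of olcRootPW or userPassword values matters. OpenLDAP's contrib pw-pbkdf2 module, and Argon2 support from 2.5 on, provide slower schemes.

```python
import base64
import hashlib
import hmac
import os

# The value slappasswd printed above; only its structure is examined here.
PAGE_ROOTPW = "{SSHA}Z0Sq1PkmhUXLuhAxScPFL0O39/wC9WI3"
SHA1_LEN = 20


def make_ssha(password, salt=None):
    """{SSHA} = "{SSHA}" + base64( SHA-1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt, which is the default here too."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split an {SSHA} value into (digest, salt). The salt is whatever follows
    the 20-byte SHA-1 digest, so salts of any length are handled."""
    scheme, _, blob = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(blob)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored, password):
    """The check slapd performs on a simple bind against an {SSHA} userPassword
    or olcRootPW: re-hash with the stored salt and compare in constant time."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("correct horse")
    print(h, verify_ssha(h, "correct horse"), verify_ssha(h, "wrong"))
    print("salt bytes in the hash from the post:", len(ssha_parts(PAGE_ROOTPW)[1]))
```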


Update the suffix, root DN and root password in the database definition under slapd.d. These files are generated by slapd (their header says AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.) and the supported way to change them is ldapmodify against cn=config; if you edit one by hand as done here, do it while slapd is stopped and run slaptest before starting it again -

# vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif

dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mangodb,dc=com
olcRootDN: cn=Manager,dc=mangodb,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: e9cae2f2-c701-1039-8ec8-bf8e0ce85fe5
creatorsName: cn=config
createTimestamp: 20200109080057Z
entryCSN: 20200109080057.878978Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200109080057Z
olcRootPW: {SSHA}Z0Sq1PkmhUXLuhAxScPFL0O39/wC9WI3

The monitor database grants read access to the root DN by name, so the same DN has to be substituted there as well (the stock file names cn=Manager,dc=my-domain,dc=com) -

# cat /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif

dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=mangodb,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: e9cade88-c701-1039-8ec7-bf8e0ce85fe5
creatorsName: cn=config
createTimestamp: 20200109080057Z
entryCSN: 20200109080057.878865Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200109080057Z

Verify the configuration and start the LDAP service (slaptest -u only parses the configuration; it does not create or touch database files) -

# slaptest -u
# systemctl enable slapd.service
# systemctl start slapd.service
# systemctl status slapd.service

Extract the passwd entry of the user to be migrated (anchor the match, otherwise user10 or user1x would be picked up as well) -

# grep '^user1:' /etc/passwd > /etc/openldap/passwd.user1

Convert the passwd file to LDIF with the migrationtools perl script. The base DN in the output comes from $DEFAULT_BASE in /usr/share/migrationtools/migrate_common.ph, which has to be changed to dc=mangodb,dc=com first; the script also pulls the password hash out of /etc/shadow (hence it runs as root), so the generated LDIF contains the hash and should be readable by root only and deleted after the import. It produces an entry with objectClass: account -

# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.user1 /etc/openldap/user1.ldif

dn: uid=user1,ou=People,dc=mangodb,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$9HqyQ08Q$vBSV5ATYA.tTnTBY2IbZwWcuH2beGoz4qn.5mEnM92WeIXL8Pf/hw7sdVYRTC9GQSXRgIsBC062iSfvA6a8.z0
shadowLastChange: 18270
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user1

However, I got an error that these are not recognized objectClasses, so I rewrote the LDIF to use objectClass person (this is just a hack deployment to understand bits and pieces of LDAP). The cause is that account, posixAccount and shadowAccount are defined in cosine.ldif and nis.ldif under /etc/openldap/schema/, which the stock cn=config does not load (only core is loaded); importing those two schema files into cn=config with ldapadd, authenticating as root over ldapi:/// with SASL EXTERNAL, lets the generated LDIF be added unchanged. The person entry below also has no uidNumber, gidNumber or homeDirectory, so it cannot be used for Linux logins through nss/pam.

dn: cn=user1,ou=People,dc=mangodb,dc=com
cn: Manager
sn: user1
objectClass: person
userPassword: {crypt}$6$9HqyQ08Q$vBSV5ATYA.tTnTBY2IbZwWcuH2beGoz4qn.5mEnM92WeIXL8Pf/hw7sdVYRTC9GQSXRgIsBC062iSfvA6a8.z0

(cn: Manager in this hack is a copy-paste slip that survived; slapd adds the RDN value cn: user1 to the entry on its own, which is why the search result further down shows two cn values.)
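As an added example (not from the post), here is a Python model of the check slapd ran when it rejected the generated entry, covering the objectClass and mandatory-attribute rules from the introduction above. The schema table is a hand-written subset of the core, cosine and nis schemas (the real definitions live in /etc/openldap/schema/*.ldif): each class lists its superclass, MUST and MAY attributes, and the checker applies the rules, every listed objectClass must be known, every MUST of every class and its superclasses must be present, and any other attribute must appear in some MAY list. With only the core classes the migrated user1 entry fails at the first unknown class, just as the post describes; with cosine and nis present it passes unchanged, and the person hack passes with core alone. Structural-versus-auxiliary rules are not modelled.

```python
# Hand-written subset of the OpenLDAP schemas: class -> (superclass, MUST, MAY).
# Attribute names use their short forms; the real MAY lists are longer than this.
CORE_SCHEMA = {
    "top":                (None,  {"objectClass"}, set()),
    "person":             ("top", {"cn", "sn"},
                           {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organization":       ("top", {"o"}, {"description", "l", "st", "street", "postalCode"}),
    "organizationalUnit": ("top", {"ou"}, {"description", "l", "st", "street", "postalCode"}),
    "dcObject":           ("top", {"dc"}, set()),
}
# From cosine.ldif and nis.ldif, which the stock cn=config does not load.
COSINE_SCHEMA = {
    "account": ("top", {"uid"}, {"description", "seeAlso", "l", "o", "ou", "host"}),
}
NIS_SCHEMA = {
    "posixAccount":  ("top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                      {"userPassword", "loginShell", "gecos", "description"}),
    "shadowAccount": ("top", {"uid"},
                      {"userPassword", "shadowLastChange", "shadowMin", "shadowMax",
                       "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag",
                       "description"}),
}
FULL_SCHEMA = {**CORE_SCHEMA, **COSINE_SCHEMA, **NIS_SCHEMA}


def check_entry(entry, schema):
    """Return the list of schema violations for an entry (empty means it is valid).

    entry is {attribute: [values]}; names are compared case-insensitively, as LDAP
    does. The first unknown objectClass ends the check, since slapd rejects the
    add at that point.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = {name.lower(): spec for name, spec in schema.items()}
    listed = attrs.get("objectclass", [])
    if not listed:
        return ["objectClass is mandatory but missing"]
    must, may = set(), set()
    for oc in listed:
        name = oc.lower()
        while name is not None:                   # walk up the superclass chain
            if name not in classes:
                return ["objectClass %r is not defined in the loaded schema" % oc]
            sup, m, o = classes[name]
            must |= {a.lower() for a in m}
            may |= {a.lower() for a in o}
            name = sup.lower() if sup else None
    problems = ["missing mandatory attribute %r" % a for a in sorted(must - set(attrs))]
    problems += ["attribute %r is not allowed by the listed objectClasses" % a
                 for a in sorted(set(attrs) - must - may)]
    return problems


# The entry migrate_passwd.pl produced above (hash shortened), and the person hack.
MIGRATED_USER1 = {
    "uid": ["user1"], "cn": ["user1"],
    "objectClass": ["account", "posixAccount", "top", "shadowAccount"],
    "userPassword": ["{crypt}$6$9HqyQ08Q$..."],
    "shadowLastChange": ["18270"], "shadowMin": ["0"], "shadowMax": ["99999"],
    "shadowWarning": ["7"], "loginShell": ["/bin/bash"],
    "uidNumber": ["1001"], "gidNumber": ["1001"], "homeDirectory": ["/home/user1"],
}
HACK_USER1 = {
    "cn": ["Manager", "user1"], "sn": ["user1"], "objectClass": ["person"],
    "userPassword": ["{crypt}$6$9HqyQ08Q$..."],
}

if __name__ == "__main__":
    print("migrated, core only :", check_entry(MIGRATED_USER1, CORE_SCHEMA))
    print("migrated, all loaded:", check_entry(MIGRATED_USER1, FULL_SCHEMA))
    print("person hack, core   :", check_entry(HACK_USER1, CORE_SCHEMA))
```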

Create the domain LDIF file with the base entry and the ou=People container. ldapadd refuses an entry whose parent does not exist yet, so the base must go in before the ou and the ou before the user (dcObject is an auxiliary class, which is why it is combined with a structural one here) -

# vi /etc/openldap/mangodb.com.ldif

dn: dc=mangodb,dc=com
dc: mangodb
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=mangodb,dc=com
ou: People
description: Users of mangodb
objectClass: organizationalUnit

Add the entries to the LDAP database, binding as the root DN (-W prompts for the password given to slappasswd). Without -H the tools talk to ldap://localhost, so the simple bind crosses the loopback interface in clear text; against a remote server use an ldaps:// or StartTLS-protected connection, or bind locally over -H ldapi:/// -

# ldapadd -x -D "cn=Manager,dc=mangodb,dc=com" -W -f /etc/openldap/mangodb.com.ldif
# ldapadd -x -D "cn=Manager,dc=mangodb,dc=com" -W -f /etc/openldap/user1.ldif

Now the directory can be searched. Without -D this is an anonymous bind -

# ldapsearch -x -b 'dc=mangodb,dc=com' '(objectClass=*)'

# extended LDIF
#
# LDAPv3
# base <dc=mangodb,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# mangodb.com
dn: dc=mangodb,dc=com
dc: mangodb
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# People, mangodb.com
dn: ou=People,dc=mangodb,dc=com
ou: People
description: Users of mangodb
objectClass: organizationalUnit

# user1, People, mangodb.com
dn: cn=user1,ou=People,dc=mangodb,dc=com
cn: Manager
cn: user1
sn: user1
objectClass: person
userPassword:: e2NyeXB0fSQ2JDlIcXlRMDhRJHZCU1Y1QVRZQS50VG5UQlkySWJad1djdUgyYmV
Hb3o0cW4uNW1Fbk05MldlSVhMOFBmL2h3N3NkVllSVEM5R1FTWFJnSXNCQzA2MmlTZnZBNmE4Lnow

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
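The search above was anonymous (no -D), and it returned userPassword, i.e. the user's sha512crypt hash, to anyone who can reach port 389: the {2}hdb database definition shown earlier carries no olcAccess, so slapd falls back to its default policy of read access for everyone. The following is an added example, not from the post: a Python model of how slapd evaluates olcAccess (the first matching to clause, then the first matching by clause within it, with the granted level compared against what the operation needs), together with the ldapmodify payload one would apply to cn=config to hide password hashes. The evaluator only understands the selectors that payload uses (*, attrs=, self, anonymous, users); dn-based selectors, regexes and the stop/continue/break controls are not modelled. The entry is user1 from the output above with the hash shortened.

```python
import re

# Access levels in the order slapd ranks them; a granted level covers every
# level before it (e.g. "write" also permits reading).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Suggested ldapmodify payload (constructed for this example) for the database
# defined above. Apply it as root with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
ACL_FIX_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by self write by * read
"""

ROOTDN = "cn=Manager,dc=mangodb,dc=com"   # olcRootDN from the configuration above


def parse_olc_access(ldif_text):
    """Turn olcAccess lines into [(target, [(who, level), ...]), ...].

    target is None for "to *" or a set of lower-cased attribute names for
    "to attrs=...". Only the selectors this example needs are accepted.
    """
    rules = []
    for line in ldif_text.splitlines():
        if not line.startswith("olcAccess:"):
            continue
        value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())  # drop the {n} prefix
        if not value.startswith("to "):
            raise ValueError("olcAccess must start with 'to': %r" % value)
        what, *by_parts = value[3:].split(" by ")
        what = what.strip()
        if what == "*":
            target = None
        elif what.startswith("attrs="):
            target = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        else:
            raise ValueError("<what> selector not modelled here: %r" % what)
        by = []
        for part in by_parts:
            who, level = part.split()
            if who not in ("*", "self", "anonymous", "users") or level not in LEVELS:
                raise ValueError("<by> clause not modelled here: %r" % part)
            by.append((who, level))
        rules.append((target, by))
    return rules


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is "" for an anonymous client (ldapsearch -x without -D)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    return bind_dn != "" and bind_dn.lower() == entry_dn.lower()   # "self"


def access_level(rules, bind_dn, entry_dn, attr):
    """Level the requester gets on one attribute of one entry."""
    if bind_dn.lower() == ROOTDN.lower():
        return "manage"               # the rootdn is never subject to ACLs
    if not rules:
        return "read"                 # no ACLs at all: slapd's default, read for everyone
    for target, by in rules:
        if target is None or attr.lower() in target:       # first matching <what> wins ...
            for who, level in by:
                if who_matches(who, bind_dn, entry_dn):    # ... then the first matching <by>
                    return level
            return "none"             # <what> matched but no <by> did: denied
    return "none"                     # ACLs exist and nothing matched: denied


def visible_attrs(rules, bind_dn, entry_dn, entry):
    """Attributes a search would return: those with at least read access."""
    return {attr: values for attr, values in entry.items()
            if LEVELS.index(access_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index("read")}


# The user1 entry from the search result above, with the hash shortened.
USER1_DN = "cn=user1,ou=People,dc=mangodb,dc=com"
USER1 = {
    "cn": ["Manager", "user1"],
    "sn": ["user1"],
    "objectClass": ["person"],
    "userPassword": ["{crypt}$6$9HqyQ08Q$..."],
}

if __name__ == "__main__":
    rules = parse_olc_access(ACL_FIX_LDIF)
    print("anonymous, no olcAccess :", sorted(visible_attrs([], "", USER1_DN, USER1)))
    print("anonymous, with the fix :", sorted(visible_attrs(rules, "", USER1_DN, USER1)))
    print("user1 itself, with fix  :", sorted(visible_attrs(rules, USER1_DN, USER1_DN, USER1)))
```

The "by anonymous auth" clause is what keeps simple binds working: slapd only needs auth-level access to compare a password internally, and never has to hand the hash to the client. "by self write" lets users change their own password with ldappasswd, and the rootdn bypasses the ACLs entirely. After applying the payload, re-running the anonymous ldapsearch from the post should list cn, sn and objectClass but no userPassword.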


