[[lehrgaenge:linux:index|Linux]]
====== Open LDAP ======
07.11. - 11.11.2011
Instructor: Mr. Pampel
Participants:
Dominik Duszyca
Jörg Grosse
Gaulke Ronny
VMware: run the configuration script with gcc-4.1 as the compiler
''**cc=/usr/bin/gcc-4.1 vmware-config.pl**''
Obtain an IP address via DHCP:
''**dhclient eth0**''
Freemind tool (mind mapping):
VIM tips:
Esc, then '':set list'' (makes whitespace and tabs visible)
DIT = Directory Information Tree (the tree of entries)
DSE = DSA-Specific Entry (the root DSE describes the server itself: naming contexts, supported controls, etc.)
DSA = Directory System Agent (the directory server, here slapd)
DN = Distinguished Name (the full path of an entry in the DIT)
RDN = Relative Distinguished Name (the leftmost component of a DN; unique among the siblings of one parent)
Import the repository signing key:
''**apt-key add debian.key**''
Install OpenLDAP:
''**aptitude install slapd**''
Password = radler (lab password set during the slapd package configuration)
''**aptitude install ldap-utils**''
Core schema: /etc/ldap/schema/core.schema
''**ldapsearch -x -b dc=nodomain**'' (anonymous simple bind, base dc=nodomain)
''**ldapsearch -x -b dc=nodomain -LLL**'' (-LLL: plain LDIF, no comments and no version line)
''**grep -r -A 10 "'organization'" /etc/ldap/schema/core.schema --color**''
''**ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL**'' (bind as admin, -W prompts for the password)
''**ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL +**'' (+ also returns the operational attributes)
''**ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL cn=admin**'' (filter as positional argument)
''**vi users.ldif**''
dn: ou=users,dc=nodomain
objectClass: organizationalUnit
ou: users
''**ldapadd -xW -D cn=admin,dc=nodomain -f users.ldif**''
''**ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL ou=users**''
''**ldapsearch -x -b dc=nodomain -LLL '(objectClass=organizationalUnit)'**''
OR filter (either object class):
''**ldapsearch -x -b dc=nodomain -LLL '(|(objectClass=organizationalUnit)(objectClass=person))'**''
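The filters above are typed by hand. As soon as a script builds a filter from user input (a login name, a search box), the RFC 4515 metacharacters must be escaped, otherwise `*`, `(` and `)` change the meaning of the filter. The following Python is an added example and not part of the course notes or the book; it rebuilds the OR filter from the notes from parts and shows the difference between a naively formatted filter and an escaped one. Attribute and value names are taken from the notes, the hostile input is constructed.

```python
import re

# RFC 4515: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute description: keystring or numeric OID, optionally with ;options (e.g. cn;lang-de)
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter.

    Metacharacters become \\XX hex escapes. Control and non-ASCII characters
    are escaped byte-wise as UTF-8, which every RFC 4515 parser accepts.
    """
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def eq(attr: str, value: str) -> str:
    """Equality filter (attr=value); the attribute name is validated, the value escaped."""
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def naive_user_filter(uid: str) -> str:
    """What most code does first: string formatting without escaping."""
    return f"(uid={uid})"


if __name__ == "__main__":
    # The OR filter from the notes, rebuilt from parts:
    print(or_(eq("objectClass", "organizationalUnit"), eq("objectClass", "person")))
    # Constructed hostile input: a bare "*" turns the equality test into a presence
    # filter that matches every entry with a uid; escaped it matches a literal "*".
    print(naive_user_filter("*"))   # (uid=*)
    print(eq("uid", "*"))           # (uid=\2a)
```

The escaping is the same whether the filter ends up on an ldapsearch command line or in a programmatic search request; for the command line, the finished filter additionally has to be quoted for the shell as the notes do.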
''server1:~# **ldapmodify -xWD cn=admin,dc=nodomain **''
Enter LDAP Password:
dn: cn=Hubenthal,ou=users,dc=nodomain
changetype: modify
replace: description
description: Erster User
modifying entry "cn=Hubenthal,ou=users,dc=nodomain"
''server1:~# **ldapadd -xWD cn=admin,dc=nodomain **''
Enter LDAP Password:
dn: cn=Meyer,ou=users,dc=nodomain
objectClass: person
cn: Meyer
sn: Meyer
adding new entry "cn=Meyer,ou=users,dc=nodomain"
''server1:~# **ldapdelete -xWD cn=admin,dc=nodomain **''
Enter LDAP Password:
cn=Meyer,ou=users,dc=nodomain
''server1:~# **ldapmodrdn -xWD cn=admin,dc=nodomain**''
Enter LDAP Password:
cn=Meyer,ou=users,dc=nodomain
cn=Horst Meyer
(input: the old DN, then the new RDN; without ''-r'' (deleteoldrdn) the old RDN value "Meyer" stays in the entry as a second cn value, as the following search shows)
''server1:~# **ldapsearch -x -b dc=nodomain -LLL '(cn=Meyer)'**''
dn: cn=Horst Meyer,ou=users,dc=nodomain
objectClass: person
cn: Meyer
cn: Horst Meyer
sn: Meyer
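To make the DN/RDN terms from the glossary and the rename result above concrete, here is an added Python example (not from the course notes or the book): it splits a DN into RDNs while honouring RFC 4514 backslash escapes, derives RDN and parent, checks subtree membership the way ''ldapsearch -b'' scopes a search, and models the ModifyDN operation with and without deleteoldrdn so that the two cn values seen above fall out of the code. The entry for Meyer is the one from the notes; the case-insensitive comparison of RDN values is an assumption that holds for cn/ou/dc but not for every attribute type.

```python
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring RFC 4514 backslash escapes.

    'cn=Meyer\\, Horst,ou=users,dc=nodomain' -> ['cn=Meyer\\, Horst', 'ou=users', 'dc=nodomain']
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair untouched
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def rdn(dn: str) -> str:
    """Leftmost component: the entry's own name within its parent."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything right of the first RDN; the suffix entry has no parent ('')."""
    return ",".join(split_dn(dn)[1:])


def _normalize(dn: str) -> List[str]:
    # Lower-case types and values: matches the caseIgnore rules of cn/ou/dc
    # (assumption; attributes with exact matching would need their own rule).
    out = []
    for part in split_dn(dn):
        attr, _, value = part.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_within(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (scope sub, as ldapsearch -b)."""
    d, b = _normalize(dn), _normalize(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def apply_modrdn(entry: Dict[str, List[str]], new_rdn: str,
                 deleteoldrdn: bool) -> Dict[str, List[str]]:
    """Model the server side of ModifyDN (ldapmodrdn; -r sets deleteoldrdn).

    The new RDN value is added to the entry's attributes; the old value is only
    removed when deleteoldrdn is set. The input dict is left unchanged.
    """
    parts = split_dn(entry["dn"])
    old_attr, _, old_val = parts[0].partition("=")
    new_attr, _, new_val = new_rdn.partition("=")
    old_attr, old_val = old_attr.strip(), old_val.strip()
    new_attr, new_val = new_attr.strip(), new_val.strip()
    result = {k: list(v) for k, v in entry.items() if k != "dn"}
    result["dn"] = ",".join([new_rdn] + parts[1:])
    values = result.setdefault(new_attr, [])
    if new_val.lower() not in (v.lower() for v in values):
        values.append(new_val)
    if deleteoldrdn:
        result[old_attr] = [v for v in result.get(old_attr, [])
                            if v.lower() != old_val.lower()]
    return result


if __name__ == "__main__":
    meyer = {"dn": "cn=Meyer,ou=users,dc=nodomain",
             "objectClass": ["person"], "cn": ["Meyer"], "sn": ["Meyer"]}
    print(rdn(meyer["dn"]), "|", parent_dn(meyer["dn"]))
    print(apply_modrdn(meyer, "cn=Horst Meyer", deleteoldrdn=False)["cn"])  # ['Meyer', 'Horst Meyer']
    print(apply_modrdn(meyer, "cn=Horst Meyer", deleteoldrdn=True)["cn"])   # ['Horst Meyer']
```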
''**aptitude install ldapvi screen multitail ccze**''
~/.ldapvirc (holds the bind password in clear text, so keep it mode 0600):
''server1:~# **cat .ldapvirc **''
profile default
host: ldapi:///
user: cn=admin,dc=nodomain
password: radler
base: dc=nodomain
ldif: yes
profile site
host: ldapi:///
user: cn=ldapadmin,dc=local,dc=site
password: radler
base: dc=local,dc=site
ldif: yes
''**ldapvi --profile site**''
''server1:~# **ldapcompare -x "cn=Ralf Schmidt,ou=users,dc=nodomain" sn:schmidt**''
TRUE
Root DSE with operational attributes (the base must be given as the empty string, otherwise ''-s'' would be taken as the base):
''**ldapsearch -x -b '' -s base +|less**''
Subschema: which object classes the server knows:
''**ldapsearch -x -b 'cn=subschema' -s base objectClasses**''
''**ldapsearch -x -b 'cn=subschema' -s base objectClasses|grep organizationalUnit**''
''**slapadd -n2 -l /root/openldap24/kapitel/2.3/ldapmaster/ldif/struktur.ldif**''
''**aptitude install phpldapadmin**''
Example entry as shown in ldapvi (the ''ldapvi-key'' line is added by the editor and is not part of the entry):
dn: uid=eripley,ou=xeno,ou=forschung,dc=local,dc=site
ldapvi-key: 10
objectClass: posixAccount
objectClass: inetOrgPerson
uid: eripley
uidNumber: 907
gidNumber: 100
description: Employee Ellen Ripley, clone 2, department Forschung, sub-department Xeno
sn: Ripley
mail: eripley@xeno.forschung.local.site
telephoneNumber: 0800-xenoforschung-907
homeDirectory: /home/eripley
loginShell: /bin/bash
userPassword: {SSHA}e25UieR1GG2EJBZDWHGWW8Ys2N7aEzmH
cn: Ellen Ripley 2
===== Backup =====
Dump the directory (slapcat writes LDIF including the password hashes, so protect the file):
''**slapcat -b dc=local,dc=site -l /var/backups/local.site.ldif**''
Stop slapd (slapadd must not run against a live database):
''**/etc/init.d/slapd stop**''
Restore:
''**slapadd -b dc=local,dc=site -l /var/backups/local.site.ldif**''
Fix ownership (slapadd ran as root; the database files must belong to the openldap user):
''**chown -R openldap.openldap /var/lib/ldap2/**''
Start:
''**/etc/init.d/slapd start**''
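Before a dump is trusted as a backup it is worth parsing it: is every entry under the expected suffix, how many entries are there, and how many password hashes does the file carry (which decides how it must be protected). The following Python is an added example and not from the course or the book. It implements the LDIF rules that slapcat output relies on (folded continuation lines, '':: '' base64 values, comments) and runs the checks over a constructed sample dump in the shape of the notes' data; the sample is not real data from the course.

```python
import base64
from typing import Dict, List

LDIFEntry = Dict[str, List[str]]

# Constructed sample in the shape of a slapcat dump (not real data from the course).
# The userPassword is written the way slapcat writes it: base64, marked by "::".
_PW = base64.b64encode(b"{SSHA}e25UieR1GG2EJBZDWHGWW8Ys2N7aEzmH").decode("ascii")
SAMPLE_DUMP = f"""dn: dc=local,dc=site
objectClass: dcObject
objectClass: organization
dc: local
o: local.site
entryUUID: 3a1f0d3e-6d2a-1030-9f2b-000000000001

dn: ou=users,dc=local,dc=site
objectClass: organizationalUnit
ou: users

dn: cn=Meyer,ou=users,dc=local,dc=site
objectClass: person
cn: Meyer
sn: Meyer
description: a long value folded onto
  a second line
userPassword:: {_PW}
"""


def parse_ldif(text: str) -> List[LDIFEntry]:
    """Parse LDIF as written by slapcat/ldapsearch into a list of attribute dicts."""
    # 1. Unfold: a line starting with one space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    # 2. Entries are separated by blank lines; a trailing "" flushes the last one.
    entries: List[LDIFEntry] = []
    current: LDIFEntry = {}
    for line in lines + [""]:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):               # "attr:< file:///..." kept as reference
            value = rest[1:].strip()
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def check_dump(entries: List[LDIFEntry], suffix: str) -> Dict[str, int]:
    """Sanity checks on a backup: dn present, dn under the suffix, password hashes counted."""
    report = {"entries": len(entries), "without_dn": 0, "outside_suffix": 0, "with_password": 0}
    sfx = suffix.lower()
    for entry in entries:
        dn_values = entry.get("dn")
        if not dn_values:
            report["without_dn"] += 1
            continue
        dn = dn_values[0].lower()
        if not (dn == sfx or dn.endswith("," + sfx)):
            report["outside_suffix"] += 1
        if "userPassword" in entry:
            report["with_password"] += 1
    return report


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_DUMP)
    print(check_dump(entries, "dc=local,dc=site"))
    # {'entries': 3, 'without_dn': 0, 'outside_suffix': 0, 'with_password': 1}
```

A non-zero ''with_password'' count means the dump file must be readable by root only (''chmod 600'') and belongs on encrypted or access-controlled backup media, since the {SSHA} hashes in it are offline-crackable.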
''**aptitude install libnss-ldapd**''
PAM configuration in /etc/pam.d (''[success=1 default=ignore]'' skips the following pam_ldap line when the local account succeeds; ''use_first_pass'' makes pam_ldap reuse the password already entered):
common-auth:
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
common-account:
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
common-password:
password [success=1 default=ignore] pam_unix.so
password required pam_ldap.so nullok obscure md5
password required pam_permit.so
''**aptitude install ntp**''
/etc/ntp.conf (synchronised clocks matter for replication and for TLS certificate validity):
server 192.168.20.150 iburst minpoll 4 maxpoll 4
''**/etc/init.d/ntp restart**''
''**watch -n1 ntpq -p**''
Overlays (accesslog, in slapd.conf; a separate database receives the log entries):
moduleload back_hdb
moduleload accesslog
database hdb
suffix "cn=logs"
rootdn "cn=logs"
rootpw {SSHA}b5xyvtd5svAUWkFc++XhGtmp4fe/1IHJ
directory /var/lib/ldaplog
index reqStart,reqEnd,reqMod,reqResult eq
overlay accesslog
logdb cn=logs
logops writes session
logpurge 08:00 00:30
(logpurge <age> <interval>: log entries older than 8 hours are purged, checked every 30 minutes)
Replication:
On the provider, in /etc/ldap/slapd.conf:
moduleload syncprov
overlay syncprov
On the consumer, in /etc/ldap/slapd.conf:
moduleload syncprov
overlay syncprov
(after rootpw)
syncrepl rid=01
provider=ldap://192.168.3.4
type=refreshAndPersist
searchbase="dc=local,dc=site"
bindmethod=simple
binddn="cn=ldapadmin,dc=local,dc=site"
credentials="radler"
(the credentials are stored in clear text, so slapd.conf must not be world-readable; with bindmethod=simple they also cross the network in clear text unless ''starttls=yes'' is added to the syncrepl stanza, see Transport security)
Writable consumer (book page 195):
On the consumer, in /etc/ldap/slapd.conf:
moduleload back_ldap
overlay chain
chain-uri "ldap://192.168.3.4"
chain-idassert-bind bindmethod=simple
binddn="cn=ldapadmin,dc=local,dc=site"
credentials="radler"
mode=self
chain-return-error true
chain-rebind-as-user true
(below syncrepl rid=01:)
updateref "ldap://192.168.3.4"
''**/etc/init.d/slapd restart**''
Add indexes (slapd must be stopped while slapindex runs):
''**/etc/init.d/slapd stop**''
''**vi /etc/ldap/slapd.conf**''
index entryCSN,entryUUID,uid eq
''**slapindex -b dc=local,dc=site**''
''**ls -l /var/lib/ldap2**''
Index files created by root must be handed back to the openldap user:
''**chown -R openldap.openldap /var/lib/ldap2/**''
''**ls -l /var/lib/ldap2**''
''**/etc/init.d/slapd start**''
Consumer writable, client side (use the local Unix socket):
''**vi /etc/default/slapd**''
SLAPD_SERVICES="ldap:/// ldapi:///"
''**vi /etc/pam_ldap.conf**''
uri ldapi:///
''**vi /etc/libnss-ldap.conf**''
uri ldapi:///
Create a POSIX group:
''**vi group.ldif**''
dn: cn=linuxgroup1,ou=verkauf,dc=local,dc=site
objectClass: top
objectClass: posixGroup
cn: linuxgroup1
gidNumber: 5001
description: Testgruppe
memberUid: hcallahan
memberUid: ckent
''**ldapadd -xW -D cn=ldapadmin,dc=local,dc=site -f group.ldif **''
===== Transport security =====
SSL/TLS
StartTLS: port 389 (upgrades the plain LDAP connection)
LDAPS: port 636 (TLS from the first byte)
CA = certificate authority
key (private, secret)
cert (public)
Tools: openssl, gnomint (GUI)
openssl.cnf from the book:
''**export OPENSSL_CONF=/root/openssl.cnf**''
===== Create the certificate authority: =====
(the 1024-bit RSA keys and sha1WithRSAEncryption in the transcripts below are the 2011 defaults; today use at least 2048-bit RSA and SHA-256)
''server1:~# **/usr/lib/ssl/misc/CA.sh -newca**''
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
.....................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
TLD domain component (dc=site) [site]:
Second domain component (dc=local) [local]:
State or Province Name (full name) [Deutschland]:
Locality Name (eg, city) [Dresden]:
Organization Name (eg, company) [Brainstorm]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [ldapmaster.local.site]:
Email Address []:ldapamin@ldapmaster.local.site
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 10 09:12:15 2011 GMT
Not After : Nov 9 09:12:15 2014 GMT
Subject:
domainComponent = site
domainComponent = local
stateOrProvinceName = Deutschland
organizationName = Brainstorm
commonName = ldapmaster.local.site
emailAddress = ldapamin@ldapmaster.local.site
X509v3 extensions:
X509v3 Subject Key Identifier:
AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 9 09:12:15 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
===== Server key and certificate request (use a strong passphrase) =====
''server1:~# **/usr/lib/ssl/misc/CA.sh -newreq**''
Generating a 1024 bit RSA private key
....++++++
...++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
TLD domain component (dc=site) [site]:
Second domain component (dc=local) [local]:
State or Province Name (full name) [Deutschland]:
Locality Name (eg, city) [Dresden]:
Organization Name (eg, company) [Brainstorm]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [ldapmaster.local.site]:
Email Address []:ldapamin@ldapmaster.local.site
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
===== Sign the server certificate =====
''server1:~# **/usr/lib/ssl/misc/CA.sh -sign**''
Using configuration from /root/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 10 09:23:36 2011 GMT
Not After : Nov 9 09:23:36 2012 GMT
Subject:
domainComponent = site
domainComponent = local
stateOrProvinceName = Deutschland
localityName = Dresden
organizationName = Brainstorm
commonName = ldapmaster.local.site
emailAddress = ldapamin@ldapmaster.local.site
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6A:9E:48:63:D7:00:37:A9:D5:57:F5:22:03:F2:39:D6:DE:76:41:5C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
Certificate is to be certified until Nov 9 09:23:36 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=site, DC=local, ST=Deutschland, O=Brainstorm, CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
Validity
Not Before: Nov 10 09:23:36 2011 GMT
Not After : Nov 9 09:23:36 2012 GMT
Subject: DC=site, DC=local, ST=Deutschland, L=Dresden, O=Brainstorm, CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c3:25:76:17:5c:b7:5c:4a:9a:04:0c:ff:87:00:
7b:a2:10:52:98:3b:17:ed:80:ce:37:00:47:66:a5:
e6:c2:8e:25:a9:a2:60:ae:94:be:84:e4:7a:89:de:
62:e3:39:e9:27:5b:c5:15:11:86:f4:46:a9:d6:67:
b3:39:cf:58:ad:5c:83:64:4b:0c:94:d9:f9:6d:76:
c5:84:48:ac:61:64:c0:01:e5:10:c7:0b:25:a5:01:
4a:44:e8:f4:1c:d6:b1:47:8a:fd:5c:96:b0:8d:f1:
0a:76:40:21:05:39:a9:b1:9f:73:4e:02:e6:e2:15:
a1:a9:69:92:d6:d0:0d:58:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6A:9E:48:63:D7:00:37:A9:D5:57:F5:22:03:F2:39:D6:DE:76:41:5C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
Signature Algorithm: sha1WithRSAEncryption
62:c9:43:39:e3:7c:80:bd:d0:54:45:be:4a:04:be:7a:89:f6:
88:90:ca:e4:3a:4a:5c:13:ba:0f:5c:5a:54:3f:9d:be:43:0d:
07:6c:00:62:b8:69:44:dc:40:8f:a5:84:9f:9c:c4:66:b0:ed:
9b:54:2e:e6:06:ff:8d:c8:61:82:63:94:32:ca:f5:44:5c:51:
e7:aa:09:ee:a5:4a:00:b1:a7:c5:e4:5b:54:72:39:80:4d:3e:
cf:04:b5:77:6f:9c:2b:c7:af:5d:e0:e9:54:52:af:b4:83:d7:
b5:4d:77:e2:db:11:a7:d3:35:37:ed:ea:6b:a4:18:df:a4:aa:
75:53
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
''server1:~# **ls new***''
newcert.pem newkey.pem newreq.pem
===== Rename to meaningful names =====
''server1:~# **mv newkey.pem ldapmaster.local.site_key.pem**''
''server1:~# **mv newcert.pem ldapmaster.local.site_cert.pem**''
''server1:~# **mv newreq.pem ldapmaster.local.site_req.pem**''
===== Remove the passphrase (slapd has to start unattended; protect the key with file permissions instead): =====
''server1:~# **openssl rsa -in ldapmaster.local.site_key.pem -out ldapmaster.local.site_key_nopw.pem**''
''server1:~# **cp ldapmaster.local.site_key_nopw.pem /etc/ssl/private/**''
''server1:~# **adduser openldap ssl-cert**''
''server1:~# **chown :ssl-cert /etc/ssl/private/ldapmaster.local.site_key_nopw.pem **''
''server1:~# **chmod 640 /etc/ssl/private/ldapmaster.local.site_key_nopw.pem **''
''server1:~# **cp ldapmaster.local.site_cert.pem /etc/ssl/certs/**''
''server1:~# **cp demoCA/cacert.pem /etc/ssl/certs/**''
''server1:~# **vi /etc/ldap/slapd.conf**''
Global directives, after the moduleload lines:
TLSCertificateFile /etc/ssl/certs/ldapmaster.local.site_cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldapmaster.local.site_key_nopw.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient allow
(''allow'' requests a client certificate but also accepts connections without one; ''demand'' enforces mutual TLS)
On server2:
''**scp 192.168.3.4:/etc/ssl/certs/cacert.pem /etc/ssl/certs/**''
''**vi /etc/hosts**''
192.168.3.4 ldapmaster.local.site (the host name used by the client must match the certificate's CN)
''**vi .ldaprc**'' (book page 255)
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT allow
(''allow'' is for testing only; the default ''demand'' makes the client reject a server certificate it cannot verify)
''**ldapsearch -x -b dc=local,dc=site -h ldapmaster.local.site -LLL -ZZ**'' (-ZZ: StartTLS, and fail if it does not succeed)
If the ssl-cert group does not exist yet (needed before ''adduser openldap ssl-cert'' above):
''**groupadd -r ssl-cert**''
In the consumer's syncrepl stanza in /etc/ldap/slapd.conf, so that replication also runs over TLS:
starttls=yes
##################################################################
ACL
Test offline what a bind DN may do with an entry (evaluates slapd.conf, no running server needed):
''**slapacl -D cn=replicator,dc=local,dc=site -b uid=ckent,ou=verkauf,dc=local,dc=site**''
The same check against the running server:
''server1:~# **ldapsearch -xWD cn=replicator,dc=local,dc=site -b dc=local,dc=site uid=ckent**''
Add a custom schema (include it in slapd.conf):
include /etc/ldap/schema/addPersonInfo.schema
''**ldapvi --profile site**'' (extend the entry with:)
objectClass: additionalPersonInformation
alternativeMail: ckent@gmx.de
Search as the user himself (the bind DN is the user's own entry, so the ACL rules for "self" apply):
''**ldapsearch -xWD uid=ckent,ou=verkauf,dc=local,dc=site -b ou=verkauf,dc=local,dc=site -LLL**''
''**ldapsearch -xWD uid=ckent,ou=verkauf,dc=local,dc=site -b ou=verkauf,dc=local,dc=site -LLL uid=ckent**''
##################################################################
Debian Squeeze (dynamic configuration in cn=config)
''**vi ~/.ldapvirc:**''
profile: config
base: cn=config
host: ldapi:///
sasl-mech: EXTERNAL
(SASL EXTERNAL over ldapi:/// authenticates with the Unix uid of the caller; root is granted access to cn=config by the Debian default ACL)
''**update-alternatives --config editor**''
Selection Path Priority Status
------------------------------------------------------------
* 0 /bin/nano 40 auto mode
1 /bin/nano 40 manual mode
2 /usr/bin/vim.basic 30 manual mode
3 /usr/bin/vim.tiny 10 manual mode
Selection: 2
''**ldapvi --profile config**''
Convert slapd.conf to cn=config (writes the slapd.d-style configuration into the directory ldapconfig):
''**slaptest -f /etc/ldap/slapd.conf -F ldapconfig**''
#########################
Links
http://de.wikibooks.org
#########################
Display a graphical program from the server on the local screen (X11 forwarding):
''**ssh -X user@IP /path/to/program**''
e.g.
''**ssh -X kit@192.168.3.103 /usr/bin/xclock**''
E-book management: Calibre