Open LDAP
07.11 - 11.11.2011, instructor: Mr Pampel
Participants: Dominik Duszyca, Jörg Grosse Gaulke, Ronny
Change VMware (vmware-config.pl reads the compiler from the CC environment variable):
CC=/usr/bin/gcc-4.1 vmware-config.pl
Get an IP address: dhclient eth0
Freemind tool:
VIM tip: Esc, then :set list (makes whitespace visible)
DIT = Directory Information Tree
DSE = Directory Service Entry (information)
DSA = Directory Service Agent
DN = Distinguished Name
RDN = Relative Distinguished Name
Add the key:
apt-key add debian.key
Install OpenLDAP:
aptitude install slapd
Password = radler
aptitude install ldap-utils
/etc/ldap/schema/core.schema
ldapsearch -x -b dc=nodomain
ldapsearch -x -b dc=nodomain -LLL
grep -r -A 10 "'organization'" /etc/ldap/schema/core.schema --color
ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL
ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL +
ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL cn=admin
vi users.ldif
dn: ou=users,dc=nodomain
objectClass: organizationalUnit
ou: users
ldapadd -xW -D cn=admin,dc=nodomain -f users.ldif
ldapsearch -xW -D cn=admin,dc=nodomain -b dc=nodomain -LLL ou=users
ldapsearch -x -b dc=nodomain -LLL '(objectClass=organizationalUnit)'
Or search:
ldapsearch -x -b dc=nodomain -LLL '(|(objectClass=organizationalUnit)(objectClass=person))'
server1:~# ldapmodify -xWD cn=admin,dc=nodomain
Enter LDAP Password:
dn: cn=Hubenthal,ou=users,dc=nodomain
changetype: modify
replace: description
description: Erster User

modifying entry "cn=Hubenthal,ou=users,dc=nodomain"

server1:~# ldapadd -xWD cn=admin,dc=nodomain
Enter LDAP Password:
dn: cn=Meyer,ou=users,dc=nodomain
objectClass: person
cn: Meyer
sn: Meyer

adding new entry "cn=Meyer,ou=users,dc=nodomain"

server1:~# ldapdelete -xWD cn=admin,dc=nodomain
Enter LDAP Password:
cn=Meyer,ou=users,dc=nodomain

server1:~# ldapmodrdn -xWD cn=admin,dc=nodomain
Enter LDAP Password:
cn=Meyer,ou=users,dc=nodomain
cn=Horst Meyer

server1:~# ldapsearch -x -b dc=nodomain -LLL '(cn=Meyer)'
dn: cn=Horst Meyer,ou=users,dc=nodomain
objectClass: person
cn: Meyer
cn: Horst Meyer
sn: Meye
aptitude install ldapvi screen multitail ccze
server1:~# cat .ldapvirc
profile default
host: ldapi:///
user: cn=admin,dc=nodomain
password: radler
base: dc=nodomain
ldif: yes

profile site
host: ldapi:///
user: cn=ldapadmin,dc=local,dc=site
password: radler
base: dc=local,dc=site
ldif: yes

ldapvi --profile site

server1:~# ldapcompare -x "cn=Ralf Schmidt,ou=users,dc=nodomain" sn:schmidt
TRUE
ldapsearch -x -b '' -s base +|less
ldapsearch -x -b 'cn=subschema' -s base objectClasses
ldapsearch -x -b 'cn=subschema' -s base objectClasses|grep organizationalUnit
slapadd -n2 -l /root/openldap24/kapitel/2.3/ldapmaster/ldif/struktur.ldif
aptitude install phpldapadmin
dn: uid=eripley,ou=xeno,ou=forschung,dc=local,dc=site
ldapvi-key: 10
objectClass: posixAccount
objectClass: inetOrgPerson
uid: eripley
uidNumber: 907
gidNumber: 100
description: Mitarbeiterin Ellen Ripley, Klon 2, Abteilung Forschung, Unterabteilung Xeno
sn: Ripley
mail: eripley@xeno.forschung.local.site
telephoneNumber: 0800-xenoforschung-907
homeDirectory: /home/eripley
loginShell: /bin/bash
userPassword: {SSHA}e25UieR1GG2EJBZDWHGWW8Ys2N7aEzmH
cn: Ellen Ripley 2
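The `userPassword` value above uses slapd's default `{SSHA}` scheme: base64 of SHA-1(password + salt) followed by the salt (4 bytes by default). The following Python code is an added example, not from the notes, that generates and verifies such values and splits a stored value into digest and salt; the names `ssha_hash`, `ssha_verify` and `parse_ssha` and the sample password are my own.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 produces 20 bytes; everything after that is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value in the form slapd stores it."""
    if salt is None:
        salt = os.urandom(4)  # slapd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    digest, salt = parse_ssha(stored)
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    # Constructed sample password; the value on the notes page is not verified here.
    value = ssha_hash("example-pw")
    print(value)
    print(ssha_verify("example-pw", value))   # True
    print(ssha_verify("wrong", value))        # False
    # The stored value from the notes has the expected 20-byte digest + 4-byte salt layout.
    d, s = parse_ssha("{SSHA}e25UieR1GG2EJBZDWHGWW8Ys2N7aEzmH")
    print(len(d), len(s))
```

The salt only prevents two identical passwords from producing the same stored value; SSHA is a single unsalted-iteration SHA-1 and is fast to compute, so the `password-hash` directive in slapd.conf is where a slower scheme is selected if one is available on the server.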
Backup
Save LDAP:
slapcat -b dc=local,dc=site -l /var/backups/local.site.ldif
Stop:
/etc/init.d/slapd stop
Restore:
slapadd -b dc=local,dc=site -l /var/backups/local.site.ldif
Fix ownership:
chown -R openldap.openldap /var/lib/ldap2/
Start:
/etc/init.d/slapd start
aptitude install libnss-ldapd
common-auth:
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

common-account:
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so

common-password:
password [success=1 default=ignore] pam_unix.so
password required pam_ldap.so nullok obscure md5
password required pam_permit.so
aptitude install ntp
server 192.168.20.150 iburst minpoll 4 maxpoll 4
/etc/init.d/ntp restart
watch -n1 ntpq -p
Overlays:
moduleload back_hdb
moduleload accesslog

database hdb
suffix "cn=logs"
rootdn "cn=logs"
rootpw {SSHA}b5xyvtd5svAUWkFc++XhGtmp4fe/1IHJ
directory /var/lib/ldaplog
index reqStart,reqEnd,reqMod,reqResult eq

overlay accesslog
logdb cn=logs
logops writes session
logpurge 08:00 00:30
Replication: on the provider in /etc/ldap/slapd.conf
moduleload syncprov
overlay syncprov

On the consumer in /etc/ldap/slapd.conf
moduleload syncprov
overlay syncprov
(after rootpw)
syncrepl rid=01
  provider=ldap://192.168.3.4
  type=refreshAndPersist
  searchbase="dc=local,dc=site"
  bindmethod=simple
  binddn="cn=ldapadmin,dc=local,dc=site"
  credentials="radler"

Writable consumer (book page 195): on the consumer in /etc/ldap/slapd.conf
moduleload back_ldap
overlay chain
chain-uri "ldap://192.168.3.4"
chain-idassert-bind bindmethod=simple
  binddn="cn=ldapadmin,dc=local,dc=site"
  credentials="radler"
  mode=self
chain-return-error true
chain-rebind-as-user true
(below syncrepl rid=01)
updateref "ldap://192.168.3.4"
/etc/init.d/slapd restart
Add indexes:
/etc/init.d/slapd stop
vi /etc/ldap/slapd.conf
index entryCSN,entryUUID,uid eq
slapindex -b dc=local,dc=site
ls -l /var/lib/ldap2
chown -R openldap.openldap /var/lib/ldap2/
ls -l /var/lib/ldap2
/etc/init.d/slapd start
Consumer writable:
vi /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:///"
vi /etc/pam_ldap.conf
uri ldapi:///
vi /etc/libnss-ldap.conf
uri ldapi:///
Create a POSIX group:
vi group.ldif
dn: cn=linuxgroup1,ou=verkauf,dc=local,dc=site
objectClass: top
objectClass: posixGroup
cn: linuxgroup1
gidNumber: 5001
description: Testgruppe
memberUid: hcallahan
memberUid: ckent
ldapadd -xW -D cn=ldapadmin,dc=local,dc=site -f group.ldif
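`ldapadd` rejects an entry that lacks a MUST attribute of one of its object classes, but only after the bind. The following Python code is an added example, not part of the notes, that parses LDIF offline and reports missing MUST attributes (organizationalUnit, person, inetOrgPerson, posixAccount, posixGroup, as defined in RFC 4519, RFC 2798 and RFC 2307) and non-numeric uidNumber/gidNumber values before the file is sent to the server. The sample LDIF is built from the group and user entries in these notes plus a deliberately broken entry; the names `parse_ldif`, `problems` and `validate` are my own.

```python
"""Check LDIF entries for missing MUST attributes before ldapadd (added example)."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# MUST attributes per object class (RFC 4519, RFC 2798, RFC 2307).
MUST: Dict[str, List[str]] = {
    "organizationalUnit": ["ou"],
    "person": ["sn", "cn"],
    "inetOrgPerson": ["sn", "cn"],  # inherits person's MUST list
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "posixGroup": ["cn", "gidNumber"],
}
NUMERIC = ["uidNumber", "gidNumber"]


def _unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one attribute -> values dict per entry; 'dn' is kept as an attribute."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def problems(entry: Entry) -> List[str]:
    """Missing MUST attributes and non-numeric id values for one entry."""
    lower = {a.lower(): v for a, v in entry.items()}   # attribute names are case-insensitive
    missing: List[str] = []
    for oc in entry.get("objectClass", []):
        for attr in MUST.get(oc, []):
            if attr.lower() not in lower and attr not in missing:
                missing.append(attr)
    found = [f"missing {a}" for a in missing]
    for attr in NUMERIC:
        for v in lower.get(attr.lower(), []):
            if not v.isdigit():
                found.append(f"{attr} is not numeric: {v!r}")
    return found


def validate(text: str) -> Dict[str, List[str]]:
    """Map every entry's dn to its problem list (empty list means ok)."""
    return {e["dn"][0]: problems(e) for e in parse_ldif(text)}


# Constructed sample: the two entries from the notes and one broken entry.
SAMPLE_LDIF = """\
dn: cn=linuxgroup1,ou=verkauf,dc=local,dc=site
objectClass: top
objectClass: posixGroup
cn: linuxgroup1
gidNumber: 5001
description: Testgruppe
memberUid: hcallahan
memberUid: ckent

dn: uid=eripley,ou=xeno,ou=forschung,dc=local,dc=site
objectClass: posixAccount
objectClass: inetOrgPerson
uid: eripley
uidNumber: 907
gidNumber: 100
sn: Ripley
cn: Ellen Ripley 2
homeDirectory: /home/eripley
loginShell: /bin/bash

dn: cn=broken,ou=verkauf,dc=local,dc=site
objectClass: posixGroup
cn: broken
gidNumber: five
"""

if __name__ == "__main__":
    for dn, issues in validate(SAMPLE_LDIF).items():
        print(dn, "->", issues or "ok")
```

Run it on `group.ldif` by reading the file into `validate`; an entry whose list is non-empty would be refused by slapd with an object class violation, so the check saves a round trip.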
Transport security
SSL/TLS
StartTLS on port 389, SSL on port 636
CA = certificate authority
key (secret), cert (public)
openssl, gnomint (GUI)
openssl.cnf from the book:
export OPENSSL_CONF=/root/openssl.cnf
Create the certificate authority:
server1:~# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
.....................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
TLD Domaenen-Komponente (dc=site) [site]:
Zweite Domaenen-Komponente (dc=local) [local]:
State or Province Name (full name) [Deutschland]:
Locality Name (eg, city) [Dresden]:
Organization Name (eg, company) [Brainstorm]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [ldapmaster.local.site]:
Email Address []:ldapamin@ldapmaster.local.site
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 10 09:12:15 2011 GMT
Not After : Nov 9 09:12:15 2014 GMT
Subject:
domainComponent = site
domainComponent = local
stateOrProvinceName = Deutschland
organizationName = Brainstorm
commonName = ldapmaster.local.site
emailAddress = ldapamin@ldapmaster.local.site
X509v3 extensions:
X509v3 Subject Key Identifier:
AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 9 09:12:15 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA certificate (secure password)
server1:~# /usr/lib/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
....++++++
...++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
TLD Domaenen-Komponente (dc=site) [site]:
Zweite Domaenen-Komponente (dc=local) [local]:
State or Province Name (full name) [Deutschland]:
Locality Name (eg, city) [Dresden]:
Organization Name (eg, company) [Brainstorm]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [ldapmaster.local.site]:
Email Address []:ldapamin@ldapmaster.local.site
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Sign the server certificate:
server1:~# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /root/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 10 09:23:36 2011 GMT
Not After : Nov 9 09:23:36 2012 GMT
Subject:
domainComponent = site
domainComponent = local
stateOrProvinceName = Deutschland
localityName = Dresden
organizationName = Brainstorm
commonName = ldapmaster.local.site
emailAddress = ldapamin@ldapmaster.local.site
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6A:9E:48:63:D7:00:37:A9:D5:57:F5:22:03:F2:39:D6:DE:76:41:5C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
Certificate is to be certified until Nov 9 09:23:36 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=site, DC=local, ST=Deutschland, O=Brainstorm, CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
Validity
Not Before: Nov 10 09:23:36 2011 GMT
Not After : Nov 9 09:23:36 2012 GMT
Subject: DC=site, DC=local, ST=Deutschland, L=Dresden, O=Brainstorm, CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c3:25:76:17:5c:b7:5c:4a:9a:04:0c:ff:87:00:
7b:a2:10:52:98:3b:17:ed:80:ce:37:00:47:66:a5:
e6:c2:8e:25:a9:a2:60:ae:94:be:84:e4:7a:89:de:
62:e3:39:e9:27:5b:c5:15:11:86:f4:46:a9:d6:67:
b3:39:cf:58:ad:5c:83:64:4b:0c:94:d9:f9:6d:76:
c5:84:48:ac:61:64:c0:01:e5:10:c7:0b:25:a5:01:
4a:44:e8:f4:1c:d6:b1:47:8a:fd:5c:96:b0:8d:f1:
0a:76:40:21:05:39:a9:b1:9f:73:4e:02:e6:e2:15:
a1:a9:69:92:d6:d0:0d:58:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6A:9E:48:63:D7:00:37:A9:D5:57:F5:22:03:F2:39:D6:DE:76:41:5C
X509v3 Authority Key Identifier:
keyid:AB:78:72:B0:0F:B0:04:7D:46:D4:9B:7D:38:E1:03:4F:BD:6C:73:0C
DirName:/DC=site/DC=local/ST=Deutschland/O=Brainstorm/CN=ldapmaster.local.site/emailAddress=ldapamin@ldapmaster.local.site
serial:00
Signature Algorithm: sha1WithRSAEncryption
62:c9:43:39:e3:7c:80:bd:d0:54:45:be:4a:04:be:7a:89:f6:
88:90:ca:e4:3a:4a:5c:13:ba:0f:5c:5a:54:3f:9d:be:43:0d:
07:6c:00:62:b8:69:44:dc:40:8f:a5:84:9f:9c:c4:66:b0:ed:
9b:54:2e:e6:06:ff:8d:c8:61:82:63:94:32:ca:f5:44:5c:51:
e7:aa:09:ee:a5:4a:00:b1:a7:c5:e4:5b:54:72:39:80:4d:3e:
cf:04:b5:77:6f:9c:2b:c7:af:5d:e0:e9:54:52:af:b4:83:d7:
b5:4d:77:e2:db:11:a7:d3:35:37:ed:ea:6b:a4:18:df:a4:aa:
75:53
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
server1:~# ls new*
newcert.pem newkey.pem newreq.pem
Rename to descriptive names:
server1:~# mv newkey.pem ldapmaster.local.site_key.pem
server1:~# mv newcert.pem ldapmaster.local.site_cert.pem
server1:~# mv newreq.pem ldapmaster.local.site_req.pem
Remove the passphrase:
server1:~# openssl rsa -in ldapmaster.local.site_key.pem -out ldapmaster.local.site_key_nopw.pem
server1:~# cp ldapmaster.local.site_key_nopw.pem /etc/ssl/private/
server1:~# adduser openldap ssl-cert
server1:~# chown :ssl-cert /etc/ssl/private/ldapmaster.local.site_key_nopw.pem
server1:~# chmod 640 /etc/ssl/private/ldapmaster.local.site_key_nopw.pem
server1:~# cp ldapmaster.local.site_cert.pem /etc/ssl/certs/
server1:~# cp demoCA/cacert.pem /etc/ssl/certs/
server1:~# vi /etc/ldap/slapd.conf
Global directives: after moduleload
TLSCertificateFile /etc/ssl/certs/ldapmaster.local.site_cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldapmaster.local.site_key_nopw.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient allow
On server2:
scp 192.168.3.4:/etc/ssl/certs/cacert.pem /etc/ssl/certs/
vi /etc/hosts
192.168.3.4 ldapmaster.local.site
vi .ldaprc (book page 255)
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT allow
ldapsearch -x -b dc=local,dc=site -h ldapmaster.local.site -LLL -ZZ
groupadd -r ssl-cert
In /etc/ldap/slapd.conf: starttls=yes
################################################################## ACL
slapacl -D cn=replicator,dc=local,dc=site -b uid=ckent,ou=verkauf,dc=local,dc=site
server1:~# ldapsearch -xWD cn=replicator,dc=local,dc=site -b dc=local,dc=site uid=ckent
Include own schema: include /etc/ldap/schema/addPersonInfo.schema
ldapvi --profile site
objectClass: additionalPersonInformation
alternativeMail: ckent@gmx.de
ldapsearch -xWD uid=ckent,ou=verkauf,dc=local,dc=site -b ou=verkauf,dc=local,dc=site -LLL
ldapsearch -xWD uid=ckent,ou=verkauf,dc=local,dc=site -b ou=verkauf,dc=local,dc=site -LLL uid=ckent
################################################################## Debian Squeeze
vi ~/.ldapvirc:
profile: config
base: cn=config
host: ldapi:///
sasl-mech: EXTERNAL

update-alternatives --config editor
Auswahl   Pfad                 Priorität  Status
------------------------------------------------------------
* 0       /bin/nano            40         Auto-Modus
  1       /bin/nano            40         manueller Modus
  2       /usr/bin/vim.basic   30         manueller Modus
  3       /usr/bin/vim.tiny    10         manueller Modus
Select 2
ldapvi --profile config
Convert:
slaptest -f /etc/ldap/slapd.conf -F ldapconfig
######################### Links: http://de.wikibooks.org
######################### Show a program's GUI from the server on your own screen: ssh -X user@IP /program, e.g. ssh -X kit@192.168.3.103 /usr/bin/xclock
E-book management: Calibre
