===== Installation and initial configuration =====
==== System adjustments ====
hosts file:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.0.2.150 ldap.laboratorio.com.br ldap
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
2001:db8:cafe::150 ldap.laboratorio.com.br ldap
Hostname:
# hostnamectl status | grep hostname
Static hostname: ldap.laboratorio.com.br
If you do not want to reboot after changing the hostname, apply it to the running kernel like this (on a systemd host hostnamectl set-hostname already takes effect immediately; the echo below only changes the kernel hostname for the current boot):
# echo ldap > /proc/sys/kernel/hostname
==== Installing the packages ====
# yum install openldap-servers openldap-clients
==== Information on the installed packages ====
openldap-servers
# rpm -qil openldap-servers
Name : openldap-servers
Version : 2.4.39
Release : 6.el7
Architecture: x86_64
Install Date: Qua 07 Out 2015 20:21:41 BRT
Group : System Environment/Daemons
Size : 4887528
License : OpenLDAP
Signature : RSA/SHA256, Sáb 14 Mar 2015 05:22:49 BRT, Key ID 24c6a8a7f4a80eb5
Source RPM : openldap-2.4.39-6.el7.src.rpm
Build Date : Sex 06 Mar 2015 01:36:42 BRT
Build Host : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem
Vendor : CentOS
URL : http://www.openldap.org/
Summary : LDAP server
Description :
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains the slapd server and related files.
/etc/openldap/check_password.conf
/etc/openldap/schema
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.ldif
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.ldif
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.ldif
/etc/openldap/schema/ppolicy.schema
/etc/openldap/slapd.conf
/etc/openldap/slapd.conf.bak
/etc/openldap/slapd.d
/etc/sysconfig/slapd
/usr/lib/systemd/system/slapd.service
/usr/lib/tmpfiles.d/slapd.conf
/usr/lib64/openldap/accesslog-2.4.so.2
/usr/lib64/openldap/accesslog-2.4.so.2.10.2
/usr/lib64/openldap/accesslog.la
/usr/lib64/openldap/auditlog-2.4.so.2
/usr/lib64/openldap/auditlog-2.4.so.2.10.2
/usr/lib64/openldap/auditlog.la
/usr/lib64/openldap/back_dnssrv-2.4.so.2
/usr/lib64/openldap/back_dnssrv-2.4.so.2.10.2
/usr/lib64/openldap/back_dnssrv.la
/usr/lib64/openldap/back_ldap-2.4.so.2
/usr/lib64/openldap/back_ldap-2.4.so.2.10.2
/usr/lib64/openldap/back_ldap.la
/usr/lib64/openldap/back_meta-2.4.so.2
/usr/lib64/openldap/back_meta-2.4.so.2.10.2
/usr/lib64/openldap/back_meta.la
/usr/lib64/openldap/back_null-2.4.so.2
/usr/lib64/openldap/back_null-2.4.so.2.10.2
/usr/lib64/openldap/back_null.la
/usr/lib64/openldap/back_passwd-2.4.so.2
/usr/lib64/openldap/back_passwd-2.4.so.2.10.2
/usr/lib64/openldap/back_passwd.la
/usr/lib64/openldap/back_perl-2.4.so.2
/usr/lib64/openldap/back_perl-2.4.so.2.10.2
/usr/lib64/openldap/back_perl.la
/usr/lib64/openldap/back_relay-2.4.so.2
/usr/lib64/openldap/back_relay-2.4.so.2.10.2
/usr/lib64/openldap/back_relay.la
/usr/lib64/openldap/back_shell-2.4.so.2
/usr/lib64/openldap/back_shell-2.4.so.2.10.2
/usr/lib64/openldap/back_shell.la
/usr/lib64/openldap/back_sock-2.4.so.2
/usr/lib64/openldap/back_sock-2.4.so.2.10.2
/usr/lib64/openldap/back_sock.la
/usr/lib64/openldap/check_password.so.1.1
/usr/lib64/openldap/collect-2.4.so.2
/usr/lib64/openldap/collect-2.4.so.2.10.2
/usr/lib64/openldap/collect.la
/usr/lib64/openldap/constraint-2.4.so.2
/usr/lib64/openldap/constraint-2.4.so.2.10.2
/usr/lib64/openldap/constraint.la
/usr/lib64/openldap/dds-2.4.so.2
/usr/lib64/openldap/dds-2.4.so.2.10.2
/usr/lib64/openldap/dds.la
/usr/lib64/openldap/deref-2.4.so.2
/usr/lib64/openldap/deref-2.4.so.2.10.2
/usr/lib64/openldap/deref.la
/usr/lib64/openldap/dyngroup-2.4.so.2
/usr/lib64/openldap/dyngroup-2.4.so.2.10.2
/usr/lib64/openldap/dyngroup.la
/usr/lib64/openldap/dynlist-2.4.so.2
/usr/lib64/openldap/dynlist-2.4.so.2.10.2
/usr/lib64/openldap/dynlist.la
/usr/lib64/openldap/memberof-2.4.so.2
/usr/lib64/openldap/memberof-2.4.so.2.10.2
/usr/lib64/openldap/memberof.la
/usr/lib64/openldap/pcache-2.4.so.2
/usr/lib64/openldap/pcache-2.4.so.2.10.2
/usr/lib64/openldap/pcache.la
/usr/lib64/openldap/ppolicy-2.4.so.2
/usr/lib64/openldap/ppolicy-2.4.so.2.10.2
/usr/lib64/openldap/ppolicy.la
/usr/lib64/openldap/refint-2.4.so.2
/usr/lib64/openldap/refint-2.4.so.2.10.2
/usr/lib64/openldap/refint.la
/usr/lib64/openldap/retcode-2.4.so.2
/usr/lib64/openldap/retcode-2.4.so.2.10.2
/usr/lib64/openldap/retcode.la
/usr/lib64/openldap/rwm-2.4.so.2
/usr/lib64/openldap/rwm-2.4.so.2.10.2
/usr/lib64/openldap/rwm.la
/usr/lib64/openldap/seqmod-2.4.so.2
/usr/lib64/openldap/seqmod-2.4.so.2.10.2
/usr/lib64/openldap/seqmod.la
/usr/lib64/openldap/smbk5pwd-2.4.so.2
/usr/lib64/openldap/smbk5pwd-2.4.so.2.10.2
/usr/lib64/openldap/smbk5pwd.la
/usr/lib64/openldap/sssvlv-2.4.so.2
/usr/lib64/openldap/sssvlv-2.4.so.2.10.2
/usr/lib64/openldap/sssvlv.la
/usr/lib64/openldap/syncprov-2.4.so.2
/usr/lib64/openldap/syncprov-2.4.so.2.10.2
/usr/lib64/openldap/syncprov.la
/usr/lib64/openldap/translucent-2.4.so.2
/usr/lib64/openldap/translucent-2.4.so.2.10.2
/usr/lib64/openldap/translucent.la
/usr/lib64/openldap/unique-2.4.so.2
/usr/lib64/openldap/unique-2.4.so.2.10.2
/usr/lib64/openldap/unique.la
/usr/lib64/openldap/valsort-2.4.so.2
/usr/lib64/openldap/valsort-2.4.so.2.10.2
/usr/lib64/openldap/valsort.la
/usr/libexec/openldap/check-config.sh
/usr/libexec/openldap/convert-config.sh
/usr/libexec/openldap/functions
/usr/libexec/openldap/generate-server-cert.sh
/usr/libexec/openldap/upgrade-db.sh
/usr/sbin/slapacl
/usr/sbin/slapadd
/usr/sbin/slapauth
/usr/sbin/slapcat
/usr/sbin/slapd
/usr/sbin/slapdn
/usr/sbin/slapindex
/usr/sbin/slappasswd
/usr/sbin/slapschema
/usr/sbin/slaptest
/usr/share/doc/openldap-servers-2.4.39
/usr/share/doc/openldap-servers-2.4.39/README.back_perl
/usr/share/doc/openldap-servers-2.4.39/README.check_pwd
/usr/share/doc/openldap-servers-2.4.39/README.schema
/usr/share/doc/openldap-servers-2.4.39/README.smbk5pwd
/usr/share/doc/openldap-servers-2.4.39/SampleLDAP.pm
/usr/share/doc/openldap-servers-2.4.39/allmail-en.png
/usr/share/doc/openldap-servers-2.4.39/allusersgroup-en.png
/usr/share/doc/openldap-servers-2.4.39/config_dit.png
/usr/share/doc/openldap-servers-2.4.39/config_local.png
/usr/share/doc/openldap-servers-2.4.39/config_ref.png
/usr/share/doc/openldap-servers-2.4.39/config_repl.png
/usr/share/doc/openldap-servers-2.4.39/delta-syncrepl.png
/usr/share/doc/openldap-servers-2.4.39/dual_dc.png
/usr/share/doc/openldap-servers-2.4.39/guide.html
/usr/share/doc/openldap-servers-2.4.39/intro_dctree.png
/usr/share/doc/openldap-servers-2.4.39/intro_tree.png
/usr/share/doc/openldap-servers-2.4.39/ldap-sync-refreshandpersist.png
/usr/share/doc/openldap-servers-2.4.39/ldap-sync-refreshonly.png
/usr/share/doc/openldap-servers-2.4.39/n-way-multi-master.png
/usr/share/doc/openldap-servers-2.4.39/push-based-complete.png
/usr/share/doc/openldap-servers-2.4.39/push-based-standalone.png
/usr/share/doc/openldap-servers-2.4.39/refint.png
/usr/share/doc/openldap-servers-2.4.39/set-following-references.png
/usr/share/doc/openldap-servers-2.4.39/set-memberUid.png
/usr/share/doc/openldap-servers-2.4.39/set-recursivegroup.png
/usr/share/man/man5/slapd-bdb.5.gz
/usr/share/man/man5/slapd-config.5.gz
/usr/share/man/man5/slapd-dnssrv.5.gz
/usr/share/man/man5/slapd-hdb.5.gz
/usr/share/man/man5/slapd-ldap.5.gz
/usr/share/man/man5/slapd-ldbm.5.gz
/usr/share/man/man5/slapd-ldif.5.gz
/usr/share/man/man5/slapd-mdb.5.gz
/usr/share/man/man5/slapd-meta.5.gz
/usr/share/man/man5/slapd-monitor.5.gz
/usr/share/man/man5/slapd-ndb.5.gz
/usr/share/man/man5/slapd-null.5.gz
/usr/share/man/man5/slapd-passwd.5.gz
/usr/share/man/man5/slapd-perl.5.gz
/usr/share/man/man5/slapd-relay.5.gz
/usr/share/man/man5/slapd-shell.5.gz
/usr/share/man/man5/slapd-sock.5.gz
/usr/share/man/man5/slapd-sql.5.gz
/usr/share/man/man5/slapd.access.5.gz
/usr/share/man/man5/slapd.backends.5.gz
/usr/share/man/man5/slapd.conf.5.gz
/usr/share/man/man5/slapd.overlays.5.gz
/usr/share/man/man5/slapd.plugin.5.gz
/usr/share/man/man5/slapo-accesslog.5.gz
/usr/share/man/man5/slapo-auditlog.5.gz
/usr/share/man/man5/slapo-chain.5.gz
/usr/share/man/man5/slapo-collect.5.gz
/usr/share/man/man5/slapo-constraint.5.gz
/usr/share/man/man5/slapo-dds.5.gz
/usr/share/man/man5/slapo-dyngroup.5.gz
/usr/share/man/man5/slapo-dynlist.5.gz
/usr/share/man/man5/slapo-memberof.5.gz
/usr/share/man/man5/slapo-pbind.5.gz
/usr/share/man/man5/slapo-pcache.5.gz
/usr/share/man/man5/slapo-ppolicy.5.gz
/usr/share/man/man5/slapo-refint.5.gz
/usr/share/man/man5/slapo-retcode.5.gz
/usr/share/man/man5/slapo-rwm.5.gz
/usr/share/man/man5/slapo-sock.5.gz
/usr/share/man/man5/slapo-sssvlv.5.gz
/usr/share/man/man5/slapo-syncprov.5.gz
/usr/share/man/man5/slapo-translucent.5.gz
/usr/share/man/man5/slapo-unique.5.gz
/usr/share/man/man5/slapo-valsort.5.gz
/usr/share/man/man8/slapacl.8.gz
/usr/share/man/man8/slapadd.8.gz
/usr/share/man/man8/slapauth.8.gz
/usr/share/man/man8/slapcat.8.gz
/usr/share/man/man8/slapd.8.gz
/usr/share/man/man8/slapdn.8.gz
/usr/share/man/man8/slapindex.8.gz
/usr/share/man/man8/slappasswd.8.gz
/usr/share/man/man8/slapschema.8.gz
/usr/share/man/man8/slaptest.8.gz
/usr/share/openldap-servers
/usr/share/openldap-servers/DB_CONFIG.example
/usr/share/openldap-servers/slapd.ldif
/var/lib/ldap
/var/run/openldap
openldap-clients
# rpm -qil openldap-clients
Name : openldap-clients
Version : 2.4.39
Release : 6.el7
Architecture: x86_64
Install Date: Qua 07 Out 2015 20:21:43 BRT
Group : Applications/Internet
Size : 588433
License : OpenLDAP
Signature : RSA/SHA256, Sáb 14 Mar 2015 05:22:43 BRT, Key ID 24c6a8a7f4a80eb5
Source RPM : openldap-2.4.39-6.el7.src.rpm
Build Date : Sex 06 Mar 2015 01:36:42 BRT
Build Host : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem
Vendor : CentOS
URL : http://www.openldap.org/
Summary : LDAP client utilities
Description :
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap-clients package contains the client
programs needed for accessing and modifying OpenLDAP directories.
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/share/man/man1/ldapadd.1.gz
/usr/share/man/man1/ldapcompare.1.gz
/usr/share/man/man1/ldapdelete.1.gz
/usr/share/man/man1/ldapexop.1.gz
/usr/share/man/man1/ldapmodify.1.gz
/usr/share/man/man1/ldapmodrdn.1.gz
/usr/share/man/man1/ldappasswd.1.gz
/usr/share/man/man1/ldapsearch.1.gz
/usr/share/man/man1/ldapurl.1.gz
/usr/share/man/man1/ldapwhoami.1.gz
==== Service status ====
# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
# systemctl list-unit-files --type=service | grep -e slapd.service
slapd.service enabled
# systemctl is-enabled slapd.service
enabled
==== Basic configuration ====
Before starting the configuration, back up the original files:
# cp -ap /etc/openldap/slapd.d{,.org}
# ls -la /etc/openldap/
total 28
drwxr-xr-x. 7 root root 4096 Out 8 09:38 .
drwxr-xr-x. 77 root root 8192 Out 8 09:06 ..
drwxr-xr-x. 2 root root 85 Out 7 20:21 certs
-rw-r--r--. 1 root root 121 Mar 6 2015 check_password.conf
-rw-r--r--. 1 root root 363 Mar 6 2015 ldap.conf
drwxr-xr-x. 2 root root 4096 Out 7 20:21 schema
drwx------. 3 ldap ldap 43 Out 7 20:21 slapd.d
drwx------. 3 ldap ldap 43 Out 7 20:21 slapd.d.org
Comparing the two directories (no output means they are identical):
# diff -r /etc/openldap/slapd.d /etc/openldap/slapd.d.org
Adjusting the client configuration. The default /etc/openldap/ldap.conf as shipped:
# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
After setting BASE and URI for the lab domain:
# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=laboratorio,dc=com,dc=br
URI ldap://ldap.laboratorio.com.br
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
Preparing the backend:
# cp -ap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Fixing ownership and the SELinux context (chcon does not survive a filesystem relabel; restorecon -Rv /var/lib/ldap applies the policy's default slapd_db_t context persistently):
# chown -R ldap:ldap /var/lib/ldap
# chcon -t slapd_db_t /var/lib/ldap/DB_CONFIG
==== Starting slapd ====
# systemctl start slapd.service
Checking the slapd process:
# ps -ef | grep slapd
ldap 2326 1 0 08:59 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root 12024 2474 0 09:49 pts/0 00:00:00 grep --color=auto slapd
Checking the slapd listening port:
# ss -nat | grep 389
LISTEN 0 128 *:389 *:*
LISTEN 0 128 :::389 :::*
==== Setting a password for the cn=config root user ====
Generating the password hash (note that -s puts the cleartext on the command line, where it lands in the shell history and is visible in the process list; running slappasswd without -s prompts for it instead, as done further down):
# slappasswd -s senha123
{SSHA}V2PXUyj03NBO2435hzeM2R6d29UEicVr
LDIF with the change:
# mkdir /etc/openldap/ldif
# cd /etc/openldap/ldif/
# cat root.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}V2PXUyj03NBO2435hzeM2R6d29UEicVr
Applying it (the sed turns any line containing only a single space into a true blank line, which LDIF requires as the separator between entries):
# sed -i 's/^ $//g' root.ldif
# ldapmodify -H ldapi:/// -Y EXTERNAL -f root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
==== Viewing the configuration ====
The searches below do a simple bind as cn=config with the password on the command line, over the ldap:// URI from ldap.conf. For a lab on a single host that is acceptable; ldapi:/// with -Y EXTERNAL (as used above) avoids sending the cn=config password at all.
# ldapsearch -w senha123 -x -D cn=config -b cn=config "(objectclass=olcGlobal)" -LLL
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
* /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={0}config,cn=config -LLL
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" manage by * none
olcRootPW: {SSHA}V2PXUyj03NBO2435hzeM2R6d29UEicVr
* /etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={-1}frontend,cn=config -LLL
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
* /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={1}monitor,cn=config -LLL
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
* /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
For an overall view use this command:
# ldapsearch -w senha123 -x -D cn=config -b cn=config -LLL
==== Changing the database ====
Entries to modify:
* olcDatabase={1}monitor,cn=config
* olcDatabase={2}hdb,cn=config
# cat base.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=laboratorio,dc=com,dc=br
-
replace: olcRootDN
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
# sed -i 's/^ $//g' base.ldif
# ldapmodify -x -D cn=config -w senha123 -f base.ldif
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Password for the admin (the rootdn of the hdb database):
# slappasswd -s senha123
{SSHA}ETWZJQ5rwppUgj8ZezgCjmlvls923bqY
# cat admin.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}ETWZJQ5rwppUgj8ZezgCjmlvls923bqY
# sed -i 's/^ $//g' admin.ldif
# ldapmodify -x -D cn=config -w senha123 -f admin.ldif
modifying entry "olcDatabase={2}hdb,cn=config"
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={1}monitor,cn=config -LLL
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * no
ne
# ldapsearch -w senha123 -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=laboratorio,dc=com,dc=br
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
olcRootPW: {SSHA}ETWZJQ5rwppUgj8ZezgCjmlvls923bqY
==== Schemas ====
Existing schemas:
# ldapsearch -x -D cn=config -w senha123 -b cn=schema,cn=config -LLL dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
For the directory tree we need three more schemas:
* /etc/openldap/schema/cosine.ldif
* /etc/openldap/schema/inetorgperson.ldif
* /etc/openldap/schema/nis.ldif
# ldapadd -x -D cn=config -w senha123 -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -x -D cn=config -w senha123 -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -x -D cn=config -w senha123 -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
# ldapsearch -x -D cn=config -w senha123 -b cn=schema,cn=config -LLL dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: cn={3}nis,cn=schema,cn=config
==== Building the tree ====
Password for the LDAP administrator entry, this time prompted for interactively. It is stored in the cn=admin entry's userPassword; binds as the rootdn are checked against the olcRootPW set above, so the entry's own password is only consulted when olcRootPW is unset.
# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}p8tlsGNq6Wv/BSpybPQN2n/7XHY6tNAN
# cat arvore.ldif
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio

dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}p8tlsGNq6Wv/BSpybPQN2n/7XHY6tNAN

dn: o=matriz,dc=laboratorio,dc=com,dc=br
o: matriz
objectClass: organization
objectClass: top

dn: o=filial,dc=laboratorio,dc=com,dc=br
o: filial
objectClass: organization
objectClass: top

dn: ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top

dn: ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br
ou: Grupos
objectClass: organizationalUnit
objectClass: top

dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top

dn: ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
# sed -i 's/^ $//g' arvore.ldif
# ldapadd -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f arvore.ldif
adding new entry "dc=laboratorio,dc=com,dc=br"
adding new entry "cn=admin,dc=laboratorio,dc=com,dc=br"
adding new entry "o=matriz,dc=laboratorio,dc=com,dc=br"
adding new entry "o=filial,dc=laboratorio,dc=com,dc=br"
adding new entry "ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br"
adding new entry "ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br"
adding new entry "ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br"
adding new entry "ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br"
==== Viewing the tree ====
This search binds anonymously (no -D/-w) and still returns the admin's userPassword hash: the hdb database has no olcAccess, so slapd's built-in default of "to * by * read" applies. Restrict userPassword (at least "by self write by anonymous auth by * none") before real users are added. The ou=Grupos entries also carry an extra value ou: Usuarios, copied from the lab's original LDIF; slapd added ou: Grupos itself from the RDN.
# ldapsearch -x -b dc=laboratorio,dc=com,dc=br -LLL
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio
dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9cDh0bHNHTnE2V3YvQlNweWJQUU4ybi83WEhZNnROQU4=
dn: o=matriz,dc=laboratorio,dc=com,dc=br
o: matriz
objectClass: organization
objectClass: top
dn: o=filial,dc=laboratorio,dc=com,dc=br
o: filial
objectClass: organization
objectClass: top
dn: ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
ou: Grupos
objectClass: organizationalUnit
objectClass: top
dn: ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
ou: Grupos
objectClass: organizationalUnit
objectClass: top
dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
dn: ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
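To make the exposure visible rather than just eyeballed, the following added example (not from the original page) parses LDIF the way ldapsearch emits it (folded continuation lines, '::' for base64 values), lists every entry whose userPassword came back on an anonymous search, and builds the remediation LDIF for the hdb database. SAMPLE_LDIF is a constructed excerpt of the anonymous search output above; the suggested olcAccess values and the function names are the editor's, not configuration from the page.

```python
"""Audit an anonymous ldapsearch dump for exposed password hashes.

Added example, not part of the original page. Parses LDIF as slapd prints it
(RFC 2849 folding, '::' base64 values), reports entries leaking userPassword
and emits an ACL LDIF that closes the gap while keeping other attributes readable.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample: excerpt of the page's anonymous search output. ldapsearch
# always base64-encodes userPassword (Octet String syntax), hence the '::'.
SAMPLE_LDIF = """\
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio

dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9cDh0bHNHTnE2V3YvQlNweWJQUU4ybi83WEhZNnROQU4=

dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Parse LDIF content records into (dn, {attr: [values]}) pairs."""
    # Unfold: a line starting with one space continues the previous logical line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Tuple[str, Entry]] = []
    current: Entry = {}
    dn = None
    for line in logical + [""]:  # sentinel blank line flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, current))
            dn, current = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def exposed_passwords(text: str) -> List[Tuple[str, str]]:
    """Return (dn, userPassword) for each entry in the dump that reveals the attribute.

    Fed with the result of an anonymous bind, a non-empty list means the ACL
    lets anyone read password hashes.
    """
    leaks: List[Tuple[str, str]] = []
    for dn, attrs in parse_ldif(text):
        for key, values in attrs.items():
            if key.lower() == "userpassword":
                leaks.extend((dn, v) for v in values)
    return leaks


def userpassword_acl_ldif(db_dn: str = "olcDatabase={2}hdb,cn=config") -> str:
    """LDIF adding a userPassword ACL to the given database (editor's suggestion).

    {0}: the owner may change it, anyone may use it to authenticate, nobody reads it.
    {1}: everything else stays world-readable, as the page's default behaviour was;
         without it, adding any olcAccess would make unmatched entries unreadable.
    """
    return (
        f"dn: {db_dn}\n"
        "changetype: modify\n"
        "add: olcAccess\n"
        "olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none\n"
        "olcAccess: {1}to * by * read\n"
    )


if __name__ == "__main__":
    for dn, value in exposed_passwords(SAMPLE_LDIF):
        print(f"EXPOSED {dn}: {value}")
    print(userpassword_acl_ldif(), end="")
```

Feed it a real dump with ldapsearch -x -b dc=laboratorio,dc=com,dc=br -LLL > dump.ldif and pass the file contents to exposed_passwords; apply the generated LDIF with ldapmodify -Y EXTERNAL -H ldapi:/// and re-run the anonymous search, which should then return the admin entry without userPassword.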
Dumping the database directly with slapcat (it reads the backend files rather than going through the protocol, and also shows operational attributes such as entryUUID and entryCSN):
# slapcat
56168de4 The first database does not allow slapcat; using the first available one (2)
dn: dc=laboratorio,dc=com,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o: laboratorio.com.br
dc: laboratorio
structuralObjectClass: organization
entryUUID: 925672fa-021d-1035-9a38-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.311086Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: cn=admin,dc=laboratorio,dc=com,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9cDh0bHNHTnE2V3YvQlNweWJQUU4ybi83WEhZNnROQU4=
structuralObjectClass: organizationalRole
entryUUID: 92613730-021d-1035-9a39-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.381650Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: o=matriz,dc=laboratorio,dc=com,dc=br
o: matriz
objectClass: organization
objectClass: top
structuralObjectClass: organization
entryUUID: 9263a754-021d-1035-9a3a-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.397627Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: o=filial,dc=laboratorio,dc=com,dc=br
o: filial
objectClass: organization
objectClass: top
structuralObjectClass: organization
entryUUID: 92645da2-021d-1035-9a3b-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.402297Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: ou=Grupos,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
ou: Grupos
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
entryUUID: 9264f2a8-021d-1035-9a3c-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.406111Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: ou=Grupos,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
ou: Grupos
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
entryUUID: 92675264-021d-1035-9a3d-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.421666Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: ou=Usuarios,o=matriz,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
entryUUID: 9267fc96-021d-1035-9a3e-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.426024Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z
dn: ou=Usuarios,o=filial,dc=laboratorio,dc=com,dc=br
ou: Usuarios
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
entryUUID: 9268b58c-021d-1035-9a3f-13f3c3b06d98
creatorsName: cn=admin,dc=laboratorio,dc=com,dc=br
createTimestamp: 20151008153247Z
entryCSN: 20151008153247.430761Z#000000#000#000000
modifiersName: cn=admin,dc=laboratorio,dc=com,dc=br
modifyTimestamp: 20151008153247Z