LDAP Matriz 01

Cenário:

Pacotes necessários:

[root@ldapmatriz01 ~]# yum install openldap-servers openldap-clients sssd

Cópia dos arquivos originais:

[root@ldapmatriz01 ~]# cp -vap /etc/openldap/slapd.d{,.dist}

Copiando o DB_CONFIG de exemplo criado na instalação para /var/lib/ldap (o diretório do backend, olcDbDirectory):

[root@ldapmatriz01 ~]# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Iniciando e ativando o slapd:

[root@ldapmatriz01 ~]# systemctl start slapd.service
[root@ldapmatriz01 ~]# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

Adicionar uma senha de root ao banco cn=config e substituir o olcAccess, de modo que o acesso passe a exigir autenticação por senha. Observe que a nova ACL (to * by cn=Manager manage by * none) não contém a regra de peercred presente na ACL do {1}monitor; por isso o bind -Y EXTERNAL via ldapi:///, usado para aplicar este LDIF, deixa de ter acesso ao cn=config depois desta modificação, e os comandos seguintes passam a usar -x -D cn=config -W.

[root@ldapmatriz01 ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
[root@ldapmatriz01 ~]# mkdir ldifs
[root@ldapmatriz01 ~]# cd ldifs/
[root@ldapmatriz01 ldifs]# cat manager.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
-
replace: olcAccess
olcAccess: {0}to *
       by dn.base="cn=Manager,dc=example,dc=com" manage
       by * none
[root@ldapmatriz01 ldifs]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f manager.ldif 
modifying entry "olcDatabase={0}config,cn=config"
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={0}config,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
olcAccess: {0}to *      by dn.base="cn=Manager,dc=example,dc=com" manage      
 by * none

olcDatabase={1}monitor: modificando a ACL apenas para trocar o DN do Manager de dc=my-domain,dc=com para dc=example,dc=com (a regra de peercred é mantida).

[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={1}monitor,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
[root@ldapmatriz01 ldifs]# cat monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
       by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.base="cn=Manager,dc=example,dc=com" read
       by * none
[root@ldapmatriz01 ldifs]# ldapmodify -H ldapi:/// -x -D "cn=config" -W -f monitor.ldif 
Enter LDAP Password: 
modifying entry "olcDatabase={1}monitor,cn=config"
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={1}monitor,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to *      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" read      by dn.base="cn=Manager,dc=example,dc=com" read      
 by * none

olcDatabase={2}hdb: alterar o sufixo e o olcRootDN e adicionar uma senha de root. O hash usado aqui é o mesmo aplicado ao cn=config em manager.ldif, ou seja, uma única senha dá acesso administrativo tanto à configuração quanto ao diretório; considere usar senhas distintas.

[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
[root@ldapmatriz01 ldifs]# cat hdb.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
add: olcRootPW
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
[root@ldapmatriz01 ldifs]# ldapmodify -H ldapi:/// -x -D "cn=config" -W -f hdb.ldif 
Enter LDAP Password: 
modifying entry "olcDatabase={2}hdb,cn=config"
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP

Configurar a indexação no olcDatabase={2}hdb:

OBS: antes precisamos adicionar novos schemas (cosine, inetorgperson e nis), pois atributos listados em indices.ldif, como memberUid e gidNumber, são definidos por eles e o slapd rejeita índices sobre atributos desconhecidos.

[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b cn=schema,cn=config -LLL dn
Enter LDAP Password: 
dn: cn=schema,cn=config
 
dn: cn={0}core,cn=schema,cn=config
[root@ldapmatriz01 ldifs]# ldapadd -H ldapi:/// -x -D "cn=config" -W -f /etc/openldap/schema/cosine.ldif
[root@ldapmatriz01 ldifs]# ldapadd -H ldapi:/// -x -D "cn=config" -W -f /etc/openldap/schema/inetorgperson.ldif
[root@ldapmatriz01 ldifs]# ldapadd -H ldapi:/// -x -D "cn=config" -W -f /etc/openldap/schema/nis.ldif
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b cn=schema,cn=config -LLL dn
Enter LDAP Password: 
dn: cn=schema,cn=config
 
dn: cn={0}core,cn=schema,cn=config
 
dn: cn={1}cosine,cn=schema,cn=config
 
dn: cn={2}inetorgperson,cn=schema,cn=config
 
dn: cn={3}nis,cn=schema,cn=config
[root@ldapmatriz01 ldifs]# cat indices.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
[root@ldapmatriz01 ldifs]# ldapmodify -H ldapi:/// -x -D "cn=config" -W -f indices.ldif 
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq

Modificar a configuração para que os usuários possam alterar suas próprias senhas, mas não possam visualizar as senhas de outros usuários. Na ACL abaixo, `by self =xw` concede ao próprio usuário apenas os privilégios auth (x) e write (w) sobre userPassword — sem read, nem mesmo do próprio hash — e `by anonymous auth` permite o bind; os demais atributos ({1}to *) ficam legíveis para qualquer usuário autenticado (`by users read`):

[root@ldapmatriz01 ldifs]# cat hdb_passwd.ldif 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
       by dn.exact="cn=Manager,dc=example,dc=com" write
       by self =xw
       by anonymous auth
       by * none
olcAccess: {1}to *
       by dn.exact="cn=Manager,dc=example,dc=com" write
       by self read
       by users read
       by * none
[root@ldapmatriz01 ldifs]# ldapmodify -H ldapi:/// -x -D "cn=config" -W -f hdb_passwd.ldif 
[root@ldapmatriz01 ldifs]# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config -LLL
Enter LDAP Password: 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
olcAccess: {0}to attrs=userPassword,shadowLastChange      by dn.exact="cn=Mana
 ger,dc=example,dc=com" write      by self =xw      by anonymous auth      by 
 * none
olcAccess: {1}to *      by dn.exact="cn=Manager,dc=example,dc=com" write      
 by self read      by users read      by * none

Criando uma estrutura básica. Os comandos abaixo fazem bind simples (-x -W) como cn=Manager por ldap://ldapmatriz01.example.com, e não por ldapi:///; a menos que TLS tenha sido configurado (o que não aparece neste roteiro), a senha do Manager trafega em texto claro pela rede.

[root@ldapmatriz01 ldifs]# cat base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
 
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
 
dn: ou=Grupos,dc=example,dc=com
ou: Grupos
objectClass: top
objectClass: organizationalUnit
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -W -D cn=Manager,dc=example,dc=com -f base.ldif
[root@ldapmatriz01 ldifs]# ldapsearch -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W  -b dc=example,dc=com -LLL
Enter LDAP Password: 
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
 
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
 
dn: ou=Grupos,dc=example,dc=com
ou: Grupos
objectClass: top
objectClass: organizationalUnit