OpenLDAP


Password Policy

To set up the password policy module:

  • load the ppolicy module
  • load the ppolicy schema
  • define the default policy in the database
  • create the default policy at the DN defined in step 3
  • optionally create further policies
  • optionally assign different policies to different users
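The steps above, rendered as the LDIF you would feed to ldapmodify/ldapadd, as an added example that is not part of the original page. It also implements the RFC 2849 line folding used by the longer entries later on this page (a continuation line starts with one space, so a value such as retry="30 5 300 3" can legitimately fold onto a line beginning with two spaces). Assumptions: the data database is olcDatabase={1}mdb with suffix dc=local, policies live under ou=policies, and every pwd* value is a constructed sample; step 2 (the schema) is loaded separately.

```python
# Added example, not from the original page: renders the password-policy steps
# above as LDIF, with RFC 2849 line folding (the leading-space continuation lines
# seen in the later blocks). Assumptions: database olcDatabase={1}mdb, suffix
# dc=local, policies under ou=policies; the pwd* values are constructed samples.
LINE_MAX = 76  # fold lines longer than this; a continuation line starts with one space

def fold(line: str, width: int = LINE_MAX) -> list[str]:
    """Split one 'attr: value' line into RFC 2849 continuation lines."""
    out, rest = [line[:width]], line[width:]
    while rest:  # the added space is the fold marker, not part of the value
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out

def unfold(lines: list[str]) -> list[str]:
    """Reverse fold(): strip exactly one leading space and join to the previous line."""
    out: list[str] = []
    for ln in lines:
        if ln.startswith(" ") and out:
            out[-1] += ln[1:]  # a second space (e.g. retry="30 5 300 3") is data
        else:
            out.append(ln)
    return out

def to_ldif(entries: list[list[tuple[str, str]]]) -> str:
    """Serialise entries (lists of (attribute, value) pairs) as folded LDIF text."""
    blocks = ["\n".join(l for a, v in e for l in fold(f"{a}: {v}")) for e in entries]
    return "\n\n".join(blocks) + "\n"  # a blank line separates LDIF entries

def ppolicy_entries(db: str = "olcDatabase={1}mdb", suffix: str = "dc=local"):
    """Steps 1, 3 and 4 of the list (step 2, the schema load, is done separately)."""
    policy_dn = f"cn=default,ou=policies,{suffix}"
    return [
        [("dn", "cn=module{0},cn=config"), ("changetype", "modify"),
         ("add", "olcModuleLoad"), ("olcModuleLoad", "ppolicy.la")],
        [("dn", f"olcOverlay=ppolicy,{db},cn=config"), ("objectClass", "olcOverlayConfig"),
         ("objectClass", "olcPPolicyConfig"), ("olcOverlay", "ppolicy"),
         ("olcPPolicyDefault", policy_dn), ("olcPPolicyHashCleartext", "TRUE"),
         ("olcPPolicyUseLockout", "TRUE")],  # hash cleartext passwords; honour lockout
        [("dn", f"ou=policies,{suffix}"), ("objectClass", "organizationalUnit"),
         ("ou", "policies")],
        [("dn", policy_dn), ("objectClass", "organizationalRole"), ("objectClass", "pwdPolicy"),
         ("cn", "default"), ("pwdAttribute", "userPassword"), ("pwdMinLength", "12"),
         ("pwdInHistory", "5"), ("pwdMaxAge", "7776000"), ("pwdCheckQuality", "2"),
         ("pwdMaxFailure", "5"), ("pwdLockout", "TRUE"), ("pwdLockoutDuration", "900"),
         ("pwdFailureCountInterval", "900"), ("pwdMustChange", "TRUE")],
    ]

if __name__ == "__main__":
    print(to_ldif(ppolicy_entries()), end="")
```

Apply the output in order (ldapmodify for the module change, ldapadd for the rest); the overlay entry must come after the module is loaded, and the policy entry after its ou container exists.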


Monitoring

  • load the back_monitor module

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor.la

  • create the database

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor

  • add an ACL (the {4} index depends on the database order on your server; check it with a search on cn=config)

dn: olcDatabase={4}monitor,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth" manage by users read by * none

  • query

ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=Monitor

Replication

mirror

slave

Load the syncprov module:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Define the database:

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/dc=local
olcSuffix: dc=local
olcRootDN: cn=Manager,dc=local
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryUUID eq
olcDbMaxSize: 1024000000000
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * read
olcRootPW:: xxxxxxxxxxxxxxxxxxxxxxxx
olcSyncrepl: rid=001 provider=ldap://ldap-server-00-01:389/ bindmethod=simpl
 e binddn="cn=replicator,dc=dominio1,dc=it" credentials=xxxxxxxxxxxx searchb
 ase="dc=local" scope=sub schemachecking=on type=refreshAndPersist retry="30
  5 300 3" interval=00:00:05:00
olcSyncrepl: rid=002 provider=ldap://ldap-server-00-02:389/ bindmethod=simpl
 e binddn="cn=replicator,dc=dominio1,dc=it" credentials=xxxxxxxxxxxx searchb
 ase="dc=local" scope=sub schemachecking=on type=refreshAndPersist retry="30
  5 300 3" interval=00:00:05:00

Relay

The relay backend lets you create a "view" database onto another subtree:


dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: back_relay
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

dn: olcDatabase=relay,cn=config
objectClass: olcDatabaseConfig
objectClass: olcRelayConfig
olcDatabase: relay
olcSuffix: dc=it
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=it
olcRootPW:: xxxxxxxxxxxxxxxxxxxxxxxxxxx
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRelay: dc=IT,dc=local

dn: olcOverlay=rwm,olcDatabase={3}relay,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-suffixmassage "dc=IT" "dc=IT,dc=local"
olcRwmTFSupport: false
olcRwmNormalizeMapped: FALSE

Links

http://www.openldap.org

http://www.bind9.net/ldap/

http://www.firenze.linux.it/~piccardi/ldap/

http://www.kobold.it/ldap/

http://linuxwiki.riverworth.com/index.php/LDAP_Authentication