OpenLDAP: difference between revisions
No edit summary
(17 intermediate revisions by the same user not shown)
=Password Policy=

To implement the password policy module:

* load the ppolicy module
* load the ppolicy schema
* define the DN of the default policy in the database configuration
* create the default policy at the DN defined in step 3
* optionally create other policies
* optionally assign different policies to different users
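The six steps above as one LDIF applied with ldapmodify over ldapi:///, added here as an example and not taken from the original page. The database index {1}mdb, the existing container ou=policies,dc=local, the user DN uid=alice,ou=people,dc=local and the schema file path are assumptions.

```ldif
# Step 1: load the ppolicy module into the existing module list
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Step 2 (OpenLDAP 2.4 only; the schema is built in from 2.5): load it beforehand with
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif  (path assumed)

# Step 3: overlay on the data database ({1}mdb assumed) naming the default policy;
# HashCleartext makes slapd hash passwords sent in cleartext instead of storing them as-is
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=local
olcPPolicyHashCleartext: TRUE

# Step 4: the default policy at the DN from step 3 (pwdPolicy is auxiliary,
# so a structural class such as applicationProcess is required; ou=policies is assumed to exist)
dn: cn=default,ou=policies,dc=local
changetype: add
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900

# Step 5: a stricter policy for privileged accounts
dn: cn=admins,ou=policies,dc=local
changetype: add
objectClass: applicationProcess
objectClass: pwdPolicy
cn: admins
pwdAttribute: userPassword
pwdMinLength: 20
pwdLockout: TRUE
pwdMaxFailure: 3

# Step 6: assign the stricter policy to one user (user DN is an assumption)
dn: uid=alice,ou=people,dc=local
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=admins,ou=policies,dc=local
```

With pwdCheckQuality set to 2, a password whose quality cannot be checked (for example one that arrives already hashed) is rejected, so clients must send it in cleartext over a protected transport or use the Password Modify extended operation.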
=Monitoring=

* load the back_monitor module

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor.la

* create the database

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor

* add the ACL (the index {4} is the one slapd assigned to the monitor database; check it with a search of cn=config before applying)

dn: olcDatabase={4}monitor,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * none

* query

ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=Monitor
=Replica=

==mirror==

==slave==

Load the syncprov module:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Define the database:

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/dc=local
olcSuffix: dc=local
olcRootDN: cn=Manager,dc=local
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryUUID eq
olcDbMaxSize: 1024000000000
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read
olcRootPW:: xxxxxxxxxxxxxxxxxxxxxxxx
olcSyncrepl: rid=001 provider=ldap://ldap-server-00-01:389/ bindmethod=simple binddn="cn=replicator,dc=dominio1,dc=it" credentials=xxxxxxxxxxxx searchbase="dc=local" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
olcSyncrepl: rid=002 provider=ldap://ldap-server-00-02:389/ bindmethod=simple binddn="cn=replicator,dc=dominio1,dc=it" credentials=xxxxxxxxxxxx searchbase="dc=local" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
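The provider-side counterpart to the consumer configuration above, added here as an example that is not from the original page: it loads syncprov, creates the account the consumers bind as, restricts userPassword while still letting the replicator read it, lifts the replicator's search limits and attaches the syncprov overlay. The database index {1}mdb, the module entry cn=module{0}, the entryCSN index not yet existing, and the account DN cn=replicator,dc=local (the page's consumer binds as cn=replicator,dc=dominio1,dc=it; adjust to match) are assumptions.

```ldif
# Load syncprov on the provider (this page's consumer loads it via cn=module,cn=config)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

# The bind account the consumers use; placed under dc=local here (assumption).
# Generate the hash with slappasswd; the value below is a placeholder.
dn: cn=replicator,dc=local
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: replicator
description: syncrepl consumer bind account
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd

# Restrict userPassword to the replicator (which must read it to replicate it), the
# ldapi root identity from this page, the owner and authentication; the page's
# "to * ... by * read" rule stays at the next index for all other attributes.
# Lift the size/time limits the replicator would otherwise hit on a full refresh,
# and index entryCSN as slapo-syncprov recommends (entryUUID is already indexed above).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=replicator,dc=local" read by self write by anonymous auth by * none
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=local" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcDbIndex
olcDbIndex: entryCSN eq

# The syncprov overlay: checkpoint the contextCSN every 100 writes or 10 minutes and
# keep a 100-operation session log so a consumer that was briefly offline can catch up
# incrementally instead of doing a full refresh
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
```

After applying it, compare the contextCSN of the suffix entry on the provider and on each consumer; matching values mean the consumers are in sync.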
=Relay=

The relay module lets you create a database that is a "view" of another subtree:

dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
olcmoduleload: back_relay
olcmodulepath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

dn: olcDatabase=relay,cn=config
objectClass: olcDatabaseConfig
objectClass: olcRelayConfig
olcDatabase: relay
olcSuffix: dc=it
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=it
olcRootPW:: xxxxxxxxxxxxxxxxxxxxxxxxxxx
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRelay: dc=IT,dc=local

dn: olcOverlay=rwm,olcDatabase={3}relay,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-suffixmassage "dc=IT" "dc=IT,dc=local"
olcRwmTFSupport: false
olcRwmNormalizeMapped: FALSE
=Link=

http://www.openldap.org
Current revision as of 16:46, 11 December 2017
=Link=
http://www.firenze.linux.it/~piccardi/ldap/
http://linuxwiki.riverworth.com/index.php/LDAP_Authentication