`dpkg-reconfigure slapd` can reconfigure the LDAP database:
falcot.com”.
`dpkg-reconfigure slapd` immediately after the first installation.
```
$ ldapsearch -x -b dc=falcot,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=falcot,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# falcot.com
dn: dc=falcot,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Falcot Corp
dc: falcot

# admin, falcot.com
dn: cn=admin,dc=falcot,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
`/etc/passwd`, `/etc/group`, `/etc/services`, `/etc/hosts` and so on), convert this data and insert it into the LDAP database.
`/etc/migrationtools/migrate_common.ph` must be edited; the `IGNORE_UID_BELOW` and `IGNORE_GID_BELOW` options need to be enabled (uncommenting them is enough), and `DEFAULT_MAIL_DOMAIN`/`DEFAULT_BASE` need to be updated.
`migrate_all_online.sh` as follows:
```
# cd /usr/share/migrationtools
# LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh
```
`migrate_all_online.sh` asks a few questions about the LDAP database into which the data is to be migrated. Table 11.1 summarizes the answers given in the Falcot use case.
Table 11.1. Answers to questions asked by the migrate_all_online.sh script
Question | Answer |
---|---|
X.500 naming context | dc=falcot,dc=com |
LDAP server hostname | localhost |
Manager DN | cn=admin,dc=falcot,dc=com |
Bind credentials | the administrative password |
Create DUAConfigProfile | no |
`/etc/aliases`, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should this data be integrated into the directory, the `/etc/ldap/schema/misc.schema` file would need to be added to the standard schema.
`-c` with the `ldapadd` command: this option requests that processing not stop in case of errors. Using this option is required because converting the `/etc/services` database often generates a few errors that can safely be ignored.
Table 11.2. Configuring the libnss-ldap package
Question | Answer |
---|---|
LDAP server Uniform Resource Identifier | ldap://ldap.falcot.com |
Distinguished name of the search base | dc=falcot,dc=com |
LDAP version to use | 3 |
Does the LDAP database require login? | no |
Special LDAP privileges for root | yes |
Make the configuration file readable/writeable by its owner only | no |
LDAP account for root | cn=admin,dc=falcot,dc=com |
LDAP root account password | the administrative password |
`/etc/nsswitch.conf` then needs to be modified so as to configure NSS to use the freshly-installed `ldap` module.
Example 11.30. The /etc/nsswitch.conf file
```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

hosts:          files dns ldap
networks:       ldap files

protocols:      ldap db files
services:       ldap db files
ethers:         ldap db files
rpc:            ldap db files

netgroup:       ldap files
```
The `ldap` module is usually inserted before others, and it will therefore be queried first. The notable exception is the `hosts` service, since contacting the LDAP server requires consulting DNS first (to resolve `ldap.falcot.com`). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop.
`files` ignored), the services can be configured with the following syntax:
`service: ldap [NOTFOUND=return] files`.
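The two NSS rules stated above (the `ldap` module first for most services, but `hosts` resolving through `files` and `dns` before `ldap`, and `[NOTFOUND=return]` marking LDAP as authoritative) can be checked mechanically. The following Python script is an added example, not code from the Debian Administrator's Handbook or from Debian: it parses an `nsswitch.conf` in the format of Example 11.30, including action specs such as `[NOTFOUND=return]`, and reports the hosts-lookup loop and any service where local files are bypassed. The sample file content, and the function names, are constructed for this example; the sample deliberately lists `ldap` first on the `hosts` line so the check has something to find.

```python
# Added example: an nsswitch.conf checker for the ordering rules described
# in the text. Not part of the handbook or of any Debian package.
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on Example 11.30 but with a wrong
# "hosts" line (ldap before dns) and an authoritative "passwd" line.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         ldap [NOTFOUND=return] compat
group:          ldap compat
shadow:         ldap compat
hosts:          ldap files dns
networks:       ldap files
services:       ldap db files
"""

# One source on a service line: its name plus the {STATUS: action} pairs
# from any "[...]" spec that follows it (negated statuses keep their "!").
Source = Tuple[str, Dict[str, str]]

# Either a bracketed action spec or a bare word.
TOKEN_RE = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch(text: str) -> Dict[str, List[Source]]:
    """Parse nsswitch.conf text into {service: [(source, actions), ...]}."""
    services: Dict[str, List[Source]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        sources: List[Source] = []
        for action_spec, source in TOKEN_RE.findall(rest):
            if source:
                sources.append((source, {}))
            elif sources:
                # "[NOTFOUND=return SUCCESS=continue]" applies to the
                # source immediately before it.
                for item in action_spec.split():
                    status, _, action = item.partition("=")
                    sources[-1][1][status.upper()] = action.lower()
        services[name.strip()] = sources
    return services


def hosts_lookup_loop_risk(services: Dict[str, List[Source]]) -> bool:
    """True if 'hosts' would consult ldap before dns: resolving the LDAP
    server's own hostname would then recurse into an LDAP lookup."""
    order = [src for src, _ in services.get("hosts", [])]
    if "ldap" not in order:
        return False
    return "dns" not in order or order.index("ldap") < order.index("dns")


def ldap_notfound_stops_lookup(services: Dict[str, List[Source]], name: str) -> bool:
    """True if a 'not found' answer from ldap ends the lookup for this
    service ([NOTFOUND=return]), i.e. later sources such as files are
    never consulted for names LDAP does not know."""
    for src, actions in services.get(name, []):
        if src == "ldap":
            return actions.get("NOTFOUND", "continue") == "return"
    return False


def check(text: str) -> List[str]:
    """Run both checks and return human-readable findings."""
    services = parse_nsswitch(text)
    findings: List[str] = []
    if hosts_lookup_loop_risk(services):
        findings.append("hosts: ldap is consulted before dns; resolving the "
                        "LDAP server's name would loop")
    for name in ("passwd", "group", "shadow"):
        if ldap_notfound_stops_lookup(services, name):
            findings.append(f"{name}: [NOTFOUND=return] set; local /etc/{name} "
                            "entries are ignored when ldap answers 'not found'")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_NSSWITCH):
        print(finding)
```

Running it on a real system would mean passing the contents of `/etc/nsswitch.conf` to `check()`; the second finding is not an error as such (it is exactly what the `[NOTFOUND=return]` syntax is for) but it is worth surfacing, since it means accounts that exist only in the local files stop being resolvable as soon as the LDAP server answers.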
`/etc/environment` and `/etc/default/locale`) that will allow applications to perform the required authentications against the LDAP database.
Table 11.3. Configuring libpam-ldap
Question | Answer |
---|---|
Allow LDAP admin account to behave like local root? | Yes. This allows using the usual `passwd` command to change passwords stored in the LDAP database. |
Does the LDAP database require login? | no |
LDAP account for root | cn=admin,dc=falcot,dc=com |
LDAP root account password | the LDAP database administrative password |
Local encryption algorithm to use for passwords | crypt |
`/etc/pam.d/common-auth`, `/etc/pam.d/common-password` and `/etc/pam.d/common-account`. This mechanism uses the dedicated `pam-auth-update` tool (provided by the libpam-runtime package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
`./build-server-key ldap.falcot.com` asks a few mundane questions (location, organization name and so on). The answer to the “common name” question must be the fully-qualified hostname for the LDAP server; in our case, `ldap.falcot.com`.
`keys/ldap.falcot.com.crt` file; the corresponding private key is stored in `keys/ldap.falcot.com.key`.
`openldap` user identity:
```
# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
# mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
# chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key
# chmod 0640 /etc/ssl/private/ldap.falcot.com.key
# mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem
```
The `slapd` daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the `cn=config` object hierarchy, and the server updates `/etc/ldap/slapd.d` in real time to make the configuration persistent. `ldapmodify` is thus the right tool to update the configuration:
Example 11.31. Configuring slapd for encryption
```
# cat >ssl.ldif <<END
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
-
END
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
```
`SLAPD_SERVICES` in the `/etc/default/slapd` file. In addition, to be on the safe side, insecure LDAP will need to be disabled.
Example 11.32. The /etc/default/slapd file
```
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
# default)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps:/// ldapi:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""
```
`ldaps://` URI.
`/usr/local/share/ca-certificates` and running `update-ca-certificates`.
```
# cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:falcot.pem
done.
done.
```
`/etc/ldap/ldap.conf`. This will save quite some typing.
Example 11.33. The /etc/ldap/ldap.conf file
```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=falcot,dc=com
URI    ldaps://ldap.falcot.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
```
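Examples 11.32 and 11.33 together enforce "TLS or local socket only": the server listens on `ldaps:///` and `ldapi:///` but not `ldap:///`, and the client default `URI` is `ldaps://` with a `TLS_CACERT` so the server certificate can be verified. The Python script below is an added example, not code from the handbook or from Debian or OpenLDAP: it parses both files (passed in as strings so it runs offline) and reports any plaintext `ldap://` listener or client URI, and a missing `TLS_CACERT`. The sample file contents and the function names are constructed for this example; the "before" server sample includes an `ldap:///` listener on purpose.

```python
# Added example: checks that /etc/default/slapd and /etc/ldap/ldap.conf
# exclude plaintext LDAP. Not part of the handbook, Debian or OpenLDAP.
import shlex
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed samples. The "before" one still has a plaintext listener.
SAMPLE_DEFAULT_SLAPD_BEFORE = """\
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
SLAPD_OPTIONS=""
"""

SAMPLE_DEFAULT_SLAPD_AFTER = """\
SLAPD_USER="openldap"
SLAPD_SERVICES="ldaps:/// ldapi:///"
"""

SAMPLE_LDAP_CONF = """\
BASE   dc=falcot,dc=com
URI    ldaps://ldap.falcot.com
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
"""


def shell_assignments(text: str) -> Dict[str, str]:
    """Collect plain NAME=value lines from an /etc/default style file.
    Comments are skipped and shell quoting on the value is removed."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if not name.isidentifier():
            continue  # "export X=..." and similar are not handled here
        result[name] = " ".join(shlex.split(value, comments=True))
    return result


def slapd_listeners(default_slapd_text: str) -> List[str]:
    """The URIs slapd is told to listen on (SLAPD_SERVICES)."""
    return shell_assignments(default_slapd_text).get("SLAPD_SERVICES", "").split()


def ldap_conf_directives(text: str) -> Dict[str, List[str]]:
    """Parse ldap.conf 'KEYWORD value...' lines into {KEYWORD: [values]}."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        directives.setdefault(keyword.upper(), []).extend(value.split())
    return directives


def plaintext_uris(uris: List[str]) -> List[str]:
    """URIs with the plain ldap:// scheme (TCP, no TLS at connect time).
    ldaps:// (TLS) and ldapi:// (Unix socket) pass. A client using StartTLS
    over ldap:// cannot be told apart from the URI alone."""
    return [u for u in uris if urlsplit(u).scheme.lower() == "ldap"]


def audit(default_slapd_text: str, ldap_conf_text: str) -> List[str]:
    """Return findings for the server listener list and client defaults."""
    findings: List[str] = []
    for uri in plaintext_uris(slapd_listeners(default_slapd_text)):
        findings.append(f"server listens on plaintext {uri}")
    directives = ldap_conf_directives(ldap_conf_text)
    for uri in plaintext_uris(directives.get("URI", [])):
        findings.append(f"client default URI is plaintext {uri}")
    if "TLS_CACERT" not in directives:
        findings.append("client has no TLS_CACERT; server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_DEFAULT_SLAPD_BEFORE, SAMPLE_LDAP_CONF))
    print("after: ", audit(SAMPLE_DEFAULT_SLAPD_AFTER, SAMPLE_LDAP_CONF))
```

On a real host the two arguments would be the contents of `/etc/default/slapd` and `/etc/ldap/ldap.conf`; an empty finding list corresponds to the state reached at the end of Examples 11.32 and 11.33. Note that the Table 11.2 answer for libnss-ldap still names `ldap://ldap.falcot.com`, so the same scheme check is worth applying to the libnss-ldap and libpam-ldap configuration files once the server has been switched to `ldaps://` only.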