[Show page]
[Old revisions]
[[unknown link type]]
[
]

Differences

This shows you the differences between two versions of the page.

--- linux:skoleni:ldap [2018/05/15 00:07]
admin
+++ linux:skoleni:ldap [2018/11/01 18:23] (current)
admin
@@ Line 27: / Line 27: @@
 An entry is basically a collection of attributes under a name used to describe something.
+<code>
 objectclass ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL
 MUST ( sn $ cn )
 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+</code>
+<code>
 attributetype ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of name attributes'
 EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+</code>
 Unlike traditional relational databases, schemas in LDAP are simply collections of related objectClasses and attributes
@@ Line 46: / Line 48: @@
 Skoro vsechny dedicnosti objectClass ve stromu konci specielni objectClassou zvanou "top". Prakticky jen proto, "aby tam neco bylo".
-====== Instalace na Linuxux ========
+====== Instalace na Linux ========
-Poznamka pro me: zminit fail2ban a omezit jen na vasi sit kde je DB
+<code bash>
+# apt-get install slapd ldap-utils
+</code>
+Poznamka pro me: zminit fail2ban a omezit jen na vasi sit, kde je DB
+Existuji jeste krome BDB take HDB a MDB. Mene konfigurace, rychlejsi. BDB je naopak vyzkousena min. 20 let a opravitelna.
 Uchylarna s DB_CONFIG
-<file DB_CONFIG>
+<file bash DB_CONFIG>
 # WARNING: Before tuning the following parameters, _PLEASE READ_
 #   /usr/share/doc/slapd/README.DB_CONFIG.gz
@@ Line 131: / Line 139: @@
 </file>
-Filipika proti slapd.d a pouziti slapd.conf
+Filipika proti slapd.d a pouziti slapd.conf.
-<file salpd.conf>
+Soubor vytvorime pomoci
+   cat >slapd.conf
+vkladani staci copy&paste, prostredni tlacitko mysi a ukoncime stiskem ctrl+d.
+<file bash slapd.conf>
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
@@ Line 155: / Line 167: @@
 suffix "dc=pb"
 rootdn "cn=admin,dc=pb"
-rootpw gaMMa2018
+rootpw deLTa2019
 cachesize 10000
@@ Line 169: / Line 181: @@
 access to dn.base="" by * read
+access to *
+  by dn="cn=admin,dc=example,dc=net" write
+  by * read
 </file>
@@ Line 185: / Line 201: @@
 </code>
-====== Pridavani zaznamu =======
 Nezapomenout na gymnastiku s
@@ Line 192: / Line 208: @@
 pri vytvareni databaze a provadeni slaptest -f -F.
+Test, zda-li slapd posloucha na portu 389
+<code>
+netstat -nlpt
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State
+tcp        0      0 0.0.0.0:9102            0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
+tcp6       0      0 :::111                  :::*                    LISTEN
+tcp6       0      0 :::22                   :::*                    LISTEN
+tcp6       0      0 :::25                   :::*                    LISTEN
+tcp6       0      0 :::5666                 :::*                    LISTEN
+tcp6       0      0 :::389                  :::*                    LISTEN
+</code>
+====== Pridavani zaznamu =======
+Nejdrive si vytvorime soubor a pak ho pridame pomoc ldapadd
+<file ldif pb.ldif>
+version: 1
+## version not strictly necessary (and some implementations reject it) but generally good practice
+## DEFINE DIT ROOT/BASE/SUFFIX ####
+## uses RFC 2377 (domain name) format
+## dcObject is an AUXILIARY objectclass and MUST
+## have a STRUCTURAL objectclass (organization in this case)
+# this is an ENTRY sequence and is preceded by a BLANK line
+dn: dc=pb
+dc: pb
+description: Praguebest
+objectClass: dcObject
+objectClass: organization
+o: Praguebest s.r.o.
+## FIRST Level hierarchy - people
+# this is an ENTRY sequence and is preceded by a BLANK line
+dn: ou=people, dc=pb
+ou: people
+description: All people in organisation
+objectClass: organizationalUnit
+## SECOND Level hierarchy - people entries
+# this is an ENTRY sequence and is preceded by a BLANK line
+dn: cn=Radek Saturka,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: Radek Saturka
+cn: Radek
+sn: Saturka
+uid: saturka
+mail: radek.saturka@praguebest.com
+ou: manager
+## SECOND Level hierarchy - people entries
+# this is an ENTRY sequence and is preceded by a BLANK line
+dn: cn=Bill Novak,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: Bill Novak
+cn: William
+sn: Novak
+uid: bnovak
+mail: bill@example.com
+ou: project
+## SECOND Level hierarchy - people entries
+# this is an ENTRY sequence and is preceded by a BLANK line
+dn: cn=John Novak,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: John Novak
+sn: novak
+uid: jnovak
+mail: jim@example.com
+ou: prog
+dn: cn=Robert Novak,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: Robert Novak
+cn: Robert
+sn: Novak
+uid: rnovak
+mail: robert@example.com
+ou: project
+dn: ou=groups, dc=pb
+ou: groups
+description: generic groups for GDPR
+objectClass: organizationalUnit
+</file>
+<file ldif pb_add1.ldif>
+dn: cn=projekt_a,ou=groups,dc=pb
+cn: projekt_a
+description: grupa ktera smi jen na projekt_a
+objectClass: groupOfNames
+member: cn=Bill Novak,ou=people,dc=pb
+dn: cn=projekt_b,ou=groups,dc=pb
+cn: projekt_b
+description: grupa ktera smi jen na projekt_b
+objectClass: groupOfNames
+member: cn=John Novak,ou=people,dc=pb
+</file>
+<code bash>
+   ldapadd  -x -D "cn=admin,dc=pb" -w heslo -f pb_add1.ldif
+</code>
+Ted sami pridejte
+  * sebe jako person
+  * dve skupiny
+<file ldif pb_add2.ldif>
+dn: uid=cervenka,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: David Cervenka
+sn: Cervenka
+uid: cervenka
+mail: cervenka@praguebest.com
+dn: uid=coufal,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: Martin Coufal
+sn: Coufal
+uid: coufal
+mail: coufal@praguebest.com
+dn: uid=cajkovsky,ou=people,dc=pb
+objectclass: inetOrgPerson
+cn: Igor Cajkovsky
+sn: Cajkovsky
+uid: cajkovsky
+mail: cajkovsky@praguebest.com
+</file>
+====== Vyhledavani ======
+Mnoho prikladu
+<code>
+ldapsearch -x -b 'uid=novak,ou=people,dc=pb'
+ldapsearch -x -b 'cn=Radek Saturka,ou=people,dc=pb'
+</code>
+<code>
+ldapsearch -x  -b 'ou=people,dc=pb'  uid=saturka
+ldapsearch -x  -b 'ou=people,dc=pb'  uid=jnovak
+ldapsearch -x  -b 'dc=pb'  uid=saturka
+ldapsearch -x  -b 'dc=pb'  uid=jnovak
+</code>
+A pozor, porad jedeme anonymne bez hesla, jinak bude search vypadat takto:
+   ldapsearch -x -b 'ou=people,dc=pb'  -D uid=cajkovsky,ou=people,dc=pb -w blooood '(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))'
+====== Instalace PhpLDAPadmin =======
+Pozor, je potreba pouzit php5, protoze nema opravene par chyb. Napr. create_function je v php7 obsolete
+   $CACHE[$sortby] = create_function('$a, $b',$code);
+Nam bude pro ukazku bohate stacit apache2 s php5 modulem. Pokud mate debian 9 stretch, pak je treba pro vyukove ucely pridat do /etc/apt/sources.list
+<code bash>
+   deb http://debian.superhosting.cz/debian/ jessie main contrib non-free
+</code>
+Provedte update db a pak instalaci
+<code bash>
+   apt update
+   apt install libapache2-mod-php5  php5.0-xml
+</code>
+Par uprav v konfiguraci a muzeme jet
+<code php>
+$servers->setValue('server','host','127.0.0.1');
+/* The port your LDAP server listens on (no quotes). 389 is standard. */
+// $servers->setValue('server','port',389);
+/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
+   auto-detect it for you. */
+$servers->setValue('server','base',array('dc=pb'));
+/* Five options for auth_type:
+. 'cookie': you will login via a web form, and a client-side cookie will
+      store your login dn and password.
+. 'session': same as cookie but your login dn and password are stored on the
+      web server in a persistent session variable.
+. 'http': same as session but your login dn and password are retrieved via
+      HTTP authentication.
+. 'config': specify your login dn and password here in this config file. No
+      login will be required to use phpLDAPadmin for this server.
+. 'sasl': login will be taken from the webserver's kerberos authentication.
+      Currently only GSSAPI has been tested (using mod_auth_kerb).
+   Choose wisely to protect your authentication information appropriately for
+   your situation. If you choose 'cookie', your cookie contents will be
+   encrypted using blowfish and the secret your specify above as
+   session['blowfish']. */
+$servers->setValue('login','auth_type','session');
+/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
+   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
+   BLANK. If you specify a login_attr in conjunction with a cookie or session
+   auth_type, then you can also specify the bind_id/bind_pass here for searching
+   the directory for users (ie, if your LDAP server does not allow anonymous
+   binds. */
+$servers->setValue('login','bind_id','cn=admin,dc=pb');
+</code>
+Racte namirit vas browser na cerstve nainstalovany ldapadmin
+[[http://127.0.0.1/phpldapadmin]]
+====== Pridavani strukturalnich zaznamu ======
 <code>
 # ldapadd -x -D "cn=admin,dc=pb" -W -f memberof_config.ldif
@@ Line 219: / Line 453: @@
 )
-olcRootDN: cn=admin,cn=config
+  olcRootDN: cn=admin,cn=config
-olcRootPW: superheslo
+  olcRootPW: superheslo
 Je nutné restartovat ldap:
@@ Line 234: / Line 468: @@
-<code>
+<file ldif memberof_config.ldif>
 dn: cn=module,cn=config
 cn: module
@@ Line 252: / Line 486: @@
 olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
-</code>
+</file>
 Proc nepouzivat "muzevsude" a jine powergroupy? -> protoze tam z lenosti pak skonci vsichni.
-   ldapsearch -x -b 'ou=people,dc=pb' '(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))'
+====== Pokrocile vyhledavani ======
+Syntaxe je prefixova, kterou vymyslel chory mozek, aby byl LDAP jeste vice hustej nezli je
+   ldapsearch -x -b 'ou=people,dc=pb' '(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))'
+   NAME=ldapsearch -x -h 127.0.0.1 "(&(objectClass=person)(|(telephoneNumber=${NUM})(mobile=${NUM})(homePhone=${NUM})(fax=${NUM})))" cn | sed -n 's/cn:\s\(.*\)/\1/p
+   ldapsearch -x -b "dc=pb"  '(objectClass=inetOrgPerson)' uid
+====== Ukazka kodu v PHP ======
 Pozor na mala a velka pismena v poli memberOf -> memberof
 <code php>
@@ Line 290: / Line 532: @@
 </code>
+Dotaz na clenstvi ve skupine je diky schizofrennimu memberof jednoduche
+<code php>
+<?php
+    $server = "ldap://127.0.0.1";
+    $ldap = ldap_connect($server);
+    $username = 'cajkovsky';
+    $password = 'blooood';
+    $ldap_base = 'ou=people,dc=pb';
+    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+#    $bind = @ldap_bind($ldap, "cn=$username,$ldap_base", $password);
+    $bind = @ldap_bind($ldap, "uid=$username,$ldap_base", $password);
+                if($bind) {
+                        print "gut";
+                } else {
+                        print "access denied";
+                }
+   $filter = "(uid=" . $username . ")";
+   $attrs = array("memberOf");
+   $result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+   $entries = ldap_get_entries($ldap, $result);
+   print_r($entries[0]['memberof']);
+   $filter = "(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))";
+   $result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+   $attrs = array("uid");
+   $entries = ldap_get_entries($ldap, $result);
+   print_r($entries);
+?>
+</code>
 ====== Zabezpeceni, zalohovani a indexy ======
 disallow bind_anon

linux/skoleni/ldap.1526335671.txt.gz · Last modified: 2018/05/15 00:07 by admin