Differences

This shows you the differences between two versions of the page.

linux:skoleni:ldap [2018/05/15 00:14]
admin
linux:skoleni:ldap [2018/11/01 18:23] (current)
admin
Line 27: Line 27:
  
 An entry is basically a collection of attributes under a name used to describe something. An entry is basically a collection of attributes under a name used to describe something.
 +<​code>​
 objectclass ( 2.5.6.6 NAME '​person'​ DESC '​RFC2256:​ a person'​ SUP top STRUCTURAL objectclass ( 2.5.6.6 NAME '​person'​ DESC '​RFC2256:​ a person'​ SUP top STRUCTURAL
 MUST ( sn $ cn ) MUST ( sn $ cn )
 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
 +</​code>​ 
 +<​code>​
 attributetype ( 2.5.4.41 NAME '​name'​ DESC '​RFC4519:​ common supertype of name attributes'​ attributetype ( 2.5.4.41 NAME '​name'​ DESC '​RFC4519:​ common supertype of name attributes'​
 EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
 +</​code>​
  
 Unlike traditional relational databases, schemas in LDAP are simply collections of related objectClasses and attributes Unlike traditional relational databases, schemas in LDAP are simply collections of related objectClasses and attributes
Line 46: Line 48:
 Skoro vsechny dedicnosti objectClass ve stromu konci specielni objectClassou zvanou "​top"​. Prakticky jen proto, "aby tam neco bylo". Skoro vsechny dedicnosti objectClass ve stromu konci specielni objectClassou zvanou "​top"​. Prakticky jen proto, "aby tam neco bylo".
  
-====== Instalace na Linuxux ​======== +====== Instalace na Linux ======== 
-Poznamka pro me: zminit fail2ban a omezit jen na vasi sit kde je DB+<code bash> 
 +# apt-get install slapd ldap-utils 
 +</​code>​ 
 + 
 +Poznamka pro me: zminit fail2ban a omezit jen na vasi sitkde je DB 
 + 
 +Existuji jeste krome BDB take HDB a MDB. Mene konfigurace,​ rychlejsi. BDB je naopak vyzkousena min. 20 let a opravitelna.
  
 Uchylarna s DB_CONFIG Uchylarna s DB_CONFIG
-<file DB_CONFIG>​+<​file ​bash DB_CONFIG>​
 # WARNING: Before tuning the following parameters, _PLEASE READ_ # WARNING: Before tuning the following parameters, _PLEASE READ_
 #   /​usr/​share/​doc/​slapd/​README.DB_CONFIG.gz #   /​usr/​share/​doc/​slapd/​README.DB_CONFIG.gz
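Review bot: the reminder "omezit jen na vasi sit kde je DB" lost its space in this revision ("sitkde"); fix the typo, and since this is still a note-to-self, the reader would be better served if the actual restriction were spelled out next to the new `apt-get install slapd ldap-utils` line (a firewall rule limiting port 389 to the network where the DB lives). Also, `<file bash DB_CONFIG>` labels a Berkeley DB settings file as a shell script; the previous untagged `<file DB_CONFIG>` was more accurate than a `bash` highlight.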
Line 131: Line 139:
 </​file>​ </​file>​
  
-Filipika proti slapd.d a pouziti slapd.conf +Filipika proti slapd.d a pouziti slapd.conf
-<​file ​salpd.conf>+Soubor vytvorime pomoci 
 +   cat >​slapd.conf 
 +vkladani staci copy&​paste,​ prostredni tlacitko mysi a ukoncime stiskem ctrl+d. 
 + 
 +<​file ​bash slapd.conf>
 include /​etc/​ldap/​schema/​core.schema include /​etc/​ldap/​schema/​core.schema
 include /​etc/​ldap/​schema/​cosine.schema include /​etc/​ldap/​schema/​cosine.schema
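Review bot: `<file bash slapd.conf>` has the same mislabel as DB_CONFIG above, slapd.conf is not shell. The new `cat >slapd.conf` instruction creates the file in the current directory and says nothing about where it must end up or who may read it; given that the file carries `rootpw` (next hunk), state the destination path and that it must not be world-readable.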
Line 155: Line 167:
 suffix "​dc=pb"​ suffix "​dc=pb"​
 rootdn "​cn=admin,​dc=pb"​ rootdn "​cn=admin,​dc=pb"​
-rootpw ​gaMMa2018+rootpw ​deLTa2019
 cachesize 10000 cachesize 10000
  
Line 169: Line 181:
  
 access to dn.base=""​ by * read access to dn.base=""​ by * read
 +
 +access to *
 +  by dn="​cn=admin,​dc=example,​dc=net"​ write
 +  by * read
  
 </​file>​ </​file>​
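Review bot: the new rule `by dn="cn=admin,dc=example,dc=net" write` names a DN under dc=example,dc=net, but this configuration's suffix is "dc=pb" and its rootdn is "cn=admin,dc=pb" (the Line 155 hunk above), so the rule grants write to a DN that does not exist in this tree (the rootdn bypasses ACLs anyway). More important, with `access to * ... by * read` as the catch-all, every attribute including userPassword is readable by anonymous clients; OpenLDAP ACLs are first-match, so add `access to attrs=userPassword by self write by anonymous auth by * none` before this rule so password hashes are only ever used for binding.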
Line 191: Line 207:
    chown openldap.openldap /​etc/​ldap/​slapd.d -R    chown openldap.openldap /​etc/​ldap/​slapd.d -R
 pri vytvareni databaze a provadeni slaptest -f -F.    pri vytvareni databaze a provadeni slaptest -f -F.   
 +
 +Test, zda-li slapd posloucha na portu 389
 +<​code>​
 +netstat -nlpt
 +Active Internet connections (only servers)
 +Proto Recv-Q Send-Q Local Address ​          ​Foreign Address ​        ​State ​
 +tcp        0      0 0.0.0.0:​9102 ​           0.0.0.0:​* ​              ​LISTEN
 +tcp        0      0 0.0.0.0:​111 ​            ​0.0.0.0:​* ​              ​LISTEN
 +tcp        0      0 0.0.0.0:​22 ​             0.0.0.0:​* ​              ​LISTEN
 +tcp        0      0 0.0.0.0:​25 ​             0.0.0.0:​* ​              ​LISTEN
 +tcp        0      0 0.0.0.0:​5666 ​           0.0.0.0:​* ​              ​LISTEN
 +tcp        0      0 0.0.0.0:​389 ​            ​0.0.0.0:​* ​              ​LISTEN
 +tcp6       ​0 ​     0 :::​111 ​                 :::*                    LISTEN
 +tcp6       ​0 ​     0 :::22                   :::​* ​                   LISTEN
 +tcp6       ​0 ​     0 :::25                   :::​* ​                   LISTEN
 +tcp6       ​0 ​     0 :::​5666 ​                :::​* ​                   LISTEN
 +tcp6       ​0 ​     0 :::​389 ​                 :::*                    LISTEN
 +</​code>​
 +
 ====== Pridavani zaznamu ======= ====== Pridavani zaznamu =======
-<file pb.ldif>+Nejdrive si vytvorime soubor a pak ho pridame pomoc ldapadd 
 + 
 +<​file ​ldif pb.ldif>
 version: 1 version: 1
  
Line 270: Line 307:
 </​file>​ </​file>​
  
-<file pb_add1.ldif>​+<​file ​ldif pb_add1.ldif>​
 dn: cn=projekt_a,​ou=groups,​dc=pb dn: cn=projekt_a,​ou=groups,​dc=pb
 cn: projekt_a cn: projekt_a
Line 285: Line 322:
 </​file>​ </​file>​
  
-<file pb_add2.ldif>​+<code bash> 
 +   ​ldapadd ​ -x -D "​cn=admin,​dc=pb"​ -w heslo -f pb_add1.ldif 
 +</​code>​ 
 + 
 +Ted sami pridejte 
 +  * sebe jako person 
 +  * dve skupiny 
 + 
 +<​file ​ldif pb_add2.ldif>​
 dn: uid=cervenka,​ou=people,​dc=pb dn: uid=cervenka,​ou=people,​dc=pb
 objectclass:​ inetOrgPerson objectclass:​ inetOrgPerson
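Review bot: `ldapadd -x -D "cn=admin,dc=pb" -w heslo -f pb_add1.ldif` passes the bind password on the command line, so it ends up in shell history and is visible in `ps` to every local user while the command runs; use `-W` to be prompted, or `-y <file>` with a password file readable only by the invoking user.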
Line 309: Line 354:
 </​file>​ </​file>​
  
 +====== Vyhledavani ======
 +Mnoho prikladu
 +<​code>​
 +ldapsearch -x -b '​uid=novak,​ou=people,​dc=pb' ​
 +ldapsearch -x -b '​cn=Radek Saturka,​ou=people,​dc=pb' ​
 +</​code>​
 +
 +<​code>​
 +ldapsearch -x  -b '​ou=people,​dc=pb' ​ uid=saturka
 +ldapsearch -x  -b '​ou=people,​dc=pb' ​ uid=jnovak
 +ldapsearch -x  -b '​dc=pb' ​ uid=saturka
 +ldapsearch -x  -b '​dc=pb' ​ uid=jnovak
 +</​code>​
 +
 +A pozor, porad jedeme anonymne bez hesla, jinak bude search vypadat takto:
 +   ​ldapsearch -x -b '​ou=people,​dc=pb' ​ -D uid=cajkovsky,​ou=people,​dc=pb -w blooood '​(&​(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,​ou=groups,​dc=pb))'​
 +   
 +====== Instalace PhpLDAPadmin =======
 +Pozor, je potreba pouzit php5, protoze nema opravene par chyb. Napr. create_function je v php7 obsolete
 +   ​$CACHE[$sortby] = create_function('​$a,​ $b',​$code);​
 +Nam bude pro ukazku bohate stacit apache2 s php5 modulem. Pokud mate debian 9 stretch, pak je treba pro vyukove ucely pridat do /​etc/​apt/​sources.list
 +<code bash>
 +   deb http://​debian.superhosting.cz/​debian/​ jessie main contrib non-free
 +</​code>​
 +
 +Provedte update db a pak instalaci
 +<code bash>
 +   apt update
 +   apt install libapache2-mod-php5 ​ php5.0-xml ​
 +</​code>​
 +Par uprav v konfiguraci a muzeme jet
 +<code php>
 +$servers->​setValue('​server','​host','​127.0.0.1'​);​
 +
 +/* The port your LDAP server listens on (no quotes). 389 is standard. */
 +// $servers->​setValue('​server','​port',​389);​
 +
 +/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
 +   ​auto-detect it for you. */
 +$servers->​setValue('​server','​base',​array('​dc=pb'​));​
 +
 +/* Five options for auth_type:
 +   1. '​cookie':​ you will login via a web form, and a client-side cookie will
 +      store your login dn and password.
 +   2. '​session':​ same as cookie but your login dn and password are stored on the
 +      web server in a persistent session variable.
 +   3. '​http':​ same as session but your login dn and password are retrieved via
 +      HTTP authentication.
 +   4. '​config':​ specify your login dn and password here in this config file. No
 +      login will be required to use phpLDAPadmin for this server.
 +   5. '​sasl':​ login will be taken from the webserver'​s kerberos authentication.
 +      Currently only GSSAPI has been tested (using mod_auth_kerb).
 +
 +   ​Choose wisely to protect your authentication information appropriately for
 +   your situation. If you choose '​cookie',​ your cookie contents will be
 +   ​encrypted using blowfish and the secret your specify above as
 +   ​session['​blowfish'​]. */
 +$servers->​setValue('​login','​auth_type','​session'​);​
 +
 +/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
 +   '​cookie','​session'​ or '​sasl'​ auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
 +   ​BLANK. If you specify a login_attr in conjunction with a cookie or session
 +   ​auth_type,​ then you can also specify the bind_id/​bind_pass here for searching
 +   the directory for users (ie, if your LDAP server does not allow anonymous
 +   ​binds. */
 +$servers->​setValue('​login','​bind_id','​cn=admin,​dc=pb'​);​
 +</​code>​
  
 +Racte namirit vas browser na cerstve nainstalovany ldapadmin
 +[[http://​127.0.0.1/​phpldapadmin]]
  
 ====== Pridavani strukturalnich zaznamu ====== ====== Pridavani strukturalnich zaznamu ======
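Review bot: the authenticated search example uses `-w blooood`, the same command-line password problem as the ldapadd hunk above; `-W` would do. In the PhpLDAPadmin part, the pasted config comment says for 'cookie', 'session' or 'sasl' auth_types to LEAVE THE LOGIN_DN AND LOGIN_PASS BLANK, yet the hunk sets `auth_type` to 'session' and then `$servers->setValue('login','bind_id','cn=admin,dc=pb');` without the login_attr that the comment makes a precondition; either drop bind_id or explain that case. Finally, adding a jessie repository to a stretch system to obtain php5 mixes releases and runs an end-of-life PHP in a web UI that holds admin credentials; the "pro vyukove ucely" caveat should say so and insist the instance stays on 127.0.0.1 as the link suggests.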
Line 339: Line 453:
 ) )
  
-olcRootDN: cn=admin,​cn=config +  ​olcRootDN: cn=admin,​cn=config 
-olcRootPW: superheslo+  olcRootPW: superheslo
  
 Je nutné restartovat ldap: Je nutné restartovat ldap:
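Review bot: `olcRootPW: superheslo` stores the cn=config root password in clear text; the indentation added in this revision only turns the two lines into a preformatted block. The value should be a `{SSHA}` hash produced by `slappasswd`, the same fix as for `rootpw` in slapd.conf.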
Line 354: Line 468:
  
  
-<code>+<file ldif memberof_config.ldif>
 dn: cn=module,​cn=config dn: cn=module,​cn=config
 cn: module cn: module
Line 372: Line 486:
 olcMemberOfMemberAD:​ member olcMemberOfMemberAD:​ member
 olcMemberOfMemberOfAD:​ memberOf olcMemberOfMemberOfAD:​ memberOf
-</code>+</file>
  
 Proc nepouzivat "​muzevsude"​ a jine powergroupy?​ -> protoze tam z lenosti pak skonci vsichni. Proc nepouzivat "​muzevsude"​ a jine powergroupy?​ -> protoze tam z lenosti pak skonci vsichni.
Line 380: Line 494:
  
    ​ldapsearch -x -b '​ou=people,​dc=pb'​ '​(&​(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,​ou=groups,​dc=pb))'​    ​ldapsearch -x -b '​ou=people,​dc=pb'​ '​(&​(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,​ou=groups,​dc=pb))'​
 +   
 +   
    ​NAME=ldapsearch -x -h 127.0.0.1 "​(&​(objectClass=person)(|(telephoneNumber=${NUM})(mobile=${NUM})(homePhone=${NUM})(fax=${NUM})))"​ cn | sed -n '​s/​cn:​\s\(.*\)/​\1/​p    ​NAME=ldapsearch -x -h 127.0.0.1 "​(&​(objectClass=person)(|(telephoneNumber=${NUM})(mobile=${NUM})(homePhone=${NUM})(fax=${NUM})))"​ cn | sed -n '​s/​cn:​\s\(.*\)/​\1/​p
        
 +   ​ldapsearch -x -b "​dc=pb" ​ '​(objectClass=inetOrgPerson)'​ uid
 ====== Ukazka kodu v PHP ====== ====== Ukazka kodu v PHP ======
 Pozor na mala a velka pismena v poli memberOf -> memberof Pozor na mala a velka pismena v poli memberOf -> memberof
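Review bot: the unchanged `NAME=ldapsearch -x -h 127.0.0.1 "..." cn | sed -n 's/cn:\s\(.*\)/\1/p` line is not valid shell as shown: the assignment needs command substitution, `NAME=$(ldapsearch ... | sed -n '...p')`, and the sed expression's closing quote is missing. Also `${NUM}` is spliced straight into the filter, so a phone number taken from input could carry `*`, `(` or `)` and change the query; validate it as digits only before use. The new `ldapsearch -x -b "dc=pb" '(objectClass=inetOrgPerson)' uid` line is fine.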
Line 415: Line 532:
 </​code>​ </​code>​
  
 +Dotaz na clenstvi ve skupine je diky schizofrennimu memberof jednoduche
 +<code php>
 +<?php
  
 +    $server = "​ldap://​127.0.0.1";​
 +
 +    $ldap = ldap_connect($server);​
 +    $username = '​cajkovsky';​
 +    $password = '​blooood';​
 +
 +    $ldap_base = '​ou=people,​dc=pb';​
 +
 +    ldap_set_option($ldap,​ LDAP_OPT_PROTOCOL_VERSION,​ 3);
 +    ldap_set_option($ldap,​ LDAP_OPT_REFERRALS,​ 0);
 +
 +#    $bind = @ldap_bind($ldap,​ "​cn=$username,​$ldap_base",​ $password);
 +    $bind = @ldap_bind($ldap,​ "​uid=$username,​$ldap_base",​ $password);
 +
 +                if($bind) {
 +                        print "​gut";​
 +                } else {
 +                        print "​access denied";​
 +                }
 +
 +   ​$filter = "​(uid="​ . $username . "​)";​
 +   ​$attrs = array("​memberOf"​);​
 +   ​$result = ldap_search($ldap,​ '​ou=people,​dc=pb',​ $filter, $attrs);
 +
 +   ​$entries = ldap_get_entries($ldap,​ $result);
 +   ​print_r($entries[0]['​memberof'​]);​
 +
 +   ​$filter = "​(&​(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,​ou=groups,​dc=pb))";​
 +
 +   ​$result = ldap_search($ldap,​ '​ou=people,​dc=pb',​ $filter, $attrs);
 +   ​$attrs = array("​uid"​);​
 +   ​$entries = ldap_get_entries($ldap,​ $result);
 +   ​print_r($entries);​
 +?>
 +</​code>​
 ====== Zabezpeceni,​ zalohovani a indexy ====== ====== Zabezpeceni,​ zalohovani a indexy ======
 disallow bind_anon disallow bind_anon
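Review bot: `$filter = "(uid=" . $username . ")";` and the bind DN `"uid=$username,$ldap_base"` splice the username in unescaped; here it is a constant, but as soon as it comes from a login form this is LDAP filter and DN injection, so use `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` and `LDAP_ESCAPE_DN` respectively (available from PHP 5.6). Two logic problems in the same block: after a failed bind the script prints "access denied" but carries on with both searches instead of stopping, and `$attrs = array("uid");` is assigned after the second `ldap_search`, so that search still requests memberOf; move the assignment above the call. The `@` on ldap_bind also hides the reason for a failure, which `ldap_error($ldap)` would show.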
 
linux/skoleni/ldap.1526336048.txt.gz · Last modified: 2018/05/15 00:14 by admin