[Show page]
[Old revisions]
[[unknown link type]]
[
]

Differences

This shows you the differences between two versions of the page.

--- linux:skoleni:ldap [2018/05/15 00:30]
admin [Instalace na Linux]
+++ linux:skoleni:ldap [2018/11/01 18:23] (current)
admin
@@ Line 27: / Line 27: @@
 An entry is basically a collection of attributes under a name used to describe something.
+<code>
 objectclass ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL
 MUST ( sn $ cn )
 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+</code>
+<code>
 attributetype ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of name attributes'
 EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+</code>
 Unlike traditional relational databases, schemas in LDAP are simply collections of related objectClasses and attributes
@@ Line 48: / Line 50: @@
 ====== Instalace na Linux ========
 <code bash>
-# apt install slapd ldap-utils
+# apt-get install slapd ldap-utils
 </code>
 Poznamka pro me: zminit fail2ban a omezit jen na vasi sit, kde je DB
+Existuji jeste krome BDB take HDB a MDB. Mene konfigurace, rychlejsi. BDB je naopak vyzkousena min. 20 let a opravitelna.
 Uchylarna s DB_CONFIG
@@ Line 136: / Line 139: @@
 </file>
-Filipika proti slapd.d a pouziti slapd.conf
+Filipika proti slapd.d a pouziti slapd.conf.
-<file salpd.conf>
+Soubor vytvorime pomoci
+   cat >slapd.conf
+vkladani staci copy&paste, prostredni tlacitko mysi a ukoncime stiskem ctrl+d.
+<file bash slapd.conf>
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
@@ Line 160: / Line 167: @@
 suffix "dc=pb"
 rootdn "cn=admin,dc=pb"
-rootpw gaMMa2018
+rootpw deLTa2019
 cachesize 10000
@@ Line 174: / Line 181: @@
 access to dn.base="" by * read
+access to *
+  by dn="cn=admin,dc=example,dc=net" write
+  by * read
 </file>
@@ Line 196: / Line 207: @@
    chown openldap.openldap /etc/ldap/slapd.d -R
 pri vytvareni databaze a provadeni slaptest -f -F.
+Test, zda-li slapd posloucha na portu 389
+<code>
+netstat -nlpt
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State
+tcp        0      0 0.0.0.0:9102            0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
+tcp6       0      0 :::111                  :::*                    LISTEN
+tcp6       0      0 :::22                   :::*                    LISTEN
+tcp6       0      0 :::25                   :::*                    LISTEN
+tcp6       0      0 :::5666                 :::*                    LISTEN
+tcp6       0      0 :::389                  :::*                    LISTEN
+</code>
 ====== Pridavani zaznamu =======
-<file pb.ldif>
+Nejdrive si vytvorime soubor a pak ho pridame pomoc ldapadd
+<file ldif pb.ldif>
 version: 1
@@ Line 275: / Line 307: @@
 </file>
-<file pb_add1.ldif>
+<file ldif pb_add1.ldif>
 dn: cn=projekt_a,ou=groups,dc=pb
 cn: projekt_a
@@ Line 290: / Line 322: @@
 </file>
-<file pb_add2.ldif>
+<code bash>
+   ldapadd  -x -D "cn=admin,dc=pb" -w heslo -f pb_add1.ldif
+</code>
+Ted sami pridejte
+  * sebe jako person
+  * dve skupiny
+<file ldif pb_add2.ldif>
 dn: uid=cervenka,ou=people,dc=pb
 objectclass: inetOrgPerson
@@ Line 413: / Line 453: @@
 )
-olcRootDN: cn=admin,cn=config
+  olcRootDN: cn=admin,cn=config
-olcRootPW: superheslo
+  olcRootPW: superheslo
 Je nutné restartovat ldap:
@@ Line 428: / Line 468: @@
-<code>
+<file ldif memberof_config.ldif>
 dn: cn=module,cn=config
 cn: module
@@ Line 446: / Line 486: @@
 olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
-</code>
+</file>
 Proc nepouzivat "muzevsude" a jine powergroupy? -> protoze tam z lenosti pak skonci vsichni.
@@ Line 454: / Line 494: @@
    ldapsearch -x -b 'ou=people,dc=pb' '(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))'
    NAME=ldapsearch -x -h 127.0.0.1 "(&(objectClass=person)(|(telephoneNumber=${NUM})(mobile=${NUM})(homePhone=${NUM})(fax=${NUM})))" cn | sed -n 's/cn:\s\(.*\)/\1/p
+   ldapsearch -x -b "dc=pb"  '(objectClass=inetOrgPerson)' uid
 ====== Ukazka kodu v PHP ======
 Pozor na mala a velka pismena v poli memberOf -> memberof
@@ Line 489: / Line 532: @@
 </code>
+Dotaz na clenstvi ve skupine je diky schizofrennimu memberof jednoduche
+<code php>
+<?php
+    $server = "ldap://127.0.0.1";
+    $ldap = ldap_connect($server);
+    $username = 'cajkovsky';
+    $password = 'blooood';
+    $ldap_base = 'ou=people,dc=pb';
+    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+#    $bind = @ldap_bind($ldap, "cn=$username,$ldap_base", $password);
+    $bind = @ldap_bind($ldap, "uid=$username,$ldap_base", $password);
+                if($bind) {
+                        print "gut";
+                } else {
+                        print "access denied";
+                }
+   $filter = "(uid=" . $username . ")";
+   $attrs = array("memberOf");
+   $result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+   $entries = ldap_get_entries($ldap, $result);
+   print_r($entries[0]['memberof']);
+   $filter = "(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))";
+   $result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+   $attrs = array("uid");
+   $entries = ldap_get_entries($ldap, $result);
+   print_r($entries);
+?>
+</code>
 ====== Zabezpeceni, zalohovani a indexy ======
 disallow bind_anon

linux/skoleni/ldap.1526337017.txt.gz · Last modified: 2018/05/15 00:30 by admin