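--- a/linux:skoleni:ldap
+++ b/linux:skoleni:ldap
@@ -27,9 +27,13 @@
 An entry is basically a collection of attributes under a name used to describe something.
+<code>
 objectclass ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL
 MUST ( sn $ cn )
 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+</code>
+<code>
 attributetype ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of name attributes'
 EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+</code>
 Unlike traditional relational databases, schemas in LDAP are simply collections of related objectClasses and attributes
@@ -48,6 +50,7 @@
 ====== Instalace na Linux ========
 <code bash>
-# apt install slapd ldap-utils
+# apt-get install slapd ldap-utils
 </code>
 Poznamka pro me: zminit fail2ban a omezit jen na vasi sit, kde je DB
+Existuji jeste krome BDB take HDB a MDB. Mene konfigurace, rychlejsi. BDB je naopak vyzkousena min. 20 let a opravitelna.
 Uchylarna s DB_CONFIG
@@ -136,5 +139,9 @@
 </file>
-Filipika proti slapd.d a pouziti slapd.conf
-<file salpd.conf>
+Filipika proti slapd.d a pouziti slapd.conf.
+Soubor vytvorime pomoci
+cat >slapd.conf
+vkladani staci copy&paste, prostredni tlacitko mysi a ukoncime stiskem ctrl+d.
+
+<file bash slapd.conf>
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
@@ -160,4 +167,4 @@
 suffix "dc=pb"
 rootdn "cn=admin,dc=pb"
-rootpw gaMMa2018
+rootpw deLTa2019
 cachesize 10000
@@ -174,2 +181,6 @@
 access to dn.base="" by * read
+
+access to *
+by dn="cn=admin,dc=example,dc=net" write
+by * read
 </file>
@@ -196,4 +207,23 @@
 chown openldap.openldap /etc/ldap/slapd.d -R
 pri vytvareni databaze a provadeni slaptest -f -F.
+
+Test, zda-li slapd posloucha na portu 389
+<code>
+netstat -nlpt
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address  Foreign Address  State
+tcp 0 0 0.0.0.0:9102  0.0.0.0:*  LISTEN
+tcp 0 0 0.0.0.0:111  0.0.0.0:*  LISTEN
+tcp 0 0 0.0.0.0:22  0.0.0.0:*  LISTEN
+tcp 0 0 0.0.0.0:25  0.0.0.0:*  LISTEN
+tcp 0 0 0.0.0.0:5666  0.0.0.0:*  LISTEN
+tcp 0 0 0.0.0.0:389  0.0.0.0:*  LISTEN
+tcp6 0  0 :::111  :::* LISTEN
+tcp6 0  0 :::22 :::*  LISTEN
+tcp6 0  0 :::25 :::*  LISTEN
+tcp6 0  0 :::5666  :::*  LISTEN
+tcp6 0  0 :::389  :::* LISTEN
+</code>
+
 ====== Pridavani zaznamu =======
 Nejdrive si vytvorime soubor a pak ho pridame pomoc ldapadd
@@ -295,3 +325,7 @@
 ldapadd  -x -D "cn=admin,dc=pb" -w heslo -f pb_add1.ldif
 </code>
+
+Ted sami pridejte
+* sebe jako person
+* dve skupiny
 <file ldif pb_add2.ldif>
@@ -419,4 +453,4 @@
 )
-olcRootDN: cn=admin,cn=config
-olcRootPW: superheslo
+olcRootDN: cn=admin,cn=config
+olcRootPW: superheslo
 Je nutné restartovat ldap:
@@ -434,3 +468,3 @@
-<code>
+<file ldif memberof_config.ldif>
 dn: cn=module,cn=config
 cn: module
@@ -452,4 +486,4 @@
 olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
-</code>
+</file>
 Proc nepouzivat "muzevsude" a jine powergroupy? -> protoze tam z lenosti pak skonci vsichni.
@@ -460,4 +494,7 @@
 ldapsearch -x -b 'ou=people,dc=pb' '(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))'
+
+
 NAME=ldapsearch -x -h 127.0.0.1 "(&(objectClass=person)(|(telephoneNumber=${NUM})(mobile=${NUM})(homePhone=${NUM})(fax=${NUM})))" cn | sed -n 's/cn:\s\(.*\)/\1/p
+ldapsearch -x -b "dc=pb"  '(objectClass=inetOrgPerson)' uid
 ====== Ukazka kodu v PHP ======
 Pozor na mala a velka pismena v poli memberOf -> memberof
@@ -495,3 +532,41 @@
 </code>
+Dotaz na clenstvi ve skupine je diky schizofrennimu memberof jednoduche
+<code php>
+<?php
+$server = "ldap://127.0.0.1";
+
+$ldap = ldap_connect($server);
+$username = 'cajkovsky';
+$password = 'blooood';
+
+$ldap_base = 'ou=people,dc=pb';
+
+ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+
+# $bind = @ldap_bind($ldap, "cn=$username,$ldap_base", $password);
+$bind = @ldap_bind($ldap, "uid=$username,$ldap_base", $password);
+
+if($bind) {
+print "gut";
+} else {
+print "access denied";
+}
+
+$filter = "(uid=" . $username . ")";
+$attrs = array("memberOf");
+$result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+
+$entries = ldap_get_entries($ldap, $result);
+print_r($entries[0]['memberof']);
+
+$filter = "(&(objectClass=inetOrgPerson)(uid=cajkovsky)(memberOf=cn=projekt_b,ou=groups,dc=pb))";
+
+$result = ldap_search($ldap, 'ou=people,dc=pb', $filter, $attrs);
+$attrs = array("uid");
+$entries = ldap_get_entries($ldap, $result);
+print_r($entries);
+?>
+</code>
 ====== Zabezpeceni, zalohovani a indexy ======
 disallow bind_anon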
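Review bot: The new PHP listing interpolates `$username` straight into both the bind DN (`"uid=$username,$ldap_base"`) and the search filter (`"(uid=" . $username . ")"`), so any value that does not come from the script itself can alter the DN or filter structure; pass it through `ldap_escape()` with `LDAP_ESCAPE_DN` for the DN and `LDAP_ESCAPE_FILTER` for the filter, e.g. `$filter = "(uid=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";`. In the same listing `$attrs = array("uid");` is assigned after the second `ldap_search` call that should use it, so that search still requests `memberOf`; move the assignment above the call. The slapd.conf hunk keeps `rootpw deLTa2019` (and the cn=config hunk `olcRootPW: superheslo`) in cleartext in the config and on the wiki; a `{SSHA}` value produced by `slappasswd` would avoid exposing the credential in either place. The added ACL `by dn="cn=admin,dc=example,dc=net" write` names a DN outside the configured suffix `dc=pb` and rootdn `cn=admin,dc=pb`, so it grants write access to no entry in this directory and was presumably meant to read `by dn="cn=admin,dc=pb" write`. The PHP also binds over plain `ldap://127.0.0.1`, which is acceptable only on the local host; a remote deployment should use an ldaps:// URL or call `ldap_start_tls()` before `ldap_bind`.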
				