Previous revision: proyectos:linuxservidor-db-ldap [2022/04/23 22:47] – [Referencias] manuel.floresv
Current revision: proyectos:linuxservidor-db-ldap [2022/05/02 00:23] (current) – [Referencias] manuel.floresv
Línea 62: Línea 62:
  
  
-===== Referencias ===== 
- 
-  * https://computingforgeeks.com/how-to-install-and-configure-openldap-ubuntu-18-04/ 
  
 ====== LDAP Cliente Auth pam ====== ====== LDAP Cliente Auth pam ======
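Review bot: removing this per-section "Referencias" block is consistent with the consolidation at the end of this change, and the dropped computingforgeeks link reappears there under "Generales", so no reference is lost; one consolidated list at the end is easier to keep free of duplicates than one list per section.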
Línea 99: Línea 96:
  skel=/etc/skel umask=077  skel=/etc/skel umask=077
 </code> </code>
-===== Referencias ===== 
  
-  * https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/ +====== Accesos LDAP ====== 
-  * https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client+Para ver los accesos a la base de datos, debemos buscar en la configuracion del la base con: 
-  * https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities  +<code bash> 
-  http://tutoriels.meddeb.net/openldap-tutorial-log/ +ldapsearch -external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL  
-  * https://www.zytrax.com/books/ldap/ch6/#loglevel +</code> 
-  * https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-client-workstation +Y tendremos que ver algo como: 
 +<code bash> 
 +. 
 +. 
 +
 + 
 + 
 +dn: olcDatabase={1}mdb,cn=config 
 +objectClass: olcDatabaseConfig 
 +objectClass: olcMdbConfig 
 +olcDatabase: {1}mdb 
 +olcDbDirectory: /var/lib/ldap 
 +olcSuffix: dc=example,dc=com 
 +olcAccess: {0}to attrs=userPassword by self write by anonymous auth by none 
 +olcAccess{1}to attrs=shadowLastChange by self write by * read 
 +olcAccess: {2}to * by * read 
 +olcLastMod: TRUE 
 +olcRootDN: cn=admin,dc=example,dc=com 
 +olcRootPW: {SSHA}2PEPV+8Pltp8wS1U8nmyAlKKILCOJpuQ 
 +olcDbCheckpoint: 512 30 
 +olcDbIndex: objectClass eq 
 +olcDbIndex: cn,uid eq 
 +olcDbIndex: uidNumber,gidNumber eq 
 +olcDbIndex: member,memberUid eq 
 +olcDbMaxSize: 1073741824 
 + 
 +</code> 
 +===== Agregar ===== 
 +Para agregar algunas reglas mas debemos: 
 + 
 +<code bash> 
 + 
 +cat access.ldiff  
 +dn: olcDatabase={1}mdb,cn=config 
 +changetype: modify 
 +add: olcAccess 
 +olcAccess: {3}to dn.children="dc=example,dc=com" 
 +  by self write 
 +  by dn.children="dc=example,dc=com" search 
 +  by none break 
 +
 +addolcAccess 
 +olcAccess: {4}to dn.children="dc=example,dc=com
 +  by self write 
 +  by anonymous auth   
 +  by * none break 
 + 
 +</code> 
 +Donde: 
 +  - ''{3}to'' : Representa el numero de la regla(En la instalación inicial hay 3 reglas 0,1,2) 
 +  - ''by self'': Nos dice a quien le da permisos 
 +  - ''none/search/read/write/manage'' : Son los permisos que damos 
 + 
 +Aplicamos los cambios con 
 +<code bash> 
 +ldapmodify -Y external -H ldapi:/// -f access.ldiff 
 +</code> 
 +===== Borrar ===== 
 +Para borrar agregamos el ldiff 
 +<code bash> 
 +cat access-delete.ldiff  
 +dn: olcDatabase={1}mdb,cn=config 
 +changetype: modify 
 +delete: olcAccess 
 +olcAccess: {2} 
 + 
 +</code> 
 +Aplicamos los cambios con 
 +<code bash> 
 +ldapmodify -Y external -H ldapi:/// -f access-delete.ldiff 
 +</code>
  
 ====== LDAP Habilitar Log ====== ====== LDAP Habilitar Log ======
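Review bot: the two rules added in "Agregar" as `{3}` and `{4}` will never be evaluated, because slapd applies the first `to` clause whose target matches the entry, and the existing `olcAccess: {2}to * by * read` matches every entry and grants read without `break`; to take effect the new rules have to be inserted ahead of the catch-all (for example as `{2}`, letting the old rule shift to `{3}`) or the catch-all has to be removed first, which is also why the "Borrar" step that deletes `{2}` changes who can read the whole tree and should say so. Several pasted lines also need fixing before anyone copies them: `ldapsearch -external` should be `ldapsearch -Y EXTERNAL` (the `ldapmodify` lines below already use `-Y external`), and a search for `(objectClass=olcGlobal)` asking for `olcLogLevel` returns the global `cn=config` entry, not the `olcDatabase={1}mdb` entry with the `olcAccess` values shown as output (search for `(olcDatabase={1}mdb)` and request `olcAccess`); in the LDIF, `addolcAccess` should be a `-` separator line followed by `add: olcAccess`, the `{4}` target is missing its closing quote, and `by none break` has no <who> part (it should be `by * none break`, as written in the `{4}` rule); in the pasted output `olcAccess{1}to attrs=shadowLastChange` is missing its colon and `{0}` ends in `by none` where the usual form is `by * none`. Finally, the `olcRootPW: {SSHA}...` line is the directory admin password hash copied from a live configuration and should be redacted from the wiki.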
Línea 123: Línea 189:
 ===== Archivos ===== ===== Archivos =====
 ===== Opciones ===== ===== Opciones =====
-===== Interfaces =====+====== Interfaces =====
 +  * [[https://www.fusiondirectory.org/en/|FusionDirectory]] web
   * [[http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page|phpldapadmin]] web   * [[http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page|phpldapadmin]] web
-  * [[http://directory.apache.org/studio/|Apache Studio]] escritorio +  * [[http://directory.apache.org/studio/|Apache Studio]] de escritorio 
-  * [[https://www.ldap-account-manager.org/lamcms/|LDAP Account Manager]] +  * [[https://www.ldap-account-manager.org/lamcms/|LDAP Account Manager]]  web 
-  * [[https://github.com/kakwa/ldapcherry|LDAPcherry]] +  * [[https://github.com/kakwa/ldapcherry|LDAPcherry]]  web
-  * [[https://www.fusiondirectory.org/en/|FusionDirectory]]+
  
 +
 +FusionDirectory tiene una version libre y una verdida. La última version liberada es la version 1.3 en abril del 2019 con version de desarrollo 1.4 y último commit en https://github.com/fusiondirectory/fusiondirectory/commits/1.4-dev con fecha 18 marzo del 2022. Este programa viene debian bullseye.
 +
 +LDAP Account Manager tiene la version 7.9.1 https://github.com/LDAPAccountManager lanzada el 15 de abril del 2022 con último commit el día 28 de abril del 2022. Este programa viene debian bullseye.
 +
 +Por defecto se utilizaba Phpldapadmin para administración, pero debido a que no tuvo actualizaciones durante varios años, se creo un fork https://github.com/leenooks/phpLDAPadmin pero la ultima version y commit es la 1.2.6.3 en diciembre del 2021. Este programa viene debian bookworm (testing).
 +
 +
 +Ldapcherry la última version liberada es la 1.1.1 en febrero del 2019 con último commit en mayo 20 del 2020.
 +
 +Por eso se sugiere usar fusiondirectory o LDAP Account Manager  por que es la que esta en constante desarrollo.
 +
 +===== LDAPcherry =====
 **Instalar ldapcherryd** **Instalar ldapcherryd**
  
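Review bot: the heading `====== Interfaces =====` has six `=` on the left and five on the right; DokuWiki takes the level from the opening run, so this renders as a top-level heading instead of the `=====` level used by the sibling "Archivos" and "Opciones" headings, so it should read `===== Interfaces =====`. In the FusionDirectory paragraph "verdida" should be "vendida", and the three "Este programa viene debian ..." sentences are missing "en" ("viene en debian bullseye"); the closing recommendation names two tools but says "la que esta en constante desarrollo", so either use the plural or name the one meant.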
Línea 178: Línea 257:
   * https://gitlab.com/smacz/docker-ldapcherry-fork/-/blob/andrewcz-homelab-179/Dockerfile   * https://gitlab.com/smacz/docker-ldapcherry-fork/-/blob/andrewcz-homelab-179/Dockerfile
   * https://ldapcherry.readthedocs.io/en/latest/   * https://ldapcherry.readthedocs.io/en/latest/
 +===== FusionDirectory =====
 +Requisitos:
 +  - apache2 y
 +  - php
 +
 +
 +Instalando paquetes
 +<code bash>
 +
 +apt install fusiondirectory fusiondirectory-plugin-audit fusiondirectory-plugin-audit-schema fusiondirectory-plugin-freeradius-schema fusiondirectory-plugin-freeradius  fusiondirectory-plugin-posix fusiondirectory-schema fusiondirectory-plugin-alias  fusiondirectory-plugin-alias-schema fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-plugin-quota fusiondirectory-plugin-quota-schema fusiondirectory-schema 
 +</code>
 +Agregando esquemas LDAP necesarios
 +<code bash>
 +
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd-conf.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/ldapns.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/template-fd.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd.schema 
 +fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd-conf.schema
 +
 +</code>
 +Creando la configuración de acceso LDAP
 +<code bash>
 +
 +nano /etc/fusiondirectory/fusiondirectory.conf
 +fusiondirectory-setup --check-config
 +</code>
 +Luego ir al http://localhost/fusiondirectory/ para configurarlo
 +
 ====== Multiple Bases de Datos ====== ====== Multiple Bases de Datos ======
 <code bash> <code bash>
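Review bot: `fusiondirectory-schema` appears twice in the `apt install` line and should be listed once, and the schema inserts load `mail-fd.schema` and the other plugin schemas before `core-fd.schema`; plugin schemas that reference object classes defined in the core schema cannot load until it is present, so the four core inserts (core-fd, core-fd-conf, ldapns, template-fd) belong at the top of the block (or check whether `fusiondirectory-insert-schema` with no arguments installs that core set first). The "Creando la configuración de acceso LDAP" step only opens the file in nano; one line stating which values are set in `/etc/fusiondirectory/fusiondirectory.conf` before `--check-config` is run would make the step reproducible.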
Línea 241: Línea 352:
  
 ===== Instalación no Interactiva ===== ===== Instalación no Interactiva =====
-====== Administracion Web ====== 
-Requisitos: 
-  - apache2 y 
-  - php 
  
- 
-Instalando paquetes 
-<code bash> 
- 
-apt install fusiondirectory fusiondirectory-plugin-audit fusiondirectory-plugin-audit-schema fusiondirectory-plugin-freeradius-schema fusiondirectory-plugin-freeradius  fusiondirectory-plugin-posix fusiondirectory-schema fusiondirectory-plugin-alias  fusiondirectory-plugin-alias-schema fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-plugin-quota fusiondirectory-plugin-quota-schema fusiondirectory-schema  
-</code> 
-Agregando esquemas LDAP necesarios 
-<code bash> 
- 
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema 
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd-conf.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/ldapns.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/template-fd.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd.schema  
-fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd-conf.schema 
- 
-</code> 
-Creando la configuración de acceso LDAP 
-<code bash> 
- 
-nano /etc/fusiondirectory/fusiondirectory.conf 
-fusiondirectory-setup --check-config 
-</code> 
-Luego ir al http://localhost/fusiondirectory/ para configurarlo 
  
 ===== Referencias ===== ===== Referencias =====
- +Generales 
-  * http://tutoriels.meddeb.net/openldap-tutorial-log+  * https://computingforgeeks.com/how-to-install-and-configure-openldap-ubuntu-18-04
-  * https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls +  * https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities 
-  * https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/+  * https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system 
 +  * https://unix.stackexchange.com/questions/362547/automating-slapd-install 
 +  * https://apassionatechie.wordpress.com/2017/12/12/automating-slapd-install/ 
 +Autenticacion PC PAM
   * https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-client-workstation/   * https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-client-workstation/
   * https://wiki.debian.org/LDAP/NSS   * https://wiki.debian.org/LDAP/NSS
 +  * https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
 +  * https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/
 +Logs
 +  * http://tutoriels.meddeb.net/openldap-tutorial-log/
   * https://www.zytrax.com/books/ldap/ch6/#loglevel   * https://www.zytrax.com/books/ldap/ch6/#loglevel
   * http://tutoriels.meddeb.net/openldap-tutorial-log/   * http://tutoriels.meddeb.net/openldap-tutorial-log/
-  * https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities+Seguridad 
 +  * https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
   * https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/   * https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/
-  * https://computingforgeeks.com/how-to-install-and-configure-openldap-ubuntu-18-04/ +Multiple DB
-  * https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system+
   * https://stackoverflow.com/questions/30898397/creating-second-database-domain-in-openldap   * https://stackoverflow.com/questions/30898397/creating-second-database-domain-in-openldap
   * https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server   * https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server
-  * https://apassionatechie.wordpress.com/2017/12/12/automating-slapd-install/ +FusionDirectory
-  * https://unix.stackexchange.com/questions/362547/automating-slapd-install+
   * https://serverfault.com/questions/818253/fusiondirectory-and-openldap-adding-an-attribute   * https://serverfault.com/questions/818253/fusiondirectory-and-openldap-adding-an-attribute
   * https://metashell.net/index.php/2015/12/10/configuring-openldap-with-fusion-directory/   * https://metashell.net/index.php/2015/12/10/configuring-openldap-with-fusion-directory/
 +Permisos:
 +  * https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c
 +  * https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap
 +  * https://openldap.org/doc/admin24/access-control.html
   * https://devopsideas.com/planning-of-ldap-dit-structure-and-config-of-overlays-access-ppolicy/   * https://devopsideas.com/planning-of-ldap-dit-structure-and-config-of-overlays-access-ppolicy/
 +Estructura 
 +  * https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server 
 +  * https://serverfault.com/questions/546131/in-ldap-is-it-best-to-nest-groups-under-organizational-units-or-create-an-organi 
 +  * https://docs.informatica.com/content/dam/source/GUID-A/GUID-ACA85C10-6FE8-4E4A-8258-FDE38165C3BC/8/en/GUID-A197F875-87DE-4FDD-A54B-EE6E131B61B7-low.png 
 +  * https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search#18756876
  
  
  
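Review bot: the regrouped reference list still carries duplicates and one odd item: `http://tutoriels.meddeb.net/openldap-tutorial-log/` is listed twice under "Logs", `https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server` appears under both "Multiple DB" and "Estructura", and the informatica.com entry under "Estructura" links directly to a PNG rather than a page. The category labels are also inconsistent ("Permisos:" has a colon, the others do not) and, as plain lines between bullets, they split the list into separate lists; a uniform form such as `**Generales**` on its own line would keep them readable. The removed "Administracion Web" block is the same content now under "FusionDirectory" in the Interfaces section earlier in this change, so that move is fine.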
proyectos/linuxservidor-db-ldap.1650754076.txt.gz · Last modified: by manuel.floresv