====== Server Installation ======
===== Commands =====
Set the server's hostname and FQDN so that installing LDAP creates the initial database with the desired domain.
echo "192.168.18.50 ldap.example.com" | sudo tee -a /etc/hosts
hostnamectl set-hostname ldap.example.com
Install OpenLDAP and check its initial configuration
apt -y install slapd ldap-utils
slapcat
slappasswd
Load the LDIF files below with one ldapadd per file, in this order (users and groups refer to the OUs created first):
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldaporgs.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapusers.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapgroups.ldif
===== Files =====
vim ldaporgs.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
vim ldapusers.ldif
dn: uid=computingforgeeks,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: computingforgeeks
sn: Wiz
userPassword: {SSHA}Zn4/E5f+Ork7WZF/alrpMuHHGufC3x0k
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/computingforgeeks
cat ldapgroups.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: computingforgeeks
gidNumber: 2000
memberUid: computingforgeeks
cat ldapgroups_addmember.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
changetype: modify
#add: memberUid
replace: memberUid
memberUid: carlos,pedro
Test the connection from another computer (the base DN and bind DN must match the suffix configured on that server):
apt install ldap-utils
ldapsearch -x -H ldap://192.168.150.1 -b "dc=prueba,dc=local" -D cn=admin,dc=prueba,dc=local -W
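As an added example (it is not part of the original page and not code from the OpenLDAP tools), the following Python script reproduces what ''slappasswd'' does for the ''{SSHA}'' scheme used in ''ldapusers.ldif'' above, verifies a password against such a value the way slapd does on a simple bind, and emits the people and group records with one ''memberUid'' line per member. The password and the member names in the ''__main__'' block are constructed placeholders.

```python
"""Offline helper for the {SSHA} password scheme and the LDIF records on this page."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Sequence, Tuple

BASE_DN = "dc=example,dc=com"  # suffix used throughout the page


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value as slappasswd does: base64(sha1(password || salt) || salt).

    slappasswd uses a 4-byte random salt by default; the userPassword on the page
    decodes to 20 SHA-1 bytes followed by 4 salt bytes. A fixed salt is accepted
    only so the output can be reproduced in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (what slapd does on bind)."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid: str, sn: str, uid_number: int, gid_number: int,
              password_hash: str, base_dn: str = BASE_DN) -> str:
    """LDIF record for a posixAccount under ou=people, shaped like ldapusers.ldif above."""
    lines = [
        f"dn: uid={uid},ou=people,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {uid}",
        f"sn: {sn}",
        f"userPassword: {password_hash}",
        "loginShell: /bin/bash",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
    ]
    return "\n".join(lines) + "\n"


def group_ldif(cn: str, gid_number: int, members: Sequence[str],
               base_dn: str = BASE_DN) -> str:
    """LDIF record for a posixGroup.

    memberUid is multi-valued, so every member gets its own `memberUid:` line. A single
    `memberUid: carlos,pedro` line would store the literal string "carlos,pedro" as one
    member, which matches no account.
    """
    lines = [
        f"dn: cn={cn},ou=groups,{base_dn}",
        "objectClass: posixGroup",
        f"cn: {cn}",
        f"gidNumber: {gid_number}",
    ] + [f"memberUid: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pw_hash = ssha_hash("change-me")  # constructed password, not the page's
    print(user_ldif("computingforgeeks", "Wiz", 2000, 2000, pw_hash))
    print(group_ldif("computingforgeeks", 2000, ["computingforgeeks", "carlos", "pedro"]))
```

''{SSHA}'' is salted SHA-1 with no work factor, so an offline guess against a leaked ''userPassword'' is cheap; slapd can store ''{CRYPT}'' values produced by a modern crypt(3) scheme instead (''olcPasswordHash''), which is worth setting before the first users are loaded.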
===== Options =====
====== LDAP Client Auth PAM ======
===== Commands =====
apt install libnss-ldapd libpam-ldap ldap-utils
auth-client-config -t nss -p lac_ldap
pam-auth-update
systemctl restart nscd
systemctl enable nscd
systemctl restart nslcd
getent passwd USUARIO
===== Files =====
/etc/pam.d/common-session
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/nslcd.conf
===== Options =====
skel=/etc/skel umask=077 (arguments for the pam_mkhomedir.so session line in /etc/pam.d/common-session, so a home directory is created at first login)
====== LDAP Access Controls ======
To see the access rules on the database, look up its entry in the configuration backend with:
ldapsearch -Y external -H ldapi:/// -b cn=config "(olcDatabase={1}mdb)" -LLL
And we should see something like:
...
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}2PEPV+8Pltp8wS1U8nmyAlKKILCOJpuQ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
===== Add =====
To add more rules, write the following ldif. Continuation lines are indented: LDIF strips the first space when unfolding, so two spaces leave the one space the rule needs. Note that rule ''{2}to * by * read'' matches every request, so ''{3}'' and ''{4}'' are only reached once ''{2}'' is removed (see the delete step below).
cat access.ldiff
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.children="dc=example,dc=com"
  by self write
  by dn.children="dc=example,dc=com" search
  by * none break
-
add: olcAccess
olcAccess: {4}to dn.children="dc=example,dc=com"
  by self write
  by anonymous auth
  by * none break
Where:
- ''{3}to'': the rule's index (the initial installation already has three rules: 0, 1 and 2); rules are evaluated in index order and the first ''to'' clause whose target matches decides
- ''by self'': who the rule grants access to
- ''none/search/read/write/manage'': the access level granted; each level includes the ones before it
Apply the changes with
ldapmodify -Y external -H ldapi:/// -f access.ldiff
===== Delete =====
To delete a rule, write the following ldif (rules are referenced by index; slapd renumbers the remaining ones after the delete):
cat access-delete.ldiff
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
Apply the changes with
ldapmodify -Y external -H ldapi:/// -f access-delete.ldiff
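To see why the order of ''olcAccess'' rules matters for both the add and the delete steps above, here is an added example (not from the page or from OpenLDAP) that simulates how slapd walks an ordered rule list: the first ''to'' clause whose target matches is chosen, within it the first matching ''by'' clause decides, and ''break'' carries the level on to the next ''to'' clause. It only models the forms used on this page (''*'', ''attrs='', ''dn.children='', ''self'', ''anonymous''); ''continue'', ''+''/''-'' privilege modifiers and the rootdn bypass are left out, and the DNs ''alice'' and ''bob'' are constructed.

```python
"""Simplified model of slapd olcAccess evaluation, restricted to the rule forms on this page."""
import re
from typing import List, Optional, Sequence, Tuple

# slapd privilege levels, weakest to strongest; each level implies the ones before it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The five rules the page ends up with after the "Add" step ({0}-{2} from the install, {3}-{4} added)
PAGE_RULES = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
    '{3}to dn.children="dc=example,dc=com" by self write'
    ' by dn.children="dc=example,dc=com" search by * none break',
    '{4}to dn.children="dc=example,dc=com" by self write by anonymous auth by * none break',
]

DN_CHILDREN = re.compile(r'dn\.children="([^"]+)"')


def is_child(dn: str, base: str) -> bool:
    """dn.children matches any entry strictly below base (DN comparison is case-insensitive)."""
    return dn.lower().endswith("," + base.lower())


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Split '{n}to <target> by <who> <level> [break] ...' into the target and its by-clauses."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())
    parts = re.split(r"\s+by\s+", rule)
    target = parts[0][len("to "):].strip()
    clauses = []
    for clause in parts[1:]:
        toks = clause.split()
        control = toks[2] if len(toks) > 2 else "stop"  # stop is the default control
        clauses.append((toks[0], toks[1], control))
    return target, clauses


def target_matches(target: str, entry_dn: str, attr: Optional[str]) -> bool:
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr is not None and attr.lower() in target[len("attrs="):].lower().split(",")
    m = DN_CHILDREN.match(target)
    if m:
        return is_child(entry_dn, m.group(1))
    raise ValueError("unsupported target: " + target)


def who_matches(who: str, bound_dn: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    m = DN_CHILDREN.match(who)
    if m:
        return bound_dn is not None and is_child(bound_dn, m.group(1))
    raise ValueError("unsupported subject: " + who)


def granted_level(rules: Sequence[str], bound_dn: Optional[str],
                  entry_dn: str, attr: Optional[str] = None) -> str:
    """Access level for bound_dn on entry_dn (optionally one attribute) under the given rules.

    bound_dn=None means an anonymous client. A matched `to` clause with no matching
    `by` clause behaves like an implicit `by * none`; if no `to` clause matches, none.
    """
    current = "none"
    for rule in rules:
        target, clauses = parse_rule(rule)
        if not target_matches(target, entry_dn, attr):
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in clauses
                    if who_matches(who, bound_dn, entry_dn)), None)
        if hit is None:
            return "none"
        level, control = hit
        if control != "break":
            return level
        current = level  # `break`: keep this level and go on with the next `to` clause
    return current


def allows(granted: str, needed: str) -> bool:
    """True when the granted level is at least the level an operation needs."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def without_rule(rules: Sequence[str], index: int) -> List[str]:
    """Drop the rule carrying {index}, as `delete: olcAccess` / `olcAccess: {n}` does."""
    return [r for r in rules if not r.strip().startswith("{%d}" % index)]


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed DNs
    bob = "uid=bob,ou=people,dc=example,dc=com"
    print("anonymous reads cn, all five rules:    ", granted_level(PAGE_RULES, None, alice, "cn"))
    trimmed = without_rule(PAGE_RULES, 2)
    print("anonymous reads cn, after deleting {2}:", granted_level(trimmed, None, alice, "cn"))
    print("bob reads alice's cn, after deleting {2}:", granted_level(trimmed, bob, alice, "cn"))
```

With all five rules an anonymous client still gets ''read'' on everything because ''{2}'' wins first; once ''{2}'' is deleted the same request falls through ''{3}'' to ''{4}'' and ends at ''auth'', which is enough to bind but not to read, while an authenticated user only gets ''search'' on other people's entries.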
====== LDAP Enable Logging ======
===== Commands =====
cat slapdlog.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL
ldapmodify -Y external -H ldapi:/// -f slapdlog.ldif
===== Files =====
===== Options =====
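At ''olcLogLevel: stats'' slapd logs one line per connection and operation through syslog (facility local4, so normally ''/var/log/syslog'' on Debian), including the bind DN and the result code but never the password. As an added example, not part of the page, the script below correlates ''BIND'' and ''RESULT'' lines on ''(conn, op)'' and counts ''err=49'' (invalidCredentials) per client IP and per DN, which is the basic signal for spotting password guessing against the directory. The log lines are constructed to mirror the ''stats'' format; the threshold is an assumption.

```python
"""Count failed simple binds in slapd `stats` logs, per source IP and per bind DN."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape rsyslog writes slapd's stats messages.
SAMPLE_LOG = """\
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.18.77:51234 (IP=0.0.0.0:389)
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 op=1 UNBIND
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 fd=12 closed
Jun  1 10:00:02 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.18.77:51235 (IP=0.0.0.0:389)
Jun  1 10:00:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun  1 10:00:02 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jun  1 10:00:03 ldap slapd[1234]: conn=1002 fd=12 ACCEPT from IP=192.168.18.77:51236 (IP=0.0.0.0:389)
Jun  1 10:00:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jun  1 10:00:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 fd=13 ACCEPT from IP=192.168.18.50:40001 (IP=0.0.0.0:389)
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=carlos,ou=people,dc=example,dc=com" method=128
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=carlos,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=carlos)"
Jun  1 10:00:04 ldap slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun  1 10:00:05 ldap slapd[1234]: conn=1004 fd=12 ACCEPT from IP=192.168.18.80:50000 (IP=0.0.0.0:389)
Jun  1 10:00:05 ldap slapd[1234]: conn=1004 op=0 BIND dn="uid=pedro,ou=people,dc=example,dc=com" method=128
Jun  1 10:00:05 ldap slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')  # simple bind request
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse


def parse_bind_results(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, bind_dn, err) for every simple bind, joined on (conn, op)."""
    conn_ip: Dict[str, str] = {}
    pending: Dict[Tuple[str, str], str] = {}
    results = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            results.append((conn_ip.get(m.group(1), "?"), dn, int(m.group(3))))
    return results


def failed_bind_report(lines: Iterable[str], threshold: int = 3) -> dict:
    """Tally err=49 binds per IP and per DN; flag IPs at or above the (assumed) threshold."""
    per_ip: Counter = Counter()
    per_dn: Counter = Counter()
    for ip, dn, err in parse_bind_results(lines):
        if err == 49:
            per_ip[ip] += 1
            per_dn[dn or "<anonymous>"] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "per_dn": dict(per_dn), "flagged": flagged}


if __name__ == "__main__":
    report = failed_bind_report(SAMPLE_LOG.splitlines())
    print(report)
```

In production the same counting should be done per time window rather than over a whole file, and repeated failures against ''cn=admin'' from one address are the case worth alerting on first, since that DN is the rootdn and is not subject to the ACLs.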
====== Interfaces ======
* [[https://www.fusiondirectory.org/en/|FusionDirectory]] web
* [[http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page|phpldapadmin]] web
* [[http://directory.apache.org/studio/|Apache Studio]] desktop
* [[https://www.ldap-account-manager.org/lamcms/|LDAP Account Manager]] web
* [[https://github.com/kakwa/ldapcherry|LDAPcherry]] web
FusionDirectory has a free version and a commercial one. The last released version is 1.3, from April 2019, with a 1.4 development version whose last commit at https://github.com/fusiondirectory/fusiondirectory/commits/1.4-dev is dated 18 March 2022. This program ships with Debian bullseye.
LDAP Account Manager is at version 7.9.1 (https://github.com/LDAPAccountManager), released on 15 April 2022, with its last commit on 28 April 2022. This program ships with Debian bullseye.
phpLDAPadmin used to be the default choice for administration, but since it went several years without updates a fork was created at https://github.com/leenooks/phpLDAPadmin; its latest version and commit is 1.2.6.3, from December 2021. This program ships with Debian bookworm (testing).
LDAPcherry's last released version is 1.1.1, from February 2019, with its last commit on 20 May 2020.
For that reason FusionDirectory or LDAP Account Manager is suggested, since those are the ones under constant development.
===== LDAPcherry =====
**Install ldapcherryd**
# clone the repository
$ git clone https://github.com/kakwa/ldapcherry && cd ldapcherry
# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/
# install ldapcherry
$ apt install python-cherrypy3 python-ldap python-mako python-pretty-yaml python3-cherrypy3 python3-ldap python3-mako python3-pretty-yaml python-setuptools python3-distutils
$ python setup.py install
# alternative: install inside a virtualenv
$ mkdir cherry && cd cherry
$ git clone https://github.com/kakwa/ldapcherry
$ apt install -y python-dev python-pip libldap2-dev libsasl2-dev libssl-dev python3-dev python3-pip build-essential python3-venv
$ python3 -m venv venv/
$ source venv/bin/activate
$ pip3 install wheel
$ pip3 install -r ldapcherry/requirements.txt
# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/
$ cd ldapcherry
$ python setup.py install
# edit configuration files
$ vi /etc/ldapcherry/ldapcherry.ini
$ vi /etc/ldapcherry/roles.yml
$ vi /etc/ldapcherry/attributes.yml
# launch ldapcherry
$ ../venv/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D
* https://gitlab.com/smacz/docker-ldapcherry-fork/-/blob/andrewcz-homelab-179/Dockerfile
* https://ldapcherry.readthedocs.io/en/latest/
===== FusionDirectory =====
Requirements:
- apache2 and
- php
Installing packages
apt install fusiondirectory fusiondirectory-plugin-audit fusiondirectory-plugin-audit-schema fusiondirectory-plugin-freeradius-schema fusiondirectory-plugin-freeradius fusiondirectory-plugin-posix fusiondirectory-schema fusiondirectory-plugin-alias fusiondirectory-plugin-alias-schema fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-plugin-quota fusiondirectory-plugin-quota-schema
Adding the required LDAP schemas
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/ldapns.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/template-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd-conf.schema
Creating the LDAP access configuration
nano /etc/fusiondirectory/fusiondirectory.conf
fusiondirectory-setup --check-config
Then go to http://localhost/fusiondirectory/ to configure it
====== Multiple Databases ======
mkdir /var/lib/ldap-dominio2
chown openldap:openldap /var/lib/ldap-dominio2
slappasswd -h {SSHA}
cat newdatabase.ldiff
# New database for dominio2.com; slapd assigns the {n} index when the entry is added
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap-dominio2
olcSuffix: dc=dominio2,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=dominio2,dc=com
olcRootPW: {SSHA}KgqLc7eVZfkXJo3hysJJhgoifCWo3Kc2
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
ldapmodify -Y external -H ldapi:/// -f newdatabase.ldiff
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'
cat dominio2.ldiff
# The top-level entry of the new suffix (ldapadd adds by default, so no changetype is needed)
dn: dc=dominio2,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: dominio2 personal
dc: dominio2
description: Dominio de dominio2

# The administrator entry; "::" marks a base64-encoded value (it decodes to the {SSHA} hash used as olcRootPW above)
dn: cn=admin,dc=dominio2,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: e1NTSEF9S2dxTGM3ZVZaZmtYSm8zaHlzSkpoZ29pZkNXbzNLYzI=
description: Directory Manager
ldapadd -x -D "cn=admin,dc=dominio2,dc=com" -W -f dominio2.ldiff   # -W prompts; -w <password> would leave it in the shell history and in ps output
===== Non-Interactive Installation =====
===== References =====
General
* https://computingforgeeks.com/how-to-install-and-configure-openldap-ubuntu-18-04/
* https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities
* https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
* https://unix.stackexchange.com/questions/362547/automating-slapd-install
* https://apassionatechie.wordpress.com/2017/12/12/automating-slapd-install/
PC PAM authentication
* https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-client-workstation/
* https://wiki.debian.org/LDAP/NSS
* https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
* https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/
Logs
* http://tutoriels.meddeb.net/openldap-tutorial-log/
* https://www.zytrax.com/books/ldap/ch6/#loglevel
Security
* https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
* https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/
Multiple DB
* https://stackoverflow.com/questions/30898397/creating-second-database-domain-in-openldap
* https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server
FusionDirectory
* https://serverfault.com/questions/818253/fusiondirectory-and-openldap-adding-an-attribute
* https://metashell.net/index.php/2015/12/10/configuring-openldap-with-fusion-directory/
Permissions
* https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c
* https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap
* https://openldap.org/doc/admin24/access-control.html
* https://devopsideas.com/planning-of-ldap-dit-structure-and-config-of-overlays-access-ppolicy/
Structure
* https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server
* https://serverfault.com/questions/546131/in-ldap-is-it-best-to-nest-groups-under-organizational-units-or-create-an-organi
* https://docs.informatica.com/content/dam/source/GUID-A/GUID-ACA85C10-6FE8-4E4A-8258-FDE38165C3BC/8/en/GUID-A197F875-87DE-4FDD-A54B-EE6E131B61B7-low.png
* https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search#18756876