
Server Installation

Commands

Set the server's hostname and FQDN first, so that installing LDAP creates the initial database with the desired domain.

echo "192.168.18.50 ldap.example.com" | sudo tee -a /etc/hosts
hostnamectl set-hostname ldap.example.com

Install OpenLDAP and check its initial configuration.

apt -y install slapd ldap-utils
slapcat        # dump the initial directory to confirm the base DN (dc=example,dc=com)
slappasswd     # generate the {SSHA} hash used in userPassword below
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldaporgs.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapusers.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapgroups.ldif

Files

vim ldaporgs.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
 
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
 
vim ldapusers.ldif
dn: uid=computingforgeeks,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: computingforgeeks
sn: Wiz
userPassword: {SSHA}Zn4/E5f+Ork7WZF/alrpMuHHGufC3x0k
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/computingforgeeks
 
cat ldapgroups.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: computingforgeeks
gidNumber: 2000
memberUid: computingforgeeks
 
cat ldapgroups_addmember.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
changetype: modify
# "add: memberUid" appends members; "replace" overwrites the whole member list
replace: memberUid
memberUid: carlos
memberUid: pedro
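The LDIF files above are written by hand; as an added example (not part of the original page), the helper below builds the same user and group entries, hashes the password the way slappasswd's default {SSHA} scheme does, and refuses a comma-joined memberUid, since that attribute is multi-valued and "carlos,pedro" on one line would be stored as a single bogus member. The function names and the sample password are assumptions of this example.

```python
import base64
import hashlib
import os

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Hash like slappasswd's default scheme: {SSHA} + base64(sha1(pw + salt) + salt)."""
    if not salt:
        salt = os.urandom(4)          # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, password: str) -> bool:
    """Check a plaintext password against a {SSHA} value such as userPassword above."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def user_ldif(uid, sn, password_hash, uid_number, gid_number, base="dc=example,dc=com"):
    """posixAccount entry in the same shape as ldapusers.ldif (hypothetical helper)."""
    return "\n".join([
        f"dn: uid={uid},ou=people,{base}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {uid}",
        f"sn: {sn}",
        f"userPassword: {password_hash}",
        "loginShell: /bin/bash",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
    ]) + "\n"

def group_ldif(cn, gid_number, members, base="dc=example,dc=com"):
    """posixGroup entry; memberUid is multi-valued, so each member gets its own line."""
    lines = [f"dn: cn={cn},ou=groups,{base}", "objectClass: posixGroup",
             f"cn: {cn}", f"gidNumber: {gid_number}"]
    for member in members:
        # "memberUid: carlos,pedro" would store one value, not two members
        if not member or "," in member or member != member.strip():
            raise ValueError(f"invalid memberUid {member!r}")
        lines.append(f"memberUid: {member}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    pw_hash = ssha_hash("constructed-example-password")   # constructed sample, not a real credential
    print(user_ldif("computingforgeeks", "Wiz", pw_hash, 2000, 2000),
          group_ldif("computingforgeeks", 2000, ["computingforgeeks", "carlos", "pedro"]))
```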

Test the connection from another computer

apt install ldap-utils
ldapsearch -H ldap://192.168.150.1 -b "dc=prueba,dc=local" -D cn=admin,dc=prueba,dc=local -W

Options

References

LDAP Client Authentication (PAM)

Commands

apt install libnss-ldapd libpam-ldap ldap-utils
auth-client-config -t nss -p lac_ldap    # point NSS (passwd/group/shadow) at LDAP
pam-auth-update                          # enable the LDAP PAM profile
systemctl restart nscd
systemctl enable nscd
systemctl restart nslcd
getent passwd USER                       # USER is an LDAP account; output means NSS resolves it

Files

/etc/pam.d/common-session
/etc/pam_ldap.conf
 
/etc/nsswitch.conf
/etc/nslcd.conf

Options

# /etc/pam.d/common-session: create the home directory at first login
session required pam_mkhomedir.so skel=/etc/skel umask=077

References

LDAP Access Control

To see the access rules of the database, look at its entry in the cn=config database with:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}mdb)" -LLL

And we should see something like:

...
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}2PEPV+8Pltp8wS1U8nmyAlKKILCOJpuQ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

To add some more rules we must:

cat access.ldiff
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.children="dc=example,dc=com"
  by self write
  by dn.children="dc=example,dc=com" search
  by * none break
-
add: olcAccess
olcAccess: {4}to dn.children="dc=example,dc=com"
  by self write
  by anonymous auth
  by * none break

Where:

  1. {3}to : the rule number (the initial installation has three rules: 0, 1 and 2)
  2. by self : who is granted the access
  3. none/search/read/write/manage : the access level granted

Note that slapd evaluates the olcAccess rules in order and uses the first "to" clause that matches the target entry, so while the default catch-all {2}to * by * read is still in place, rules {3} and {4} are never consulted: delete rule {2} (see below) or number the new rules ahead of it.

Apply the changes with

ldapmodify -Y external -H ldapi:/// -f access.ldiff

To delete a rule, add the LDIF:

cat access-delete.ldiff
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}

Apply the changes with

ldapmodify -Y external -H ldapi:/// -f access-delete.ldiff

LDAP: Enable Logging

Commands

cat slapdlog.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL   # current level
ldapmodify -Y EXTERNAL -H ldapi:/// -f slapdlog.ldif

Files

Options

Interfaces

Install ldapcherryd

# Option A: install using the distribution's Python packages
# clone the repository
$ git clone https://github.com/kakwa/ldapcherry && cd ldapcherry

# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/

# install ldapcherry
$ apt install python-cherrypy3 python-ldap python-mako python-pretty-yaml python3-cherrypy3 python3-ldap python3-mako python3-pretty-yaml python-setuptools python3-distutils
$ python setup.py install

# Option B: install inside a Python virtualenv
$ mkdir cherry && cd cherry
# clone the repository
$ git clone https://github.com/kakwa/ldapcherry

$ apt install -y python-dev python-pip libldap2-dev libsasl2-dev libssl-dev python3-dev python3-pip build-essential python3-venv
$ python3 -m venv venv/
$ source venv/bin/activate
$ pip3 install wheel
$ pip3 install -r ldapcherry/requirements.txt

# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/

$ cd ldapcherry
$ python setup.py install

# edit configuration files
$ vi /etc/ldapcherry/ldapcherry.ini
$ vi /etc/ldapcherry/roles.yml
$ vi /etc/ldapcherry/attributes.yml

# launch ldapcherry
$ ../venv/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D

Multiple Databases

mkdir /var/lib/ldap-dominio2
chown openldap:openldap /var/lib/ldap-dominio2
slappasswd -h {SSHA}      # hash for olcRootPW below

cat newdatabase.ldiff
# New database dominio2.com
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap-dominio2
olcSuffix: dc=dominio2,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=dominio2,dc=com
olcRootPW: {SSHA}KgqLc7eVZfkXJo3hysJJhgoifCWo3Kc2
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

ldapmodify -Y EXTERNAL -H ldapi:/// -f newdatabase.ldiff
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'

cat dominio2.ldiff
# The top-level domain entry
dn: dc=dominio2,dc=com
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: dominio2 personal
dc: dominio2
description: Dominio de dominio2

# The administrator user
dn: cn=admin,dc=dominio2,dc=com
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
# a base64-encoded value needs a double colon; this decodes to the same {SSHA} hash as olcRootPW
userPassword:: e1NTSEF9S2dxTGM3ZVZaZmtYSm8zaHlzSkpoZ29pZkNXbzNLYzI=
description: Directory Manager

ldapadd -x -D "cn=admin,dc=dominio2,dc=com" -w superclave -f dominio2.ldiff

Non-Interactive Installation

Web Administration

Requirements:

  1. apache2
  2. php

Installing packages

apt install fusiondirectory fusiondirectory-plugin-audit fusiondirectory-plugin-audit-schema fusiondirectory-plugin-freeradius-schema fusiondirectory-plugin-freeradius fusiondirectory-plugin-posix fusiondirectory-schema fusiondirectory-plugin-alias fusiondirectory-plugin-alias-schema fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-plugin-quota fusiondirectory-plugin-quota-schema

Adding the required LDAP schemas

fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/ldapns.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/template-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd-conf.schema

Creating the LDAP access configuration

nano /etc/fusiondirectory/fusiondirectory.conf
fusiondirectory-setup --check-config

Then go to http://localhost/fusiondirectory/ to configure it.

References

General

PC Authentication

Logs

Security

Multiple DB

FusionDirectory

Permissions:
