{{tag>LDAP Auth MDP}}
= LDAP Notes
See:
* curl
* [[https://www.ldapadministrator.com/resources/english/help/la2022/ch24.html|LDAP Glossary]]
* https://www.informatiweb-pro.net/admin-systeme/linux/ubuntu-configurer-un-serveur-ldap-et-une-interface-web-pour-le-gerer.html
* https://connect.ed-diamond.com/Linux-Pratique/lp-115/installation-et-configuration-d-un-annuaire-openldap
* https://openclassrooms.com/fr/courses/1733551-gerez-votre-serveur-linux-et-ses-services/5236036-installez-un-annuaire-ldap
* http://www.thegeekstuff.com/2015/02/openldap-add-users-groups/
* https://guide.ubuntu-fr.org/server/openldap-server.html
* https://ubuntu.com/server/docs/service-ldap
* https://tldp.org/HOWTO/LDAP-HOWTO/
* https://libresavoir.org/index.php?title=Installation_et_configuration_d%27un_serveur_LDAP_sous_Linux_%28premi%C3%A8re_partie%29
* https://likegeeks.com/linux-ldap-server/
* https://tunuifranken.info/procedures/procedure_openldap-server_20201227.pdf
* [[https://linuxfr.org/news/la-version-2-2-de-ldap-synchronization-connector-est-la|LDAP Synchronization Connector (LSC)]]
* https://opendev.org/openstack/manila-image-elements/src/branch/master/data/docker/slapd.sh
Scripts:
* https://github.com/stuvusIT/ansible_slapd_config
Web interface for users to change their own password:
* https://linuxfr.org/news/sortie-de-ldap-tool-box-self-service-password-1-5
== Admin interface
See phpLDAPadmin
Cockpit plugin (this one manages 389 Directory Server, not OpenLDAP):
apt-get install cockpit-389-ds
Web UI:
* https://linuxfr.org/news/ldap-tool-box-creation-du-projet-service-desk
== Creating an LDAP account
=== Finding the highest ''uidNumber''
With console access on the server (''slapcat'' reads the database directly, no bind needed; the highest value comes out last):
slapcat | grep '^uidNumber:' | awk '{print $2}' | sort -n
slapcat | grep '^gidNumber:' | awk '{print $2}' | sort -n
Otherwise, find the max uidNumber over LDAP (in my case it did not work): \\
(''-x'' is required for a simple bind with ''-D''/''-W''; ''sort -n'' matters, a plain ''sort'' compares as text and ranks 999 above 10001)
ldapsearch -x -H ldaps://your-ldap-domain -D "cn=Manager,dc=domain,dc=com" -W -b "dc=domain,dc=com" | awk '/^uidNumber: / {print $2}' | sort -n | tail -n 1
Source : https://www.dynobin.com/linux-find-max-uidnumber-on-ldap/
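The two pipelines above break on one detail of LDIF: ''slapcat'' and ''ldapsearch'' fold long lines (continuation lines start with a space), and ''awk '{print $2}''' then sees only the first fragment. The script below is an added example, not code from the original page: it parses the LDIF properly (folding and ''attr::'' base64 values included), computes the highest ''uidNumber''/''gidNumber'' and the next free one, and also reports ids used by more than one entry, which is the check worth running before creating an account. The LDIF sample is constructed; the entry names and the 1000 floor are assumptions.

```python
import base64
import sys
from collections import Counter

# Constructed sample of what `slapcat` / `ldapsearch -LLL` print. bob's
# uidNumber is folded over two lines (a grep|awk pipeline reads it as 1000),
# carol deliberately reuses alice's uidNumber so the duplicate check fires.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10000

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1000
 3
gidNumber: 10000

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 10001
gidNumber: 10000

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn:: ZGV2cw==
gidNumber: 10002
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into one {attribute_lowercase: [values]} dict per entry."""
    entries, cur = [], {}
    for line in unfold(text):
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def id_values(entries, attr, objectclass=None):
    """Integer values of `attr`, optionally only from entries of a given objectClass."""
    out = []
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if objectclass and objectclass.lower() not in classes:
            continue
        out.extend(int(v) for v in entry.get(attr.lower(), []))
    return out


def next_free(values, floor=1000):
    """Return (highest id at or above floor, next free id, ids used more than once)."""
    top = max((v for v in values if v >= floor), default=floor - 1)
    duplicates = sorted(v for v, n in Counter(values).items() if n > 1)
    return top, top + 1, duplicates


if __name__ == "__main__":
    # Usage: slapcat | python3 next_uid.py   (falls back to the sample without a pipe)
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    ents = parse_ldif(ldif)
    # gidNumber is counted on posixGroup entries only: every user carries a
    # primary gidNumber too, which would otherwise show up as a duplicate.
    for attr, oc in (("uidNumber", "posixAccount"), ("gidNumber", "posixGroup")):
        top, nxt, dups = next_free(id_values(ents, attr, oc))
        print(f"{attr}: max={top} next={nxt} duplicates={dups}")
```

Allocating ''next'' from this output is still racy if two admins create accounts at the same time; on a busy directory keep a counter entry and use an LDAP modify with a delete/add of the old value, which the server rejects when someone else incremented it first.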
== Checking / listing locked accounts
ldapsearch -x -b "dc=acme,dc=fr" '(&(objectclass=shadowaccount)(shadowexpire=0))' uid
This finds accounts disabled by the ''shadowExpire=0'' convention (expired on day 0, which pam_unix treats as an expired account). Accounts locked by the OpenLDAP ppolicy overlay carry ''pwdAccountLockedTime'' instead and are not matched by this filter. Add ''-D''/''-y'' if the server does not let anonymous binds read shadow attributes.
== Filters
curl accepts LDAP URLs of the form ''ldap://host/base?attributes?scope?filter'' and prompts for the bind password with ''-u'':
curl -u USERNAME 'ldap://192.168.0.66/CN=Users,DC=training,DC=local?sAMAccountName?sub?(ObjectClass=*)'
$ curl "ldap://localhost:1389/dc=example,dc=com?homephone?sub?cn=*amar" \
-u "cn=directory manager"
Enter host password for user 'cn=directory manager':
DN: uid=mathieu,ou=People,dc=example,dc=com
homephone: +1 225 216 5900
The following examples target Active Directory: ''sAMAccountName'', ''memberOf'' and binding with a bare login such as ''admin'' instead of a full DN work there, whereas OpenLDAP needs a bind DN and its memberof overlay for ''memberOf''. ''-w'' puts the password in the process list and the shell history; prefer ''-W'' (prompt) or ''-y'' (file), as in the later examples.
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" |egrep -5 -i --color openstack
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' uid
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' sAMAccountName
Show the members of a group:
ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "CN=groupe1,OU=Ressources Exchange,DC=acme,DC=fr" member
Other (''-h'' is deprecated in favour of ''-H''; ldapsearch takes exactly one filter argument, everything after it is read as an attribute list, so the two filters of the original command are merged and the ''(OU=...)'' term, which is not a valid filter, is dropped since the base DN already scopes the search):
ldapsearch -x -H ldap://ldap.acme.fr -D "admin@acme.local" -W -b "ou=04 - Direction technique,ou=Paris,dc=acme,dc=local" \
-s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))" mail
Client defaults in ''/etc/ldap/ldap.conf'' (or ''~/.ldaprc''), so that ''-H'' and ''-b'' can be omitted:
BASE dc=acme,dc=fr
URI ldap://192.168.20.153
SIZELIMIT 2000
Password file for ''-y'' (ldapsearch uses the complete file contents as the password, so no trailing newline, hence ''echo -n''; note that the ''echo'' line still ends up in the shell history, ''read -rs'' would not):
echo -n P@ssw0rd > ~/.ldap_pass
chmod 600 ~/.ldap_pass
ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' cn
Look up a user's login:
#echo |ldapsearch -E pr=1000 -D "admin" -y ~/.ldap_pass sAMAccountName |egrep -i marley
echo |ldapsearch -LLL -o ldif-wrap=no -D "admin" -y ~/.ldap_pass sAMAccountName=marley sAMAccountName
# MARLEY Robert, Utilisateurs, SERVICE_INFRA
dn: CN=MARLEY Robert,OU=Utilisateurs,OU=SERVICE_INFRA
sAMAccountName: MARLEY
Disable LDIF line wrapping (ldapsearch folds lines at 76 characters by default, which breaks ''grep''):
-o ldif-wrap=no
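Every filter above embeds a value (a login, a group CN) by hand. As soon as that value comes from somewhere else (a ticket, a web form, a CSV), it must be escaped, otherwise ''marley'' can become ''*)(objectClass=*'' and the query matches the whole directory. The block below is an added example, not code from the original page: it implements the RFC 4515 filter escaping and RFC 4514 DN escaping, builds the ''sAMAccountName'' and ''memberOf'' filters used on this page from untrusted input, and assembles an ''ldapsearch'' argv that reads the password from the ''-y'' file rather than ''-w''. The defaults (URI, bind name, base DN, password file) are the page's own values reused as assumptions.

```python
import os


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3).
    Only *, (, ), backslash and NUL need escaping; non-ASCII is escaped byte by byte."""
    out = []
    for byte in value.encode("utf-8"):
        if byte >= 0x80 or chr(byte) in "*()\\\x00":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def escape_dn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login):
    """Filter for one AD account by login, as in the examples above."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(login)


def group_dn(cn, parent="OU=Groupes,DC=acme,DC=fr"):
    """DN of a group under the (assumed) groups OU."""
    return "CN=%s,%s" % (escape_dn_value(cn), parent)


def members_of_group_filter(cn, parent="OU=Groupes,DC=acme,DC=fr"):
    """(memberOf=<group DN>): the CN gets DN escaping, then the whole DN gets filter escaping."""
    return "(memberOf=%s)" % escape_filter_value(group_dn(cn, parent))


def ldapsearch_argv(filt, attrs, uri="ldap://192.168.20.153", bind="admin",
                    passfile="~/.ldap_pass", base="dc=acme,dc=fr"):
    """argv for subprocess.run(): password read from a file (-y), never passed with -w."""
    return ["ldapsearch", "-x", "-LLL", "-o", "ldif-wrap=no", "-H", uri,
            "-D", bind, "-y", os.path.expanduser(passfile), "-b", base, filt, *attrs]


if __name__ == "__main__":
    hostile = "*)(objectClass=*"           # constructed injection attempt
    print("unescaped:", "(sAMAccountName=%s)" % hostile)
    print("escaped:  ", user_filter(hostile))
    print(" ".join(ldapsearch_argv(user_filter("marley"), ["sAMAccountName", "mail"])))
```

Pass the argv list to ''subprocess.run'' without ''shell=True''; the escaping protects the LDAP filter, not a shell, and a value containing quotes or ''$'' would otherwise be a second injection point.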
== ldapsearch with Kerberos (GSSAPI) authentication
Reuse the ticket cache that sssd keeps for its own bind to the domain (the files under ''/var/lib/sss/db'' are readable by root only; a regular user can ''kinit'' and use their own cache instead). ''-N'' stops ldapsearch from reverse-resolving the server name before building the SASL service principal, which matters when the PTR record is missing or wrong.
export KRB5CCNAME=/var/lib/sss/db/ccache_ACME.LOCAL
ldapsearch -H ldap://srv_ldap.acme.local -Y GSSAPI -N -b "DC=ACME,DC=SVC" "(sAMAccountName=user_01)" mail description 2>/dev/null | grep "dn:\|description:\|mail:"
== Netgroups
''nisNetgroupTriple'' holds the ''(host,user,domain)'' triples, i.e. the users or the hosts \\
''memberNisNetgroup'' references other netgroups, whose members are merged into this one
See http://articles.mongueurs.net/magazines/linuxmag67.html
In ''/etc/nsswitch.conf'':
netgroup: ldap
getent netgroup sysadmin
getent netgroup $(hostname -s)
With FreeIPA:
ipa netgroup-add --desc="Netgroup description" --nisdomain="example.com" example-netgroup
ipa netgroup-add-member --users=user_name --groups=group_name --hosts=host_name \
--hostgroups=host_group_name --netgroups=netgroup_name example-netgroup
ipa netgroup-add-member --users={user1,user2,user3} \
--groups={group1,group2} example-group
''nisNetgroupTriple'': describes a user ''(,bobby,example.com)'' or a machine ''(shellserver1,,example.com)''. This attribute can have multiple values.
''memberNisNetgroup'': a very powerful attribute. It merges the attribute values of another netgroup into the current one by simply listing the name (''cn'') of the merged netgroup. This attribute can have multiple values as well.
Example ''/etc/security/access.netgroup.conf'' (pam_access syntax ''permission : users : origins'', first matching line wins; ''@name'' is a netgroup, and a token of the form ''@QAUsers@@QASystems'' is split by pam_access into a user netgroup and a host netgroup that must contain the local machine; an origin such as ''10.'' matches every address starting with that prefix, ''LOCAL'' matches origins without a dot such as ttys):
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
Enable it in the PAM stack (e.g. ''/etc/pam.d/sshd'' or ''common-account''):
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
https://support.hpe.com/hpesc/public/docDisplay?docId=c02058091&docLocale=en_US
== Allowing access only on certain servers
+:root:ALL
+:admin:ALL
+:@srv1:ALL
-:ALL:ALL
In our example ''srv1'' is the short hostname (''hostname -s'') of the server: each server gets a netgroup named after itself that lists the users allowed on it, and the server's own access file refers to that netgroup.
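Both access files on this page (the netgroup one with ''@QAUsers@@QASystems'' and the per-server one with ''@srv1'') are easy to get subtly wrong, and a mistake in ''account required pam_access.so'' locks people out of a server. The block below is an added example, not code from the original page or from pam_access: it re-implements the subset of ''access.conf'' semantics those two files use (first matching line wins, ''+'' permits and ''-'' denies, ''ALL'', ''LOCAL'', ''@netgroup'', ''@users@@hosts'' and dotted prefixes like ''10.'') together with ''innetgr''-style netgroup resolution including ''memberNisNetgroup'' nesting, so a rule file can be dry-run against sample users and hosts before it is deployed. The netgroup table is constructed for the example rather than read with ''getent netgroup''; group and user names are assumptions.

```python
# Constructed netgroup table, as `getent netgroup <name>` would return it:
# name -> (nisNetgroupTriple values as (host, user, domain), memberNisNetgroup names)
NETGROUPS = {
    "QAUsers":   ([("", "tina", ""), ("", "bob", "")], []),
    "QASystems": ([("qa1", "", ""), ("qa2", "", "")], []),
    "sysadmin":  ([("", "carol", "")], []),
    "Admins":    ([("", "alice", "")], ["sysadmin"]),   # carol inherited via nesting
    "srv1":      ([("", "dave", "")], []),              # users allowed on host srv1
}

# The netgroup rule file shown above.
NETGROUP_RULES = """\
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
"""


def per_host_rules(short_hostname):
    """The 'access only on certain servers' file, generated for one host."""
    return "+:root:ALL\n+:admin:ALL\n+:@%s:ALL\n-:ALL:ALL\n" % short_hostname


def triples(name, groups, seen=None):
    """Flatten a netgroup, following memberNisNetgroup references (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return []
    seen.add(name)
    direct, nested = groups[name]
    out = list(direct)
    for sub in nested:
        out.extend(triples(sub, groups, seen))
    return out


def in_netgroup(groups, name, host=None, user=None):
    """innetgr()-style test: an empty triple field is a wildcard, '-' never matches."""
    def ok(field, value):
        return value is None or field == "" or (field != "-" and field == value)
    return any(ok(h, host) and ok(u, user) for h, u, _domain in triples(name, groups))


def parse_rules(text):
    """permission : users : origins, '#' comments; IPv6 origins are out of scope here."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(tok, user, host, groups):
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        # "@users@@hosts": a user netgroup plus a host netgroup that must
        # contain the local machine's own hostname.
        ugrp, _, hgrp = tok[1:].partition("@@")
        if not in_netgroup(groups, ugrp, user=user):
            return False
        return not hgrp or in_netgroup(groups, hgrp, host=host)
    return tok == user  # "(group)" tokens for /etc/group are not modelled


def origin_matches(tok, origin, groups):
    if tok == "ALL":
        return True
    if tok == "LOCAL":                    # ttys and unqualified names
        return "." not in origin
    if tok.startswith("@"):
        return in_netgroup(groups, tok[1:], host=origin)
    if tok.endswith("."):                 # network prefix such as "10."
        return origin.startswith(tok)
    return tok.lower() == origin.lower()


def access_allowed(rules, user, host, origin, groups=NETGROUPS):
    """First rule whose users AND origins fields both match decides; no match allows."""
    for perm, users, origins in rules:
        if any(user_matches(t, user, host, groups) for t in users) and \
                any(origin_matches(t, origin, groups) for t in origins):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_rules(NETGROUP_RULES)
    for who in (("tina", "qa1", "10.1.2.3"), ("tina", "web1", "10.1.2.3"),
                ("root", "qa1", "tty1"), ("carol", "web1", "10.9.9.9")):
        print(who, "->", "permit" if access_allowed(rules, *who) else "deny")
```

Two things the dry run makes visible: the final ''- : ALL : ALL'' is what turns the file into a whitelist (without it an unmatched login is permitted), and in the per-server file the restriction comes entirely from each host referring to its own ''@hostname'' netgroup, so ''dave'' is accepted on ''srv1'' and refused on ''srv2'' even though the rule text looks identical.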
== Problems
OpenLDAP sizelimit: the client cannot receive more than 500 entries (500 is slapd's default server-side size limit; Active Directory caps a single response at 1000 entries through ''MaxPageSize'').
Solution: request paged results with ''-E pr=1000'' (on Active Directory the 1000-entry cap is per page, so paging returns the whole set)
Or raise the client-side limit in ''ldap.conf'':
SIZELIMIT 2000
''SIZELIMIT'' only changes what the client asks for: if the server's own limit is lower, the server still truncates the result and answers "Size limit exceeded (4)", so paging is the reliable fix.