LDAP Notes

Admin interface

See PhpLDAPadmin

apt-get install cockpit-389-ds

Web UI

Creating an LDAP account

Find the highest ''uidNumber''

If you have console access to the server:

slapcat |grep uidNumber |awk '{print $2}' |sort -n
slapcat |grep gidNumber |awk '{print $2}' |sort -n

Otherwise: Find max uidNumber on LDAP
In my case this did not work.

ldapsearch -H ldaps://your-ldap-domain -D "cn=Manager,dc=domain,dc=com" -W | awk '/uidNumber: / {print $2}' | sort | tail -n 1

Source: https://www.dynobin.com/linux-find-max-uidnumber-on-ldap/
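The one-liner above sorts lexically, so a five-digit uidNumber can rank below a three-digit one. As an added example (not part of the original page), here is a small shell function that reads LDIF from slapcat or ldapsearch and picks the highest value numerically; the LDIF it runs on is constructed for the demonstration, and the function and variable names are illustrative:

```shell
# Added example, not from the original page: pick the highest uidNumber
# numerically from LDIF text as emitted by slapcat or ldapsearch.
# The LDIF below is constructed for the demonstration (no real directory).
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 1003
gidNumber: 100

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 999
gidNumber: 100

dn: uid=svc-backup,ou=People,dc=example,dc=com
uidNumber: 10001
gidNumber: 2000'

# max_attr ATTR: read LDIF on stdin, print the largest numeric value of ATTR.
# Numeric comparison matters: a plain "sort | tail -n 1" is lexical and would
# rank 999 above 10001.
max_attr() {
    awk -v attr="$1:" '
        BEGIN { max = 0 }
        $1 == attr && ($2 + 0) > max { max = $2 + 0 }
        END { print max }'
}

# next_free ATTR: the value a new account would get (max + 1), computed on the sample.
next_free() {
    printf '%s\n' "$SAMPLE_LDIF" | max_attr "$1" | awk '{ print $1 + 1 }'
}

# Against a live directory, feed the function real LDIF instead of the sample:
#   slapcat | max_attr uidNumber
#   ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" '(uidNumber=*)' uidNumber | max_attr uidNumber
```

The same function works for gidNumber by passing that attribute name; when the directory holds more entries than the server's sizelimit, combine the ldapsearch form with the -E pr=1000 paging option described at the end of this page.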

Check / list locked accounts

ldapsearch -x -b "dc=acme,dc=fr" '(&(objectclass=shadowaccount)(shadowexpire=0))' uid

Filters

curl -u USERNAME 'ldap://192.168.0.66/CN=Users,DC=training,DC=local?sAMAccountName?sub?(ObjectClass=*)'

$ curl "ldap://localhost:1389/dc=example,dc=com?homephone?sub?cn=*amar" \
     -u "cn=directory manager"
Enter host password for user 'cn=directory manager':
DN: uid=mathieu,ou=People,dc=example,dc=com
    homephone: +1 225 216 5900

ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" |egrep -5 -i --color openstack
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' uid
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' sAMAccountName

List the members of a group (CN)

ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "CN=groupe1,OU=Ressources Exchange,DC=acme,DC=fr" member

Other

ldapsearch -h ldap.acme.fr -D "admin@acme.local" -W -b "ou=04 - Direction technique,ou=Paris,dc=acme,dc=local" \
     -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))" mail

/etc/ldap/ldap.conf
BASE    dc=acme,dc=fr
URI     ldap://192.168.20.153
SIZELIMIT       2000

With BASE and URI set in ldap.conf, -b and -H can be left out. The bind password can be read from a file with -y instead of being passed with -w, which leaves it visible in the process list and in the shell history:

echo -n P@ssw0rd > ~/.ldap_pass
chmod 600 !$
ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' cn

Find a user's login

#echo |ldapsearch -E pr=1000 -D "admin" -y ~/.ldap_pass sAMAccountName |egrep -i marley
echo |ldapsearch -LLL -o ldif-wrap=no -D "admin" -y ~/.ldap_pass sAMAccountName=marley sAMAccountName
 
# MARLEY Robert, Utilisateurs, SERVICE_INFRA
dn: CN=MARLEY Robert,OU=Utilisateurs,OU=SERVICE_INFRA
sAMAccountName: MARLEY
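The filters in the "Filters" section and the login lookup above embed a value straight into the filter string. When that value comes from a user (a ticket, a web form, a script argument), the characters `*`, `(`, `)` and `\` must be escaped per RFC 4515 or the filter changes meaning. As an added example that is not part of the original page, here is a shell helper that does the escaping and builds the page's two filters from it; the function names are illustrative and the test values are constructed:

```shell
# Added example, not from the original page: build an ldapsearch filter from a
# caller-supplied value with RFC 4515 escaping, so that a value such as
# "*)(objectClass=*" cannot widen the search. All names here are illustrative.

# ldap_filter_escape VALUE: escape the characters that have meaning inside a
# filter assertion value. Backslash goes first so later escapes are not re-escaped.
# (NUL would also need escaping, but a shell argument cannot carry one.)
ldap_filter_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# login_filter LOGIN: the filter the page uses to look up an account by login.
login_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# group_member_filter GROUP_DN: the memberOf filter from the page, for a group DN
# that may itself contain parentheses (e.g. "CN=Ops (Paris),...").
group_member_filter() {
    printf '(memberOf=%s)' "$(ldap_filter_escape "$1")"
}

# Usage against a real server (not run here): the filter stays one argument,
# so a login containing spaces or special characters is still one filter.
#   ldapsearch -LLL -o ldif-wrap=no -D "admin" -y ~/.ldap_pass "$(login_filter "$login")" sAMAccountName
```

Escaping is per assertion value only: the attribute name and the surrounding parentheses are fixed by the script, never taken from the caller.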

No wrap

-o ldif-wrap=no

ldapsearch with Kerberos GSSAPI authentication

export KRB5CCNAME=/var/lib/sss/db/ccache_ACME.LOCAL
ldapsearch -H ldap://srv_ldap.acme.local -Y GSSAPI -N -b "DC=ACME,DC=SVC" "(sAMAccountName=user_01)" mail description 2>/dev/null | grep "dn:\|description:\|mail:"

Netgroup

nisNetgroupTriple corresponds to users
memberNisNetgroup corresponds to other (nested) netgroups

Netgroup

See http://articles.mongueurs.net/magazines/linuxmag67.html

/etc/nsswitch.conf
netgroup: ldap

getent netgroup sysadmin
getent netgroup $(hostname -s)

ipa netgroup-add --desc="Netgroup description" --nisdomain="example.com" example-netgroup

ipa netgroup-add-member --users=user_name --groups=group_name --hosts=host_name \
     --hostgroups=host_group_name --netgroups=netgroup_name group_name

ipa netgroup-add-member --users={user1,user2,user3} \
     --groups={group1,group2} example-group
nisNetgroupTriple: This can be used to describe a user (,bobby,example.com) or a machine name (shellserver1,,example.com). This attribute can have multiple values.
memberNisNetgroup: This is a very powerful attribute. It is used to merge the attribute values of another netgroup into the current one by simply listing the name (cn) of the merging netgroup. This attribute can have multiple values as well.
/etc/security/access.netgroup.conf
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL

account required pam_access.so accessfile=/etc/security/access.netgroup.conf

https://support.hpe.com/hpesc/public/docDisplay?docId=c02058091&docLocale=en_US

Allow access only on certain servers

/etc/security/access.conf
+:root:ALL
+:admin:ALL
+:@srv1:ALL
-:ALL:ALL

In our example, “srv1” is the short hostname (hostname -s) of our server.
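Because pam_access applies the first matching line and permits access when nothing matches, a rule set like the two above is easy to get wrong silently. As an added example (not part of the original page), here is a shell evaluator that replays the netgroup and access.conf semantics offline so a rule set can be checked before it is deployed; the netgroup data and rules are constructed, the function names are illustrative, and it models only the rule features used on this page (ALL, LOCAL, @netgroup, a trailing-dot network prefix), not comma-separated origin lists or the @@host form:

```shell
# Added example, not from the original page: evaluate pam_access rules and
# netgroup membership offline. Netgroup data and rules below are constructed.

# Membership in the form `getent netgroup NAME` prints: NAME (host,user,domain)...
NETGROUPS='Admins (,alice,) (,bob,)
srv1 (,carol,)'

# Rule set in access.conf syntax: permission:users:origins, first match wins.
ACCESS_CONF='+:root:ALL
+:@srv1:ALL
+:@Admins:10.
-:ALL:ALL'

# in_netgroup USER NETGROUP -> status 0 when USER is the user part of a triple.
in_netgroup() {
    printf '%s\n' "$NETGROUPS" | awk -v u="$1" -v ng="$2" '
        $1 == ng { for (i = 2; i <= NF; i++) { split($i, t, ","); if (t[2] == u) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# user_matches USER FIELD: ALL, @netgroup, or a literal user name.
user_matches() {
    case $2 in
        ALL) return 0 ;;
        @*)  in_netgroup "$1" "${2#@}" ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# origin_matches ORIGIN FIELD: ALL, LOCAL (no dot, e.g. a tty), a trailing-dot
# network prefix such as "10.", or a literal host/address. One origin per rule
# is assumed here; real access.conf also accepts comma-separated lists.
origin_matches() {
    case $2 in
        ALL)   return 0 ;;
        LOCAL) case $1 in *.*) return 1 ;; *) return 0 ;; esac ;;
        *.)    case $1 in "$2"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# access_decision USER ORIGIN -> prints ALLOW or DENY. When no rule matches,
# pam_access permits access, which is why the rule sets on this page end with -:ALL:ALL.
access_decision() {
    decision=$(printf '%s\n' "$ACCESS_CONF" | while IFS=: read -r perm users origins; do
        case $perm in ''|'#'*) continue ;; esac
        user_matches "$1" "$users" || continue
        origin_matches "$2" "$origins" || continue
        case $perm in +) echo ALLOW ;; *) echo DENY ;; esac
        break
    done)
    echo "${decision:-ALLOW}"
}
```

To check a real host, replace the NETGROUPS string with the output of `getent netgroup NAME` for each netgroup named in the file and ACCESS_CONF with the contents of the access file, then run access_decision for the user and origin you are interested in.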

Problems

openldap sizelimit: can't receive more than 500 entries

Solution: -E pr=1000

Or

/etc/ldap/ldap.conf
SIZELIMIT       2000
tech/ldap.txt · Last modified: by Jean-Baptiste
