Zentrale Benutzerverwaltung mit OpenLDAP und SSS: Unterschied zwischen den Versionen

 
(86 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
=installation=
+
= Installation =
 
;passwort nach wahl festlegen
 
;passwort nach wahl festlegen
*apt install slapd ldap-utils libldap2-dev
+
* apt update
 +
* DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
  
;slapd: OpenLDAP Standalone Server
+
= Grundkonfiguration =
;ldap-utils: Utilities zum Zugriff auf den LDAP Server
+
* dpkg-reconfigure slapd
  
=Grundkonfiguration=
+
{| class="wikitable"
[[Datei:Ldap-61.png]]
+
! Debconf Question !! Recommended Input
 +
|-
 +
| Omit OpenLDAP server configuration? || No
 +
|-
 +
| DNS domain name: || it213.int
 +
|-
 +
| Organization name: || it213
 +
|-
 +
| Administrator password: || 123Start$
 +
|-
 +
| Database backend to use: || MDB
 +
|-
 +
| Remove database when slapd is purged? || No
 +
|-
 +
| Move old database? || Yes
 +
|-
 +
| Allow LDAPv2 protocol? || No
 +
|}
  
[[Datei:Ldap-62.png]]
+
= ldap.conf setzen =
=Weitere Konfiguration=
+
* vim /etc/ldap/ldap.conf
*dpkg-reconfigure -p low slapd
+
<pre>
 
+
BASE    dc=it213,dc=int
[[Datei:Ldap-63.png]]
+
URI    ldap://ldap.it213.int
 +
ldap_version    3
 +
</pre>
  
[[Datei:Ldap-64.png]]
+
= Kontrolle =
 +
* ldapsearch -x -LLL
  
[[Datei:Ldap-65.png]]
+
= Grundstruktur =
 
+
== Erstellen ==
[[Datei:Ldap-61.png]]
+
* cat <<EOF > /root/struktur.ldif
 
 
[[Datei:Ldap-62.png]]
 
 
 
[[Datei:Ldap-67.png]]
 
 
 
[[Datei:Ldap-66.png]]
 
=Konfiguration des Clients=
 
==ldap.conf==
 
*cat /etc/ldap/ldap.conf
 
base            dc=it21, dc=int
 
uri            ldap://server.it21.int
 
ldap_version    3
 
rootbinddn      cn=admin, dc=it21, dc=int
 
pam_password    md5
 
==Passwort für den Adminzugang eintragen==
 
*echo 123Start$ > /etc/ldap.secret
 
=Kontrolle=
 
==Stimmt der base dn?=
 
*ldapsearch -x -LLL
 
dn: dc=it21,dc=int
 
objectClass: top
 
objectClass: dcObject
 
objectClass: organization
 
o: int21
 
dc: it21
 
=Grundstruktur=
 
==Erstellen==
 
*cat /root/struktur.ldif  
 
 
<pre>
 
<pre>
dn: ou=users,dc=it21,dc=int
+
dn: ou=users,dc=it213,dc=int
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
 
ou: users
 
ou: users
  
dn: ou=groups,dc=it21,dc=int
+
dn: ou=groups,dc=it213,dc=int
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
 
ou: groups
 
ou: groups
  
dn: ou=hosts,dc=it21,dc=int
+
dn: ou=hosts,dc=it213,dc=int
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
 
ou: hosts
 
ou: hosts
  
dn: cn=it,ou=groups,dc=it21,dc=int
+
dn: ou=sudo,dc=it213,dc=int
objectClass: posixGroup
+
objectClass: organizationalUnit
cn: it
+
ou: sudo
gidNumber: 3001
 
 
</pre>
 
</pre>
==Anlegen==
+
EOF
ldapadd -xD cn=admin,dc=it21,dc=int -w 123Start$ -f struktur.ldif
 
adding new entry "ou=users,dc=it21,dc=int"
 
 
 
adding new entry "ou=groups,dc=it21,dc=int"
 
 
 
adding new entry "ou=hosts,dc=it21,dc=int"
 
 
 
adding new entry "cn=it,ou=groups,dc=it21,dc=int"
 
  
 +
== Anlegen ==
 +
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif
  
 +
= Benutzer und Gruppen =
 +
* apt install -y ldapscripts
  
 
+
== Konfiguration ==
==Starten des slapd==
+
* vim /etc/ldapscripts/ldapscripts.conf
systemctl start slapd
 
 
 
==Stoppen des slapd==
 
systemctl stop slapd
 
 
 
==Neustarten des slapd==
 
systemctl restart slapd
 
 
 
==Auf welchem Port lauscht der slapd==  
 
netstat -lntp | grep slapd
 
tcp        0      0 0.0.0.0:389            0.0.0.0:*               LISTEN    499/slapd
 
==Welche PID hat der slapd==
 
pgrep slapd
 
499
 
500
 
501
 
 
 
=Abfragen=
 
==anonym==
 
  ldapsearch -x -LLL -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de
 
==gebunden interaktiv==
 
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -W -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de
 
==gebunden automatisch==
 
ldapsearch -x -LLL -D "cn=admin, dc=linuggs, dc=de" -w sysadm  -H  ldap://127.0.0.1 -b  dc=linuggs,dc=de
 
 
 
=Defaultclientkonfiguration von LDAP=
 
*[[ldap.conf]]
 
 
 
=gruppe hinzufügen=
 
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f group.ldif
 
adding new entry "cn=it,ou=groups,dc=linuggs,dc=de"
 
 
 
=user ldif anlegen=
 
 
<pre>
 
<pre>
dn: uid=leroy,ou=users,dc=linuggs,dc=de
+
SERVER="ldap://ldap.it213.int"
cn: leroy
+
SUFFIX="dc=it213,dc=int"
objectClass: account
+
GSUFFIX="ou=groups"
objectClass: posixAccount
+
USUFFIX="ou=users"
objectClass: shadowAccount
+
MSUFFIX="ou=hosts"
uid: leroy
+
BINDDN="cn=admin,dc=it213,dc=int"
uidNumber: 2001
+
USHELL="/bin/bash"
gidNumber: 3001
+
UHOMES="/home/%u"
homeDirectory: /home/leroy
+
CREATEHOMES="yes"
loginShell: /bin/bash
+
HOMESKEL="/etc/skel"
 +
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 +
GIDSTART="10000" # Group ID
 +
UIDSTART="10000" # User ID
 +
MIDSTART="20000" # Machine ID
 +
GCLASS="posixGroup"  # Leave "posixGroup" here if not sure !
 +
PASSWORDGEN="pwgen"
 +
RECORDPASSWORDS="no"
 +
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 +
LOGTOFILE="yes"
 +
LOGFILE="/var/log/ldapscripts.log"
 +
LOGTOSYSLOG="no"
 +
SYSLOGFACILITY="local4"
 +
SYSLOGLEVEL="info"
 +
LDAPSEARCHBIN="/usr/bin/ldapsearch"
 +
LDAPADDBIN="/usr/bin/ldapadd"
 +
LDAPDELETEBIN="/usr/bin/ldapdelete"
 +
LDAPMODIFYBIN="/usr/bin/ldapmodify"
 +
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
 +
LDAPPASSWDBIN="/usr/bin/ldappasswd"
 +
LDAPSEARCHOPTS="-o ldif-wrap=no"
 +
GETENTPWCMD=""
 +
GETENTGRCMD=""
 +
GTEMPLATE=""
 +
UTEMPLATE=""
 +
MTEMPLATE=""
 
</pre>
 
</pre>
  
=user hinzufügen=
+
* echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f user.ldif
+
* chmod 600 /etc/ldapscripts/ldapscripts.passwd
adding new entry "uid=leroy,ou=user,dc=linuggs,dc=de"
 
=ldapscripts=
 
*[[ldapscripts handling]]
 
  
=Openldap posix accounts=
+
== Gruppen ==
*[[openldap posix accounts]]
+
* ldapaddgroup it
==ldapsearch==
+
* ldapaddgroup sudo
root@maria:~# ldapsearch -x -LLL -b dc=linuggs,dc=de 'uid=thomas' cn gidNumber
 
dn: uid=thomas,ou=People,dc=linuggs,dc=de
 
cn: thomas will
 
gidNumber: 5000
 
  
=apache2 ldap=
+
== Benutzer ==
*[[apache2 ldap]]
+
* ldapadduser thomas it
 +
* ldapadduser tina it
  
=ssl=
+
== Passwort ==
==certifikate generieren==
+
* ldapsetpasswd thomas
 +
* ldapsetpasswd tina
  
==ssl.ldif erstellen==
+
== Gruppe zuweisen ==
<pre>
+
* ldapaddusertogroup thomas sudo
dn: cn=config
+
* ldapaddusertogroup tina sudo
  
add: olcTLSCACertificateFile
+
= SSSD Anbindung =
olcTLSCACertificateFile: /etc/ldap/ssl/xin-ca.crt
+
* apt install sssd libnss-sss libpam-sss libsss-sudo
-
 
add: olcTLSCertificateFile
 
olcTLSCertificateFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.crt
 
-
 
add: olcTLSCertificateKeyFile
 
olcTLSCertificateKeyFile: /etc/ldap/ssl/xin-ca-maria.xinux.org.key
 
</pre>
 
  
==konfig hinzufügen==
+
== Konfiguration ==
 +
* vim /etc/sssd/sssd.conf
 
<pre>
 
<pre>
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
+
[sssd]
SASL/EXTERNAL authentication started
+
config_file_version = 2
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
services = nss, pam, sudo
SASL SSF: 0
+
domains = it213.int
modifying entry "cn=config
+
 
 +
[domain/it213.int]
 +
id_provider = ldap
 +
auth_provider = ldap
 +
access_provider = permit
 +
sudo_provider = ldap
 +
ldap_uri = ldap://ldap.it213.int
 +
ldap_search_base = dc=it213,dc=int
 +
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
 +
ldap_id_use_start_tls = false
 +
ldap_auth_disable_tls_never_use_in_production = true
 +
ldap_tls_reqcert = never
 
</pre>
 
</pre>
==ldaps freischalten==
+
;[[Erklärungen sssd-1]]
*/etc/default/slapd
 
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
 
==slapd restart==
 
systemctl restart slapd
 
==slapd ssl check==
 
*netstat -lntp | grep 636
 
tcp        0      0 0.0.0.0:636            0.0.0.0:*              LISTEN      2204/slapd     
 
tcp6      0      0 :::636                  :::*                    LISTEN      2204/slapd
 
  
=Links=
+
* chmod 600 /etc/sssd/sssd.conf
*https://help.ubuntu.com/lts/serverguide/openldap-server.html
+
* systemctl restart sssd
*https://help.ubuntu.com/community/OpenLDAPServer
 
*http://www.plone-entwicklerhandbuch.de/plone-entwicklerhandbuch/authentifizierung/ldap
 
*http://www.zytrax.com/books/ldap/
 
*https://wiki.debian.org/LDAP/OpenLDAPSetup
 
*https://darkstar.gernox.de/2012/10/28/openldap/
 
*http://www.openldap.org/doc/admin24/
 
*https://wiki.debian.org/LDAP/OpenLDAPSetup
 
*http://askubuntu.com/questions/481917/apache2-4-7-ldap-url-authentication-on-ubuntu-14-04
 
  
=Servertools=
+
== NSS ==
==slapdadd==
+
;Nur Kontrolle
User zur SLAPD Datenbank hinzufügen
+
*cat /etc/nsswitch.conf
 +
<pre>
  
slapadd -b dc=linuggs,dc=de -l muster.ldif
+
passwd:        files systemd sss
 +
group:          files systemd sss
 +
shadow:        files systemd sss
 +
gshadow:        files systemd
  
*-b: Baseroot
+
hosts:         files dns
*-l: Informationen werden aus der angegebenen Datei gelsen. Nicht vom Standard-Input
+
networks:       files
  
slapadd -b dc=linuggs,dc=de -f slapd.conf
+
protocols:      db files
 +
services:      db files sss
 +
ethers:        db files
 +
rpc:            db files
  
*-f: eine alternative slapd.conf benutzen
+
netgroup:       nis sss
 
+
sudoers: files  sss
==slapcat==
+
automount:  sss
Der Befehl slapcat ermöglicht die Speicherung der aktuellen LDAP-Daten in einer Textdatei im LDIF-Format
+
</pre>
  
slapcat > ldapdaten.txt
+
== PAM ==
 +
* pam-auth-update --enable sss mkhomedir
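Review bot: The bind password is written before the file is locked down — `echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd` runs first and `chmod 600 /etc/ldapscripts/ldapscripts.passwd` only afterwards, so under the default umask the file is readable by every local user for a moment, and the same order applies to `/etc/sssd/sssd.conf`, which is created with vim and only gets its `chmod 600` much later in the hunk. Creating the file with the final mode closes that window: `( umask 077; printf '%s' '123Start$' > /etc/ldapscripts/ldapscripts.passwd )`, or `install -m 600 /dev/null /etc/sssd/sssd.conf` before editing. The new sssd.conf also turns TLS off (`ldap_id_use_start_tls = false`, `ldap_auth_disable_tls_never_use_in_production = true`, `ldap_tls_reqcert = never`), which makes SSSD send user passwords to the LDAP server in cleartext at PAM login; the option name itself says this is not for production, so the block should carry that caveat, e.g. `# Laborkonfiguration ohne TLS – für den Produktivbetrieb StartTLS/ldaps aktivieren und ldap_tls_reqcert = demand setzen`. Likewise `ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif` puts the admin password into shell history and process listings, where the `-W` prompt used in the removed "gebunden interaktiv" section avoided that.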

Aktuelle Version vom 2. April 2026, 10:55 Uhr

Installation

Passwort nach Wahl festlegen
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

Grundkonfiguration

  • dpkg-reconfigure slapd
Debconf Question Recommended Input
Omit OpenLDAP server configuration? No
DNS domain name: it213.int
Organization name: it213
Administrator password: 123Start$
Database backend to use: MDB
Remove database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

ldap.conf setzen

  • vim /etc/ldap/ldap.conf
BASE    dc=it213,dc=int
URI     ldap://ldap.it213.int
ldap_version    3

Kontrolle

  • ldapsearch -x -LLL

Grundstruktur

Erstellen

  • cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

EOF

Anlegen

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif

Benutzer und Gruppen

  • apt install -y ldapscripts

Konfiguration

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Gruppen

  • ldapaddgroup it
  • ldapaddgroup sudo

Benutzer

  • ldapadduser thomas it
  • ldapadduser tina it

Passwort

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Gruppe zuweisen

  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

SSSD Anbindung

  • apt install sssd libnss-sss libpam-sss libsss-sudo

Konfiguration

  • vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
Erklärungen sssd-1
  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd

NSS

Nur Kontrolle
  • cat /etc/nsswitch.conf

passwd:         files systemd sss
group:          files systemd sss
shadow:         files systemd sss
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers: files  sss
automount:  sss

PAM

  • pam-auth-update --enable sss mkhomedir