Gothenburg Hackerspace Wiki

ghs:services:ldap:notes · Last modified: 2014/12/18 16:26 by klondike (previous revision 2014/05/31 03:01)

====== LDAP notes ======
These are some notes about the OpenLDAP installation as it currently is.

The "official" documentation will be available at [[https://gbg.hackerspace.se/ghs/services/ldap/| LDAP]].
  
===== Packages and USE flags =====
For the LDAP server we build net-nds/openldap with these USE flags:
net-nds/openldap -berkdb crypt cxx experimental icu ipv6 ssl syslog -kerberos samba sasl slp
...
net-misc/openssh ldap
  
===== SSL details =====
We use TLS certificates issued by CAcert (in particular class 3 certificates). You can download the CA certificate at [[https://www.cacert.org/certs/class3.crt| CAcert.org Class 3 certificate]]; this is the file to install as /etc/ldap_ca.pem, the TLS_CACERT used by the client configuration below.

The SHA1 fingerprint should be: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

Check the downloaded file against this value before installing it (for example with openssl x509 -noout -fingerprint -sha1 -in class3.crt): a CA certificate fetched over the network and trusted unchecked would let whoever served it impersonate the LDAP servers. SHA-1 is no longer collision resistant, so once the file has been verified record its SHA-256 fingerprint as well for future comparisons.
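The following is an added shell example, not part of the wiki page, showing how to do that check with nothing but coreutils: a certificate fingerprint is the digest of the DER-encoded certificate, and a PEM file is that DER in base64, so hashing the decoded body reproduces what openssl x509 -fingerprint prints. The expected fingerprint is passed as an argument; the only constructed input is the dummy "certificate" used to exercise the functions (it is not a real certificate).

```sh
#!/bin/sh
# Added example, not from the wiki page: verify a downloaded CA certificate against a
# published fingerprint before installing it as TLS_CACERT.
# A PEM file is the DER certificate in base64, and the fingerprint is the digest of the
# DER, so coreutils alone reproduce what
#   openssl x509 -noout -fingerprint -sha1 -in class3.crt
# prints. Nothing here is downloaded; the file and the expected value are arguments.

# pem_fingerprint FILE DIGEST   (DIGEST is sha1 or sha256)
# Prints the fingerprint as upper-case colon-separated hex, the format CAcert publishes.
pem_fingerprint() {
  sed -n '/^-----BEGIN/,/^-----END/{/^-----/d;p;}' "$1" \
    | tr -d '\r\n' | base64 -d | "${2}sum" | cut -d' ' -f1 \
    | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# check_ca_cert FILE EXPECTED_SHA1
# Returns 0 when the SHA-1 fingerprint matches (colons and case in EXPECTED are
# ignored), 1 otherwise. On success it also prints the SHA-256 fingerprint: SHA-1 is
# no longer collision resistant, so record that one for future comparisons.
check_ca_cert() {
  want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  got=$(pem_fingerprint "$1" sha1 | tr -d ':')
  if [ "$got" = "$want" ]; then
    echo "OK: $1 matches the expected SHA-1 fingerprint"
    echo "SHA-256: $(pem_fingerprint "$1" sha256)"
    return 0
  fi
  echo "MISMATCH: $1 has SHA-1 $got, expected $want; do not install it" >&2
  return 1
}

# Real-world use, after downloading the CAcert Class 3 certificate:
#   check_ca_cert class3.crt AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE \
#     && cp class3.crt /etc/ldap_ca.pem
if [ $# -eq 2 ]; then check_ca_cert "$1" "$2"; fi
```

Run it as ./check-ca.sh class3.crt AD:7C:... and only copy the file into place when it reports OK; a mismatch means either a corrupted download or a different certificate than the one the page documents.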
  
===== Config details =====

==== OpenLDAP tools ====
For the OpenLDAP command line tools we use these settings in /etc/openldap/ldap.conf:

<file /etc/openldap/ldap.conf>
BASE    dc=gbg,dc=hackerspace,dc=se
URI     ldaps://ldap1.vega.gbg.hackerspace.se ldaps://ldap2.vega.gbg.hackerspace.se
TLS_CACERT /etc/ldap_ca.pem
</file>
...
Also, ldapsearch seems to be ignoring the URI; we still don't know why it tries to use localhost. One likely cause is the comma the ldap2 entry used to contain (ldap2.vega,gbg.hackerspace.se): libldap splits the URI value on whitespace and commas, and if any element fails to parse (the bare gbg.hackerspace.se has no ldaps:// scheme) the whole URI setting is discarded and the library falls back to its built-in default of ldap://localhost:389. Running ldapsearch with -d 1 shows which host it actually connects to; also check for a ~/.ldaprc and for the LDAPURI and LDAPCONF environment variables, which override /etc/openldap/ldap.conf.
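To track down where a client really gets its URI from, here is an added shell model, not from the wiki and not libldap itself, of the lookup order documented in ldap.conf(5) together with the comma splitting described above. File paths are parameters so it can be pointed at copies of the configuration; in normal use run it with /etc/openldap/ldap.conf and $HOME.

```sh
#!/bin/sh
# Added example, not from the wiki page: model how libldap picks the URI, so a client
# that "ignores" ldap.conf and connects to localhost can be explained.
# The lookup order modelled here is the one documented in ldap.conf(5):
#   1. the system-wide file ($LDAPCONF replaces it when set)
#   2. $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc ("ldaprc" is replaced by $LDAPRC when set)
#   3. environment variables named LDAP<option>, e.g. LDAPURI, which win over all files
# Later sources override earlier ones; LDAPNOINIT disables steps 1-3 entirely.
# The URI value is split on whitespace AND commas; if any element fails to parse (no
# ldap://, ldaps:// or ldapi:// scheme) the whole setting is dropped and libldap keeps
# its built-in default, ldap://localhost:389.

# uri_from_file FILE - last "URI ..." value in one config file (keyword is
# case-insensitive), or nothing if the file is absent or sets no URI.
uri_from_file() {
  [ -r "$1" ] || return 0
  sed -n 's/^[[:space:]]*[Uu][Rr][Ii][[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# validate_uri_list LIST - split LIST the way libldap does and check every element
# has a known scheme. Prints the first bad element and returns 1, else returns 0.
validate_uri_list() {
  for u in $(printf '%s\n' "$1" | tr ',' ' '); do
    case "$u" in
      ldap://*|ldaps://*|ldapi://*) ;;
      *) printf '%s\n' "$u"; return 1 ;;
    esac
  done
  return 0
}

# ldap_effective_uri SYSCONF HOMEDIR [CWD]
# Prints the URI list libldap would end up with, or the localhost fallback and why.
ldap_effective_uri() {
  sysconf=$1; home=$2; cwd=${3:-.}
  uri=""
  if [ -z "${LDAPNOINIT:-}" ]; then
    rc=${LDAPRC:-ldaprc}
    for f in "${LDAPCONF:-$sysconf}" "$home/$rc" "$home/.$rc" "$cwd/$rc"; do
      v=$(uri_from_file "$f")
      if [ -n "$v" ]; then uri=$v; fi
    done
    if [ -n "${LDAPURI:-}" ]; then uri=$LDAPURI; fi
  fi
  if [ -z "$uri" ]; then
    echo "ldap://localhost:389 (no URI configured: libldap default)"
  elif bad=$(validate_uri_list "$uri"); then
    echo "$uri"
  else
    echo "ldap://localhost:389 (URI setting rejected: '$bad' has no scheme)"
  fi
}

# Typical use on a client host:
#   ldap_effective_uri /etc/openldap/ldap.conf "$HOME"
if [ $# -ge 2 ]; then ldap_effective_uri "$@"; fi
```

Fed the old ldap.conf line with the comma, the model reports the rejected element and the localhost fallback; fed the corrected line it returns both ldaps:// servers, and a stray ~/.ldaprc or LDAPURI in the environment shows up as the winner.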
  
==== sys-auth/nss-pam-ldapd ====
The nslcd configuration in /etc/nslcd.conf is as follows:
<file /etc/nslcd.conf>
...
</file>
  
==== openssh with LPK ====
We just add these options to /etc/ssh/sshd_config:
<file /etc/ssh/sshd_config>
...
</file>

Using nslcd.conf for this causes trouble and limits us, so we avoid it.
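The LPK patch is one way to get keys out of the directory; stock OpenSSH (6.2 and later) does the same job with AuthorizedKeysCommand. What follows is an added example of such a command, not the wiki's configuration: it assumes the openssh-lpk schema is loaded so accounts carry an sshPublicKey attribute, that the slapd ACLs let the command user read it over TLS, and the sshd_config lines in the comments; the server and base DN are the ones from ldap.conf above. The part worth keeping even with LPK is the LDIF handling: ldapsearch folds long values onto continuation lines and may base64-encode them, so a naive grep hands sshd broken keys.

```sh
#!/bin/sh
# Added example, not the wiki's LPK setup: serve a user's SSH keys from LDAP through
# stock OpenSSH's AuthorizedKeysCommand (OpenSSH 6.2+), no patched sshd needed.
# Assumed sshd_config (not from the page):
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# Assumed directory layout: accounts under ou=People carry the sshPublicKey attribute
# from the openssh-lpk schema, readable by the (anonymous, TLS-protected) command user.

# ldif_attr_values ATTR - print every value of ATTR from LDIF read on stdin.
# ldapsearch folds values longer than 76 characters onto continuation lines that start
# with one space, and base64-encodes values it cannot print safely ("attr:: ...").
# A plain "grep '^sshPublicKey:'" would therefore hand sshd truncated or encoded keys.
ldif_attr_values() {
  attr=$1
  # Unfold first: while the next line starts with a space, join it (minus that space).
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | while IFS= read -r line; do
    case "$line" in
      "$attr::"*)   # base64-encoded value
        printf '%s' "${line#"$attr::"}" | tr -d ' ' | base64 -d; echo ;;
      "$attr:"*)    # plain value, separated from the name by one optional space
        v=${line#"$attr:"}; printf '%s\n' "${v# }" ;;
    esac
  done
}

# ldap_authorized_keys USER - what sshd runs, with %u substituted for USER.
# A non-zero exit makes sshd fall back to AuthorizedKeysFile, so refuse any name that
# could change the meaning of the LDAP filter instead of trying to escape it.
ldap_authorized_keys() {
  user=$1
  case "$user" in
    ""|*[!A-Za-z0-9._-]*) echo "refusing username '$user'" >&2; return 1 ;;
  esac
  # -x: simple (here anonymous) bind; -LLL: bare LDIF; the CA comes from ldap.conf
  ldapsearch -LLL -x -H ldaps://ldap1.vega.gbg.hackerspace.se \
    -b ou=People,dc=gbg,dc=hackerspace,dc=se "(uid=$user)" sshPublicKey \
    | ldif_attr_values sshPublicKey
}

# When installed as the AuthorizedKeysCommand script, run for the user sshd passes in:
if [ -n "${1:-}" ]; then ldap_authorized_keys "$1"; fi
```

Install it as /usr/local/bin/ldap-authorized-keys, owned by root and not writable by anyone else (sshd refuses it otherwise), and keep AuthorizedKeysCommandUser an unprivileged account; the whitelist on the username is what stands between sshd's %u and the LDAP filter.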
  
==== slapd ====
We still have to implement proper access policies; in the meantime these are the settings we use in /etc/openldap/slapd.conf:
<file /etc/openldap/slapd.conf>
...
</file>
  
===== Initial setup =====

To be able to use LDAP we first need to create the database root entry and, below it, the organizationalUnits and entries we are going to use. Our original LDIF file looks as follows:
<code ldif>
...
</code>
  
===== Example group ldif =====
<code ldif>
dn: cn=test,ou=Group,dc=gbg,dc=hackerspace,dc=se
...
</code>
  
===== Example user ldif =====
<code ldif>
dn: uid=test,ou=People,dc=gbg,dc=hackerspace,dc=se
...
</code>
  
===== Testing =====
Bind as a regular user and as the directory manager. -ZZ makes ldapsearch fail unless StartTLS succeeds, so it goes with a plain ldap:// URI (with ldaps:// the connection is already encrypted and StartTLS is refused); -W prompts for the password instead of taking it on the command line; and because this build has SASL enabled, ldapsearch defaults to a SASL bind, so -x is needed to get the simple bind that -D and -W are meant for:
<code bash>
ldapsearch -x -D "uid=test,ou=People,dc=gbg,dc=hackerspace,dc=se" -ZZ -W -H ldap://ldap1.vega.gbg.hackerspace.se
ldapsearch -x -D "cn=Manager,dc=gbg,dc=hackerspace,dc=se" -ZZ -W -H ldap://ldap1.vega.gbg.hackerspace.se
</code>
  
===== TODO =====

I have to find a good way to mark admin accounts so I can restrict access to certain hosts.
I need to set up SASL and Kerberos.