helderco / univ-asr

Simulation for a small business network and systems. For a class in Network Security and Management.
MIT License
0 stars, 2 forks

Configure LDAP #3

Closed. helderco closed this 11 years ago

helderco commented 11 years ago

It will be used by ownCloud (#4) and by FTPS.

mluis commented 11 years ago

1) Install software

yum -y install openldap openldap-clients openldap-servers

2) Define root password for ldap

slappasswd

New password: imbcc
Re-enter new password: imbcc
{SSHA}w/8jfPhz+6AiUf5qsfCiqmGUcmpsraJj

3) Create olcRootPW

cd /etc/openldap/slapd.d/cn\=config

vi olcDatabase\={2}bdb.ldif

olcRootPW: {SSHA}w/8jfPhz+6AiUf5qsfCiqmGUcmpsraJj

4) Edit more options:

olcSuffix: dc=imbcc,dc=pt
...
olcRootDN: cn=Manager,dc=imbcc,dc=pt
...
olcRootPW: {SSHA}w/8jfPhz+6AiUf5qsfCiqmGUcmpsraJj

5)

vi olcDatabase\={1}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=imbcc,dc=pt" read by * none

6)

chkconfig slapd on

service slapd start

7) Create dc=imbcc,dc=pt. Edit imbcc.ldif

dn: dc=imbcc,dc=pt
objectClass: dcObject
objectClass: organization
dc: imbcc
o: imbcc

ldapadd -f imbcc.ldif -D cn=Manager,dc=imbcc,dc=pt -w imbcc

8) Add an Organizational Unit.

vi imbccOU.ldif

dn: ou=IMBCC,dc=imbcc,dc=pt
objectClass: organizationalUnit
ou: IMBCC

ldapadd -f imbccOU.ldif -D cn=Manager,dc=imbcc,dc=pt -w imbcc

9) Add users to ldap

vi margarida\ altas.ldif

dn: cn=Margarida Altas,ou=IMBCC,dc=imbcc,dc=pt
cn: Margarida Altas
sn: Altas
objectClass: inetOrgPerson
userPassword: margarida
uid: margarida

vi nelia\ furtado.ldif

dn: cn=Nelia Furtado,ou=IMBCC,dc=imbcc,dc=pt
cn: Nelia Furtado
sn: Furtado
objectClass: inetOrgPerson
userPassword: nelia
uid: nelia

vi paulo\ santos.ldif

dn: cn=Paulo Santos,ou=IMBCC,dc=imbcc,dc=pt
cn: Paulo Santos
sn: Santos
objectClass: inetOrgPerson
userPassword: paulos
uid: paulos

vi paulo\ torres.ldif

dn: cn=Paulo Torres,ou=IMBCC,dc=imbcc,dc=pt
cn: Paulo Torres
sn: Torres
objectClass: inetOrgPerson
userPassword: paulo
uid: paulo

vi rui\ pacheco.ldif

dn: cn=Rui Pacheco,ou=IMBCC,dc=imbcc,dc=pt
cn: Rui Pacheco
sn: Pacheco
objectClass: inetOrgPerson
userPassword: rui
uid: rui

10) Create RHA and WD groups:

vi rha.ldif

dn: cn=Recursos Humanos e Administracao,ou=IMBCC,dc=imbcc,dc=pt
# the RDN value must also be present as an attribute value, or slapd rejects the entry
cn: Recursos Humanos e Administracao
cn: RHA
objectClass: groupOfNames
member: cn=Paulo Torres,ou=IMBCC,dc=imbcc,dc=pt
member: cn=Margarida Altas,ou=IMBCC,dc=imbcc,dc=pt

vi wd.ldif

dn: cn=Web Design,ou=IMBCC,dc=imbcc,dc=pt
cn: Web Design
cn: WD
objectClass: groupOfNames
member: cn=Paulo Santos,ou=IMBCC,dc=imbcc,dc=pt
member: cn=Nelia Furtado,ou=IMBCC,dc=imbcc,dc=pt
member: cn=Rui Pacheco,ou=IMBCC,dc=imbcc,dc=pt

11) For each .ldif do:

ldapadd -f <file>.ldif -D cn=Manager,dc=imbcc,dc=pt -w imbcc

mluis commented 11 years ago

I think all the configs can be put into a single file and loaded with ldapadd.

helderco commented 11 years ago

I'm not going to edit files inside a Chef recipe... don't you have already-edited configuration files?

helderco commented 11 years ago

It's already inserting record by record :)

# Stop service before writing config files
service "slapd" do
  action [:enable, :stop]
end

# Root user
manager = "cn=Manager,#{node.openldap.basedn}"
password = "imbcc"

# Configuration directory
config_dir = "/etc/openldap/slapd.d/cn=config"

# Configure
ruby_block "slapd_config" do
  block do
    # slappasswd prints the {SSHA} hash followed by a newline; use strip (not strip!),
    # which returns nil when there is nothing to strip
    password_hash = Mixlib::ShellOut.new("slappasswd -s #{password}").run_command.stdout.strip
    Chef::Log.info("Generated new LDAP root password: #{password_hash}")

    # Set suffix and root DN, and add the root password hash after the root DN line
    rc = Chef::Util::FileEdit.new("#{config_dir}/olcDatabase={2}bdb.ldif")
    rc.search_file_replace_line(/olcSuffix:/, "olcSuffix: #{node.openldap.basedn}")
    rc.search_file_replace_line(/olcRootDN:/, "olcRootDN: #{manager}")
    rc.insert_line_after_match(/olcRootDN/, "olcRootPW: #{password_hash}")
    rc.write_file

    # Replace the default manager DN in the monitor database ACL with ours
    rc = Chef::Util::FileEdit.new("#{config_dir}/olcDatabase={1}monitor.ldif")
    rc.search_file_replace(/dn.base="cn=[\w]+,dc=[\w-]+,dc=[\w]+"/, "dn.base=\"#{manager}\"")
    rc.write_file
  end
  # Only run once: olcRootPW is present after the first successful edit
  not_if "grep olcRootPW #{config_dir}/olcDatabase={2}bdb.ldif"
end

# Start service
service "slapd" do
  action [:start]
end

Only the ldapadds are missing, but that's easy.

helderco commented 11 years ago

Done... this adds all the records with ldapadd:

# Add entries
%w{imbcc users}.each do |ldif|
  cookbook_file "/tmp/#{ldif}.ldif" do
    source "#{ldif}.ldif"
  end
  execute "add_#{ldif}" do
    cwd "/tmp"
    command "ldapadd -f #{ldif}.ldif -D #{manager} -w #{password}"
    # Skip if the first entry in the file already exists. The DN is the first line after
    # "dn: "; take every field from the second onwards (-f2-) so DNs containing spaces
    # (e.g. cn=Margarida Altas,...) are not cut off at the first space.
    not_if "bash -c 'ldapsearch -x -LLL -b \"$(head -1 #{ldif}.ldif | cut -d\\  -f2-)\"'", :cwd => '/tmp'
  end
end
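The following is an added Ruby example, not code from the univ-asr cookbook or from either commenter. It serves both mluis's step-by-step procedure (steps 7 to 11) and the Chef ldapadd loop above: it builds the whole directory as one LDIF text (base, OU, users, groups), hashes each userPassword with the same {SSHA} scheme that slappasswd uses instead of storing it in clear, and then parses the LDIF back to catch two things the thread runs into: an entry whose RDN value is not also an attribute value (which slapd refuses), and DNs containing spaces, which must be extracted whole for the ldapsearch existence check. The user and group list is constructed sample data; the helper names (ssha, directory_ldif, parse_ldif, naming_attribute_missing, entry_dns) are this example's own.

```ruby
# Added example: generate, hash and sanity-check the IMBCC directory LDIF before ldapadd.
require 'digest/sha1'
require 'securerandom'
require 'base64'

BASE_DN = 'dc=imbcc,dc=pt'
OU_DN   = "ou=IMBCC,#{BASE_DN}"

# Constructed sample data mirroring the entries in the thread (subset).
USERS = [
  { cn: 'Margarida Altas', sn: 'Altas',  uid: 'margarida' },
  { cn: 'Paulo Torres',    sn: 'Torres', uid: 'paulo' },
]
GROUPS = [
  { cn: 'Recursos Humanos e Administracao', short: 'RHA',
    members: ['Paulo Torres', 'Margarida Altas'] },
]

# {SSHA} = base64(SHA1(password || salt) || salt), slappasswd's default scheme.
def ssha(password, salt = SecureRandom.random_bytes(4))
  '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(password.b + salt) + salt)
end

# Verify an {SSHA} value the way slapd does: split off the trailing salt and recompute.
def ssha_valid?(hash, password)
  return false unless hash.start_with?('{SSHA}')
  raw = Base64.strict_decode64(hash.sub('{SSHA}', ''))
  digest, salt = raw[0, 20], raw[20..-1]
  digest == Digest::SHA1.digest(password.b + salt)
end

# Serialise one entry; attributes are [name, value] pairs so a name may repeat.
def ldif_entry(dn, attrs)
  (["dn: #{dn}"] + attrs.map { |a, v| "#{a}: #{v}" }).join("\n") + "\n"
end

# The whole directory as a single LDIF text (one ldapadd instead of one per file).
def directory_ldif(passwords)
  records = []
  records << ldif_entry(BASE_DN, [%w[objectClass dcObject], %w[objectClass organization],
                                  %w[dc imbcc], %w[o imbcc]])
  records << ldif_entry(OU_DN, [%w[objectClass organizationalUnit], %w[ou IMBCC]])
  USERS.each do |u|
    records << ldif_entry("cn=#{u[:cn]},#{OU_DN}",
                          [['objectClass', 'inetOrgPerson'], ['cn', u[:cn]], ['sn', u[:sn]],
                           ['uid', u[:uid]], ['userPassword', ssha(passwords.fetch(u[:uid]))]])
  end
  GROUPS.each do |g|
    # both the long cn (the RDN value) and the short alias are kept
    attrs = [['objectClass', 'groupOfNames'], ['cn', g[:cn]], ['cn', g[:short]]]
    attrs += g[:members].map { |m| ['member', "cn=#{m},#{OU_DN}"] }
    records << ldif_entry("cn=#{g[:cn]},#{OU_DN}", attrs)
  end
  records.join("\n")
end

# Parse blank-line separated LDIF records into [dn, [[attr, value], ...]] pairs.
def parse_ldif(text)
  text.split(/\n\s*\n/).map do |rec|
    lines = rec.lines.map(&:chomp).reject { |l| l.empty? || l.start_with?('#') }
    dn = lines.shift.sub(/^dn: /, '')
    [dn, lines.map { |l| l.split(': ', 2) }]
  end
end

# slapd rejects an entry whose RDN value is absent from its attributes
# (e.g. dn cn=Recursos Humanos e Administracao,... with only "cn: RHA").
def naming_attribute_missing(text)
  parse_ldif(text).reject do |dn, attrs|
    attr, value = dn.split(',', 2).first.split('=', 2)
    attrs.any? { |a, v| a.downcase == attr.downcase && v.downcase == value.downcase }
  end.map(&:first)
end

# Full DNs for the pre-ldapadd existence check; `cut -d' ' -f2` on the dn line
# would truncate "cn=Margarida Altas,..." to "cn=Margarida".
def entry_dns(text)
  parse_ldif(text).map(&:first)
end
```

In use, the text returned by directory_ldif is written to one file and handed to a single ldapadd, and entry_dns feeds the ldapsearch guard with each full DN quoted, so the run stays idempotent for entries whose DN contains spaces.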