Openldap : Différence entre versions

Ligne 90 : Ligne 90 :
 
   
 
   
 
  #######################################################################
 
  #######################################################################
# Specific Directives for database #1, of type bdb:
+
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
+
# Database specific directives apply to this databasse until another
# 'database' directive occurs
+
# 'database' directive occurs
database        bdb
+
database        bdb
 
+
# The base of your directory in database #1
+
# The base of your directory in database #1
suffix          "ou=People,dc=cnrs,dc=fr"
+
suffix          "ou=People,dc=cnrs,dc=fr"  
 
+
# rootdn directive for specifying a superuser on the database. This is needed
+
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
+
# for syncrepl.
rootdn          "cn=admin,ou=People,dc=cnrs,dc=fr"
+
rootdn          "cn=admin,ou=People,dc=cnrs,dc=fr"
#rootpw          {SHA}T6ZDXBVFfbdydJAYiaDpYVysUz8=
+
rootpw          "secret"
rootpw          "mo2passe"
+
 
+
# Where the database file are physically stored for database #1
#updatedn        "cn=updateDR15,ou=People,dc=cnrs,dc=fr"
+
directory      "/var/lib/ldap-people"
 
+
# Where the database file are physically stored for database #1
+
# For the Debian package we use 2MB as default but be sure to update this
directory      "/var/lib/ldap-people"
+
# value if you have plenty of RAM
 
+
# FAIRE DES TESTS EN FONCTION DE VOTRE SERVEUR
# For the Debian package we use 2MB as default but be sure to update this
+
# value if you have plenty of RAM
+
#dbconfig set_cachesize 0 2097152 0
#dbconfig set_cachesize 0 2097152 0
+
#dbconfig set_cachesize 0 268435456 0
#dbconfig set_cachesize 0 268435456 0
+
#dbconfig set_cachesize 0 1073741824 0
dbconfig set_cachesize 0 536870912 0
+
#dbconfig set_cachesize 0 1073741824 0
+
#Pour mon serveur virtuel avec 1 Go de Ram et 2 CPU virtuels :
 
+
dbconfig set_cachesize 0 536870912 0
 
+
dbconfig set_flags    DB_LOG_AUTOREMOVE
+
dbconfig set_flags    DB_LOG_AUTOREMOVE
 
+
# Sven Hartge reported that he had to set this value incredibly high
+
# Number of objects that can be locked at the same time.
# to get slapd running at all. See http://bugs.debian.org/303057
+
dbconfig set_lk_max_objects 1500
# for more information.
+
# Number of locks (both requested and granted)
 
+
dbconfig set_lk_max_locks 1500
# Number of objects that can be locked at the same time.
+
# Number of lockers
dbconfig set_lk_max_objects 1500
+
dbconfig set_lk_max_lockers 1500
# Number of locks (both requested and granted)
+
dbconfig set_lk_max_locks 1500
+
# Indexing options for database #1
# Number of lockers
+
index objectClass                      eq,pres
dbconfig set_lk_max_lockers 1500
+
index ou,cn,mail,surname,givenname      eq,pres,sub
 
+
index uid                              eq,pres
# Indexing options for database #1
+
index entryCSN,entryUUID                eq,pres
index objectClass                      eq,pres
+
index cnrsDelegation                    eq,pres,sub
index ou,cn,mail,surname,givenname      eq,pres,sub
+
index uid                              eq,pres
+
index entryCSN,entryUUID                eq,pres
+
# Save the time that the entry gets modified, for database #1
index cnrsDelegation                    eq,pres,sub
+
lastmod        on
 
+
 
+
#overlay syncprov
# Save the time that the entry gets modified, for database #1
+
lastmod        on
+
#id du client (numero DR)
 
+
syncrepl rid=XXX  XXX =numeroDR
#overlay syncprov
 
 
 
#id du client (numero DR?)
 
syncrepl rid=013
 
 
         provider=ldap://ldap.dr15.cnrs.fr:389
 
         provider=ldap://ldap.dr15.cnrs.fr:389
 
         searchbase="ou=People,dc=cnrs,dc=fr"
 
         searchbase="ou=People,dc=cnrs,dc=fr"
Ligne 153 : Ligne 149 :
 
         updatedn="cn=admin,ou=people,dc=cnrs,dc=fr"
 
         updatedn="cn=admin,ou=people,dc=cnrs,dc=fr"
 
         bindmethod=simple
 
         bindmethod=simple
         binddn="cn=sync-dr13,ou=people,dc=cnrs,dc=fr"
+
         binddn="cn=sync-drXXX,ou=people,dc=cnrs,dc=fr"
         credentials="?un106blE"
+
         credentials="Mot de passe"
 +
 +
# Where to store the replica logs for database #1
 +
# replogfile    /var/lib/ldap/replog
 +
 +
# The userPassword by default can be changed
 +
# by the entry owning it if they are authenticated.
 +
# Others should not be able to see it, except the
 +
# admin entry below
 +
# These access lines apply to database #1 only
 +
access to attrs=userPassword,shadowLastChange
 +
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
 +
        by anonymous auth
 +
        by self write
 +
        by * none
 +
 +
# Ensure read access to the base for things like
 +
# supportedSASLMechanisms.  Without this you may
 +
# have problems with SASL not knowing what
 +
# mechanisms are available and the like.
 +
# Note that this is covered by the 'access to *'
 +
# ACL below too but if you change that as people
 +
# are wont to do you'll still need this if you
 +
# want SASL (and possible other things) to work
 +
# happily.
 +
access to dn.base="" by * read
 +
 +
# The admin dn has full write access, everyone else
 +
# can read everything.
 +
access to *
 +
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
 +
        by * read
 +
 +
# For Netscape Roaming support, each user gets a roaming
 +
# profile for which they have write access to
 +
#access to dn=".*,ou=Roaming,o=morsnet"
 +
#        by dn="cn=admin,dc=cnrs,dc=fr" write
 +
#        by dnattr=owner write
 +
 
 +
 
 +
Demarrez le demon :
  
# Where to store the replica logs for database #1
+
# slapd
# replogfile    /var/lib/ldap/replog
 
  
# The userPassword by default can be changed
+
La replication devrait commencer avec le serveur de Bordeaux, vous pouvez le suivre en fait des requetes sur la base :
# by the entry owning it if they are authenticated.
+
# ldapsearch -x -b "ou=People,dc=cnrs,dc=fr"  
# Others should not be able to see it, except the
+
Attention, la requete peut etre longue, elle liste la totalite du personnel de la delegation
# admin entry below
 
# These access lines apply to database #1 only
 
access to attrs=userPassword,shadowLastChange
 
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
 
        by anonymous auth
 
        by self write
 
        by * none
 
#by dn="cn=updateDR15,ou=People,dc=cnrs,dc=fr" write
 
# Ensure read access to the base for things like
 
# supportedSASLMechanisms.  Without this you may
 
# have problems with SASL not knowing what
 
# mechanisms are available and the like.
 
# Note that this is covered by the 'access to *'
 
# ACL below too but if you change that as people
 
# are wont to do you'll still need this if you
 
# want SASL (and possible other things) to work
 
# happily.
 
access to dn.base="" by * read
 
  
# The admin dn has full write access, everyone else
 
# can read everything.
 
access to *
 
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
 
        by * read
 
  
# For Netscape Roaming support, each user gets a roaming
+
Attention !
# profile for which they have write access to
 
#access to dn=".*,ou=Roaming,o=morsnet"
 
#        by dn="cn=admin,dc=cnrs,dc=fr" write
 
#        by dnattr=owner write
 

Version du 22 juin 2007 à 14:36

Installation

On travaille en tant que root, dans /root :

#cd /root

Préparation de la machine et des dépendances :

 #apt-get install libdb4.4 libdb4.4-dev libssl-dev openssl make gcc libsasl2-dev

Récupération et décompression du logiciel :

#wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.3.36.tgz
#tar xvzf openldap-2.3.36.tgz


[root@ldap root]#cd openldap-2.3.36
[root@ldap openldap-2.3.36]# CPPFLAGS=-DSLAPD_MULTIMASTER ./configure --enable-bdb=yes --enable-crypt=yes --with-tls=yes  --enable-spaswd=yes \
--enable-cleartext=yes --enable-dyngroup=yes  --enable-dynlist=yes --enable-refint=yes --enable-sasl=no  \
--prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc --localstatedir=/var/lib 

Comme il est écrit, on fait :

[root@ldap openldap-2.3.36]# make depend

Puis on compile et on installe :

[root@ldap openldap-2.3.36]# make -j 4
[root@ldap openldap-2.3.36]# make install

Il faut maintenant récupérer le fichier de schéma du CNRS et l'ajouter à notre annuaire :

# wget http://xxx/cnrs.schema.gz
# gunzip cnrs.schema.gz
# mv cnrs.schema /etc/openldap/schema

Éditons le fichier de configuration afin de préparer le serveur :

# vim /etc/openldap/slapd.conf

Voici mon fichier commenté :

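# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#
# NOTE: this file holds the rootpw and the syncrepl credentials. Keep it
# readable only by root and the account slapd runs as (e.g. mode 0600).

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
# cnrs.schema is the site schema fetched in the installation steps; it must
# be present before slapd starts. It presumably defines cnrsDelegation,
# which is indexed below -- verify against the schema file.
include         /etc/openldap/schema/cnrs.schema
include         /etc/openldap/schema/dyngroup.schema


# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values.
# 0 disables debug logging; raise it while bringing replication up
# (e.g. "stats" or "sync"), then lower it again.
loglevel       0

# Where the dynamically loaded modules are stored
#modulepath     /usr/lib/ldap
#moduleload     back_bdb
#moduleload      dyngroup

#overlay         dynlist
#dynlist-attrset  groupOfURLs memberURL member

# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "ou=People,dc=cnrs,dc=fr"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,ou=People,dc=cnrs,dc=fr"
# "secret" is a placeholder. Do not keep a cleartext value here: generate a
# hash with `slappasswd -h {SSHA}` and paste its output, i.e.
#   rootpw          {SSHA}<hash-from-slappasswd>
rootpw          "secret"

# Where the database files are physically stored for database #1
# (the directory must exist and be writable by the slapd user before start)
directory       "/var/lib/ldap-people"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
# TEST AND TUNE ACCORDING TO YOUR SERVER

#dbconfig set_cachesize 0 2097152 0
#dbconfig set_cachesize 0 268435456 0
#dbconfig set_cachesize 0 1073741824 0

# For my virtual server with 1 GB of RAM and 2 virtual CPUs (512 MB cache):
dbconfig set_cachesize 0 536870912 0

# Let BDB remove transaction log files that are no longer needed
dbconfig set_flags    DB_LOG_AUTOREMOVE

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid                               eq,pres
# entryCSN/entryUUID are the attributes syncrepl searches on
index entryCSN,entryUUID                eq,pres
index cnrsDelegation                    eq,pres,sub


# Save the time that the entry gets modified, for database #1
lastmod         on

# Only the provider needs syncprov; this host is a consumer.
#overlay syncprov

# syncrepl consumer of the ou=People tree from the DR15 provider.
#  - rid: replace XXX with this consumer's DR number (e.g. 013). Keep this
#    note here, not on the syncrepl line itself: every whitespace-separated
#    token on that line is parsed as a syncrepl keyword and unknown keywords
#    are rejected.
#  - interval (dd:hh:mm:ss, here 15 min) only applies to type=refreshOnly;
#    it is kept in case the type is switched but is ignored with
#    refreshAndPersist.
#  - the keyword is "scope" (the earlier "scop" typo was rejected).
#  - retry makes the consumer reconnect every 60 s, indefinitely, when the
#    provider link drops; without it the session is not re-established.
#  - bindmethod=simple sends the credentials in clear over ldap://; add
#    starttls=yes once the provider offers TLS.
#  - credentials is a placeholder: replace with the sync account password.
# Do not put comment lines inside the indented continuation block below.
syncrepl rid=XXX
       provider=ldap://ldap.dr15.cnrs.fr:389
       searchbase="ou=People,dc=cnrs,dc=fr"
       type=refreshAndPersist
       interval=00:00:15:00
       scope=sub
       schemachecking=off
       updatedn="cn=admin,ou=people,dc=cnrs,dc=fr"
       bindmethod=simple
       binddn="cn=sync-drXXX,ou=people,dc=cnrs,dc=fr"
       credentials="Mot de passe"
       retry="60 +"

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# (the rootdn bypasses ACLs entirely, so the explicit admin clause only
# matters if cn=admin is ever used as a regular, non-root DN)
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything. "by * read" includes anonymous clients, so every
# attribute not listed above is world-readable; the anonymous
# `ldapsearch -x` used to check replication relies on this. Use
# "by users read" instead if the directory must not be browsable
# without a bind.
access to *
        by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=cnrs,dc=fr" write
#        by dnattr=owner write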


Démarrez le démon :

# slapd 

La réplication devrait commencer avec le serveur de Bordeaux ; vous pouvez la suivre en faisant des requêtes sur la base :

# ldapsearch -x -b "ou=People,dc=cnrs,dc=fr" 

Attention, la requête peut être longue : elle liste la totalité du personnel de la délégation.


Attention !