Openldap
Révision datée du 22 juin 2007 à 14:29 par Julien.garnier (discussion | contributions)
Installation
On travaille dans root :
#cd /root
Préparation de la machine et des dependances :
#apt-get install libdb4.4 libdb4.4-dev libssl-dev openssl make gcc libsasl2-dev
Recuperation et décompression du logiciel :
#wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.3.36.tgz #tar xvzf openldap-2.3.36.tgz
[root@ldap root]#cd openldap-2.3.36 [root@ldap openldap-2.3.36]# CPPFLAGS=-DSLAPD_MULTIMASTER ./configure --enable-bdb=yes --enable-crypt=yes --with-tls=yes --enable-spaswd=yes \ --enable-cleartext=yes --enable-dyngroup=yes --enable-dynlist=yes --enable-refint=yes --enable-sasl=no \ --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc --localstatedir=/var/lib
Comme il est ecrit on fait :
[root@ldap openldap-2.3.36]# make depend
Puis on compile et on installe :
[root@ldap openldap-2.3.36]# make -j 4 [root@ldap openldap-2.3.36]# make install
Il faut maintenant recuperer le fichier schema du cnrs et l'ajouter a notre annuaire :
# wget http://xxx/cnrs.schema.gz # gunzip cnrs.schema.gz # mv cnrs.schema /etc/openldap/schema
Editons le fichier de config afin de préparer le serveur :
# vim /etc/openldap/slapd.conf
Voici mon fichier commenté :
# This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/cnrs.schema include /etc/openldap/schema/dyngroup.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored #modulepath /usr/lib/ldap #moduleload back_bdb #moduleload dyngroup #overlay dynlist #dynlist-attrset groupOfURLs memberURL member # The maximum number of entries that is returned for a search operation sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb checkpoint 512 30 #######################################################################
- Specific Directives for database #1, of type bdb:
- Database specific directives apply to this databasse until another
- 'database' directive occurs
database bdb
- The base of your directory in database #1
suffix "ou=People,dc=cnrs,dc=fr"
- rootdn directive for specifying a superuser on the database. This is needed
- for syncrepl.
rootdn "cn=admin,ou=People,dc=cnrs,dc=fr"
- rootpw {SHA}T6ZDXBVFfbdydJAYiaDpYVysUz8=
rootpw "mo2passe"
- updatedn "cn=updateDR15,ou=People,dc=cnrs,dc=fr"
- Where the database file are physically stored for database #1
directory "/var/lib/ldap-people"
- For the Debian package we use 2MB as default but be sure to update this
- value if you have plenty of RAM
- dbconfig set_cachesize 0 2097152 0
- dbconfig set_cachesize 0 268435456 0
dbconfig set_cachesize 0 536870912 0
- dbconfig set_cachesize 0 1073741824 0
dbconfig set_flags DB_LOG_AUTOREMOVE
- Sven Hartge reported that he had to set this value incredibly high
- to get slapd running at all. See http://bugs.debian.org/303057
- for more information.
- Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
- Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
- Number of lockers
dbconfig set_lk_max_lockers 1500
- Indexing options for database #1
index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uid eq,pres index entryCSN,entryUUID eq,pres index cnrsDelegation eq,pres,sub
- Save the time that the entry gets modified, for database #1
lastmod on
- overlay syncprov
- id du client (numero DR?)
syncrepl rid=013
provider=ldap://ldap.dr15.cnrs.fr:389
searchbase="ou=People,dc=cnrs,dc=fr"
type=refreshAndPersist
interval=00:00:15:00
scop=sub
schemachecking=off
updatedn="cn=admin,ou=people,dc=cnrs,dc=fr"
bindmethod=simple
binddn="cn=sync-dr13,ou=people,dc=cnrs,dc=fr"
credentials="?un106blE"
- Where to store the replica logs for database #1
- replogfile /var/lib/ldap/replog
- The userPassword by default can be changed
- by the entry owning it if they are authenticated.
- Others should not be able to see it, except the
- admin entry below
- These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
by anonymous auth
by self write
by * none
- by dn="cn=updateDR15,ou=People,dc=cnrs,dc=fr" write
- Ensure read access to the base for things like
- supportedSASLMechanisms. Without this you may
- have problems with SASL not knowing what
- mechanisms are available and the like.
- Note that this is covered by the 'access to *'
- ACL below too but if you change that as people
- are wont to do you'll still need this if you
- want SASL (and possible other things) to work
- happily.
access to dn.base="" by * read
- The admin dn has full write access, everyone else
- can read everything.
access to *
by dn="cn=admin,ou=People,dc=cnrs,dc=fr" write
by * read
- For Netscape Roaming support, each user gets a roaming
- profile for which they have write access to
- access to dn=".*,ou=Roaming,o=morsnet"
- by dn="cn=admin,dc=cnrs,dc=fr" write
- by dnattr=owner write
