Install And Configure OpenLDAP On CentOS 5 - Page 2
12) To add a group, also use an LDIF-formatted file (in this case group.ldif):

    [root@kike openldap]# cat group.ldif
    dn: cn=users,dc=ldap-kike,dc=com,dc=uy
13) We add it to LDAP with ldapadd as follows:

    [root@kike openldap]# ldapadd -a -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif

To test that it was added successfully:

    [root@kike openldap]# id usuario1
    uid=10000(usuario1) gid=10000(users) groups=10000(users)

We see that the user is in the group "users".
14) Now create the user's home directory and copy the files from /etc/skel:

    [root@kike openldap]# mkdir /home/usuario1
    [root@kike openldap]# rsync -a /etc/skel/ /home/usuario1
    [root@kike openldap]# chown -R usuario1.users /home/usuario1
    [root@kike openldap]# chmod 700 /home/usuario1
    [root@kike openldap]# ls -la /home/usuario1
    total 20
15) Log in as a user

Once this is done we check that everything works. In the example the OpenLDAP server is running on a machine with the IP address 192.168.150.24, and we connect to it from another machine with the ssh command (double-check that the sshd daemon is running on the server where you installed OpenLDAP).

    $ ssh -l usuario1 192.168.150.24
    usuario1@192.168.150.24's password:
    Last login: Sat Jan 15 21:24:50 2010 from 192.168.150.207
    [usuario1@kike ~]$ id
    uid=10000(usuario1) gid=10000(users) grupos=10000(users)
    [usuario1@kike ~]$ pwd
    /home/usuario1

The user is logged in on the server, authenticated by the OpenLDAP server.
16) If you need to add another user, CAREFULLY edit the file user.ldif used previously:

    [root@kike openldap]# cat user.ldif
    dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy

Add it to the LDAP database:

    [root@kike openldap]# ldapadd -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f user.ldif
    Enter LDAP Password:
    adding new entry "uid=usuario2,dc=ldap-kike,dc=com,dc=uy"

Then create the home directory, copy the files from /etc/skel and set the permissions as we did for the other user.
17) To add the user to the group users:

    # cat group.ldif
    dn: cn=users,dc=ldap-kike,dc=com,dc=uy
18) Update the LDAP database with the command ldapmodify:

    [root@kike openldap]# ldapmodify -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif
    Enter LDAP Password:
    modifying entry "cn=users,dc=ldap-kike,dc=com,dc=uy"

OK, check the data with ldapsearch:

    [root@kike openldap]# ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"
    ……
    ……

We verify that everything is working properly:

    [root@kike openldap]# id usuario2
    uid=10001(usuario2) gid=10000(users) groups=10000(users)
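Steps 16 to 18 hand-edit user.ldif and group.ldif and feed them to ldapadd and ldapmodify; the bodies of those files are not reproduced on this page. The following is an added example, not the tutorial's own files, that builds both LDIF documents for a new user and sanity-checks the user entry before it is loaded (the "CAREFULLY" in step 16 is mostly about not reusing a uidNumber or leaving out a required attribute). It assumes the standard posixAccount/shadowAccount schema shipped with OpenLDAP; the objectClass list, loginShell and the /home/<uid> layout are assumptions consistent with steps 14 and 16, and the entry omits userPassword so it can be set afterwards with ldappasswd under the Manager DN.

```python
"""Build and check the LDIF used to add a posixAccount user and to add that
user to the cn=users group (added example; not the tutorial's own files)."""

BASE_DN = "dc=ldap-kike,dc=com,dc=uy"        # suffix used throughout the tutorial
GROUP_DN = f"cn=users,{BASE_DN}"             # group created in step 12


def user_ldif(uid, uid_number, gid_number=10000, shell="/bin/bash", base_dn=BASE_DN):
    """Return an LDIF document for a posixAccount entry, as consumed by ldapadd.
    objectClass list and loginShell are assumptions (standard nis.schema)."""
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",            # 10000 is the gid of cn=users in this tutorial
        f"homeDirectory: /home/{uid}",         # matches the directory created in step 14
        f"loginShell: {shell}",
    ]
    return "\n".join(lines) + "\n"


def group_member_ldif(uid, group_dn=GROUP_DN):
    """Return the 'changetype: modify' LDIF that adds uid as a memberUid of the
    group. This is applied with ldapmodify (step 18), not ldapadd."""
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "add: memberUid\n"
        f"memberUid: {uid}\n"
    )


def parse_ldif(text):
    """Minimal single-entry LDIF parser: {attribute: [values]}.
    Handles only the plain 'attr: value' form (no base64, no line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_user_entry(text, existing_uid_numbers):
    """Checks worth running before ldapadd: required posixAccount attributes
    present, uidNumber numeric and not already allocated. Returns a list of
    problems (empty list means the entry looks fine)."""
    entry = parse_ldif(text)
    problems = []
    for attr in ("dn", "uid", "cn", "uidNumber", "gidNumber", "homeDirectory"):
        if attr not in entry:
            problems.append(f"missing {attr}")
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("objectClass posixAccount missing")
    uidn = entry.get("uidNumber", [""])[0]
    if not uidn.isdigit():
        problems.append("uidNumber is not numeric")
    elif int(uidn) in existing_uid_numbers:
        problems.append(f"uidNumber {uidn} already in use")
    return problems


if __name__ == "__main__":
    allocated = {10000}                      # usuario1 from the first page of the tutorial
    new_user = user_ldif("usuario2", 10001)
    print(new_user)
    print(group_member_ldif("usuario2"))
    print("problems:", check_user_entry(new_user, allocated))
```

Write the two documents to user.ldif and group.ldif and load them exactly as in steps 16 and 18 (ldapadd for the user entry, ldapmodify for the group change); running ldapadd on a changetype: modify document is a common mistake the two separate functions are meant to make obvious.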
19) Basic LDAP security

With ACLs we can add minimal access controls to the LDAP database so that users cannot read other users' passwords (the LDAP equivalent of /etc/shadow). Add the following to slapd.conf:

    access to attrs=userPassword
        by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
        by self write
        by anonymous auth
        by * none
    access to dn.base=""
        by * read
    access to *
        by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
        by * read

Restart LDAP:

    [root@kike openldap]# service ldap restart

Now, if we run:

    ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"

we can no longer see any user's password. Only a user who authenticates to LDAP can see a password, and only their own:

    ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy" -D "uid=usuario2,dc=ldap-kike,dc=com,dc=uy" -W
    # usuario1, ldap-kike.com.uy
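To see why the ACL in step 19 behaves as described, it helps to walk through slapd's evaluation rules: the first "access to" clause whose target matches is the only one consulted, within it the first matching "by" line decides, and access is granted only if the level granted is at least the level requested (none < disclose < auth < compare < search < read < write). The following is an added example, not part of the tutorial, that models exactly those rules for the clauses above and checks the cases that matter: anonymous binds can still authenticate (auth on userPassword is what simple bind needs), anonymous and other users cannot read a userPassword, a user can read and change their own, the Manager can do anything, and everything else stays world-readable so that nss_ldap can still resolve `id usuario1`. The DNs are the tutorial's; the "default" ACL used for comparison is slapd's implicit rule when no access directive is configured.

```python
"""Model of slapd ACL evaluation for the rules in step 19 (added example).
Supports only the constructs used on this page: attrs=, dn.base="", *,
and by dn="...", self, anonymous, *."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The ACL added to slapd.conf in step 19.
ACL_TEXT = """
access to attrs=userPassword
    by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
    by self write
    by anonymous auth
    by * none
access to dn.base=""
    by * read
access to *
    by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
    by * read
"""

# What slapd applies when slapd.conf has no access directive at all:
# everything, userPassword included, is readable by everyone.
DEFAULT_ACL_TEXT = """
access to *
    by * read
"""

MANAGER = "cn=Manager,dc=ldap-kike,dc=com,dc=uy"
USUARIO1 = "uid=usuario1,dc=ldap-kike,dc=com,dc=uy"
USUARIO2 = "uid=usuario2,dc=ldap-kike,dc=com,dc=uy"


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into an ordered list."""
    clauses = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            clauses.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)   # dn="..." may contain spaces? no, but split from the right anyway
            clauses[-1]["by"].append((who, level))
    return clauses


def what_matches(what, target_dn, attr):
    """Does an 'access to' target cover (target_dn, attr)? attr=None means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what == 'dn.base=""':
        return target_dn == ""                 # the root DSE only
    return False


def who_matches(who, bind_dn, target_dn):
    """Does a 'by' subject match the bind DN (None = anonymous) for this target?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    return False


def granted(acl, bind_dn, target_dn, attr, wanted):
    """First matching 'what' clause wins; first matching 'by' inside it decides;
    no match means no access."""
    for clause in acl:
        if what_matches(clause["what"], target_dn, attr):
            for who, level in clause["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False
    return False


ACL = parse_acl(ACL_TEXT)
DEFAULT_ACL = parse_acl(DEFAULT_ACL_TEXT)

if __name__ == "__main__":
    cases = [
        ("anonymous bind can authenticate", None, USUARIO1, "userPassword", "auth"),
        ("anonymous reads a password", None, USUARIO1, "userPassword", "read"),
        ("usuario2 reads usuario1's password", USUARIO2, USUARIO1, "userPassword", "read"),
        ("usuario2 changes own password", USUARIO2, USUARIO2, "userPassword", "write"),
        ("Manager reads any password", MANAGER, USUARIO1, "userPassword", "read"),
        ("anonymous resolves uid (nss_ldap)", None, USUARIO1, "uid", "read"),
        ("anonymous changes a loginShell", None, USUARIO1, "loginShell", "write"),
    ]
    for label, bind, target, attr, level in cases:
        print(f"{label:40s} step19={granted(ACL, bind, target, attr, level)!s:5} "
              f"default={granted(DEFAULT_ACL, bind, target, attr, level)}")
```

The ordering matters: if the userPassword clause were placed after "access to *", it would never be reached, because "access to *" matches every attribute and slapd stops at the first matching clause. The "by anonymous auth" line is also not optional; without it a simple bind as a normal user fails, since slapd needs auth-level access to the attribute to verify the password.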
TASKS TO BE CARRIED OUT:

It would be worthwhile to set up an LDAP replica server so that users can still be served if the daemon crashes or the machine fails.