doc:appunti:linux:sa:sldap_2_5

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:sldap_2_5 [2023/12/02 11:17] – [Restore from the backup file] niccolo
doc:appunti:linux:sa:sldap_2_5 [2023/12/02 12:31] (current) – [Enable SSL] niccolo
Line 14: Line 14:
  
 FIXME La **[[https://discourse.ubuntu.com/t/service-migrating-from-openldap-2-4-x-to-2-5-x/23807|Service - Migrating from OpenLDAP 2.4.x to 2.5.x]]** non ha funzionato; fallisce quando si tenta di ricaricare il database **dc=rigacci,dc=org.ldif** con il comando **slapadd**. FIXME La **[[https://discourse.ubuntu.com/t/service-migrating-from-openldap-2-4-x-to-2-5-x/23807|Service - Migrating from OpenLDAP 2.4.x to 2.5.x]]** non ha funzionato; fallisce quando si tenta di ricaricare il database **dc=rigacci,dc=org.ldif** con il comando **slapadd**.
 +
 +Per ripristinare il servizio si sono eseguite ex-nove tutte le operazoni necessarie, in particolare:
 +
 +  * Caricato lo schema **mozillaAbPersonAlpha**.
 +  * Creato il database #2 per gestire il suffisso **ou=Addressbook,dc=rigacci,dc=org**.
 +  * Creata la organizationalUnit **Addressbook**.
 +  * Creata la inetOrgPerson **cn=guest**.
 +  * Caricate tutte le entry objectClass **mozillaAbPersonAlpha**.
  
 ===== (Re)installation from scratch ===== ===== (Re)installation from scratch =====
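Review bot: the FIXME in this hunk records that slapadd failed on dc=rigacci,dc=org.ldif but not the error slapd printed, so the note cannot be acted on later; capture the exact slapadd message next to the FIXME. The rebuild list also says cn=guest was created under ou=Addressbook and database #2 was added, without recording how the userPassword of cn=guest and the olcAccess rules of database #2 were set; those two items decide what a guest or anonymous bind can read, so they belong in the list. Minor: the added paragraph and list are in Italian while the page's headings and the other sections are in English.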
Line 34: Line 42:
  
 Reading the dump of database #0, you can see that the **cn=config** database has the **olcRootDN: cn=admin,cn=config**, but it does not have an **olcRootPW**, so you cannot modify the config database connecting with a login/password pair. See below on how to modify the **cn=config** database (e.g. to add a new database backend). Reading the dump of database #0, you can see that the **cn=config** database has the **olcRootDN: cn=admin,cn=config**, but it does not have an **olcRootPW**, so you cannot modify the config database connecting with a login/password pair. See below on how to modify the **cn=config** database (e.g. to add a new database backend).
 +
 +===== Enable SSL =====
 +
 +Create a self signed certificate or get it from some provider, like **[[https://letsencrypt.org/|Let's Encrypt]]**. Copy the files into **/etc/ldap/ssl/** and give them permissions for the //openldap// user.
 +
 +Create the following file **config-ssl.ldif**:
 +
 +<file>
 +dn: cn=config
 +changetype: modify
 +replace: olcTLSCertificateFile
 +olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
 +-
 +replace: olcTLSCertificateKeyFile
 +olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
 +-
 +replace: olcTLSCACertificatePath
 +olcTLSCACertificatePath: /etc/ssl/cert
 +</file>
 +
 +and load it into the slapd 2.5 configuration:
 +
 +<code>
 +ldapmodify -Y EXTERNAL -H ldapi:/// -f config-ssl.ldif
 +</code>
 +
 +Enable ldaps into **/etc/default/slapd**:
 +
 +<file>
 +SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
 +</file>
 +
 +Restart the slapd service.
  
 ===== Adding a second (new) database ===== ===== Adding a second (new) database =====
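Review bot: olcTLSCACertificatePath: /etc/ssl/cert looks wrong on two counts: the Debian/Ubuntu system CA directory is /etc/ssl/certs (with a trailing s), and slapd-config(5) documents the *Path directive as not supported when slapd is built against GnuTLS, which is how the Ubuntu package is built; use `replace: olcTLSCACertificateFile` with `olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt` (the Debian/Ubuntu CA bundle) instead, or leave the CA directive out if client certificates are not verified (olcTLSVerifyClient), since fullchain.pem already carries the intermediate chain. "give them permissions for the openldap user" should state the intended mode: privkey.pem readable by the openldap user only (for example owner root, group openldap, mode 0640), while fullchain.pem can stay world-readable. With Let's Encrypt the certificate is renewed every 90 days under /etc/letsencrypt, so the copy in /etc/ldap/ssl/ goes stale unless a certbot deploy hook recopies the files and restarts slapd. After the restart, a check such as `openssl s_client -connect <server name>:636` (substitute the host name in the certificate) confirms that ldaps serves the new chain.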
Line 218: Line 259:
 </file> </file>
  
 +==== Testing an ldapsearch ====
 +
 +Finally you can test if the LDAP database is working doing a full search with **ldapsearch**:
 +
 +<code bash>
 +ldapsearch -W \
 +    -H ldap://127.0.0.1/ \
 +    -D "cn=guest,ou=Addressbook,dc=rigacci,dc=org" \
 +    -b 'ou=Addressbook,dc=rigacci,dc=org'
 +</code>
 +
 +The **ldap** protocol is on port **389/tcp**, **ldaps** is on **636/tcp**.
 ===== Web References ===== ===== Web References =====
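Review bot: the test binds as cn=guest with -W over ldap://127.0.0.1/ (389/tcp), so the guest password travels in clear; that is acceptable on the loopback address used here, but since the previous hunk enables ldaps the TLS listener should be tested too, with `-H ldaps://<server name>/` (the name in fullchain.pem, which 127.0.0.1 will not match) or with `-ZZ` added to require STARTTLS on the ldap:// URI. Also worth a sentence: with no filter given, ldapsearch uses (objectClass=*), so a successful run dumps the whole Addressbook subtree, which is the intended full search but also shows exactly what the olcAccess rules let cn=guest read.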
  
doc/appunti/linux/sa/sldap_2_5.1701512225.txt.gz · Last modified: 2023/12/02 11:17 by niccolo