meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
ldap:openldap [2018/07/31 08:48] – created niziakldap:openldap [2018/08/01 12:05] (current) niziak
Line 1: Line 1:
 +====== Utils ======
 +  * OpenLDAP + phpLDAPAdmin Docker
 +    * Tags: [[https://hub.docker.com/r/osixia/openldap/tags/|osixia/openldap:1.2.1]]
 +    * Latest release: 1.2.1 - OpenLDAP 2.4.44 
 +    * Readme:[[https://github.com/osixia/docker-openldap|github]]
 +    * [[https://github.com/osixia/docker-openldap/blob/stable/example/docker-compose.yml|docker-compose.yml]]
 +  * OpenLDAP Backup [[https://github.com/osixia/docker-openldap-backup]]
 +  * [[http://directory.apache.org/studio/download/download-linux.html|Apache Directory Studio]]
 +  * LDAP Account Manager 
 +    * Docker: https://hub.docker.com/r/mwaeckerlin/lam/
 +    * <code bash>docker run -d -p 8123:80 --name lam mwaeckerlin/lam</code>
 +      * goto **LAM configuration** / **Edit general settings**, login with default password **lam** and Change master password. Then go back and still with password lam go to Edit server profiles to setup your OpenLDAP 
 +      * user: Manager, password: lam
  
 ====== cn=config ====== ====== cn=config ======
  
-Historically OpenLDAP has been statically configured, that is, to make a change to the configuration the slapd.conf file was modified and slapd stopped and started. In the case of larger users this could take a considerable period of time and had become increasingly unacceptable as an operational method+Historically OpenLDAP has been statically configured, that is, to make a change to the configuration the slapd.conf file was modified and slapd stopped and started. In the case of larger users this could take a considerable period of time and had become increasingly unacceptable as an operational method
 + 
 +Typically in your OpenLDAP installation you have at least two trees: 
 +  * One is the DIT ("data information tree") where you enter your nodes 
 +    * access by "cn=admin,dc=example,dc=org" 
 +    * default password "admin" 
 +  * One is **cn=config**, where the configuration information is put (which can be manipulated with just the same LDAP commands, as itself is setup as a DIT!). 
 +    * access by "cn=admin,cn=config" 
 +    * default password "config" 
 +    * **BaseDN: 'cn=config'** - use [[http://directory.apache.org/studio/|Apache Directory Studio]] to connect 
 + 
 +===== ACL ===== 
 + 
 +[[https://www.openldap.org/doc/admin24/access-control.html]] 
 + 
 +Order matters in ACL rules. LDAP will stop looking on the first match. So new acl entries should be inserted before default ones. 
 + 
 +Default entries: 
 +<code> 
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none 
 +olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none 
 +</code> 
 +  * olcAccess: {0}to attrs=userPassword,shadowLastChange 
 +    * by self write  
 +    * by dn="cn=admin,dc=example,dc=org" write  
 +    * by anonymous auth  
 +    * by * none 
 +  * olcAccess: {1}to *  
 +    * by self read  
 +    * by dn="cn=admin,dc=example,dc=org" write  
 +    * by * none 
 + 
 + 
 + 
 +Giving user: **uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com** rights: 
 +  * Entry to edit: **olcDatabase={1}mdb,cn=config** 
 +  * Attribute to add: **olcAccess** 
 +  * to by dn.exact="uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com" read 
 + 
 + 
 +==== Examples ==== 
 + 
 + 
 +<code>olcAccess: {1}to dn.base="" by * read</code> 
 + 
 +  * Give user access to modify photo: <code>olcAccess: to attrs=jpegPhoto by self write by * read</codE>