OpenLDAP¶
/etc/ldap/slapd.d/cn=config/cn=schema # schema location
slapcat # show content of DB object
/usr/sbin/slapcat -v -l dump.ldif # backup SLAPD database
# Install
sudo apt-get install slapd ldap-utils
dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name? mydomain.com
Organization name? any name
Administrator password? password
Database backend? HDB | BDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
RESTART SLAPD (or container)
ldapsearch -D "cn=admin,dc=mycorp,dc=com" -w password -b "dc=mycorp,dc=com"
ldapsearch -H ldap://localhost:389 -D "cn=admin,dc=mycorp,dc=com" -w password -b "dc=mycorp,dc=com"
IMPORTANT DELETE ALL
ldapdelete -D cn=admin,dc=mycorp,dc=com -w password -r "dc=mycorp,dc=com"
##########
##############################################
# Создадим группу пользователей с названием «users» при помощи команды ldapmodify
ldapmodify -D "cn=admin,dc=mydomain,dc=com" -w password
dn: ou=users,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: users
description: Domain Users
Всё, начиная с «dn: » вводим руками. После ввода строки описания («description: Domain Users») нажимаем Enter два раза. Если всё введено без ошибок, вы должны увидеть такое сообщение: adding new entry "ou=Users,dc=mydomain,dc=com"
# Нажимаем Ctrl+C для выхода
ldapadd -D cn=admin,dc=mycorp,dc=com -w password -f addgroup.ldif
##################################################
# Create user
slappasswd # generate hash pass
ldapmodify -D "cn=admin,dc=mydomain,dc=com" -w password
or
nano adduser.ldif
dn: uid=jdoe,cn=John Doe,ou=users,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
ou: users
uid: jdoe
givenName: John
sn: Doe
userPassword: {SSHA}hsxkIVICZSSQsUOQf4xWZutr0t44HSFP
ldapmodify -D "cn=admin,dc=mycorp,dc=com" -w password -f adduser.ldif
######################################################################
# Modify ldif-file:
dn: cn=John Doe,ou=users,dc=mycorp,dc=com
changetype: modify
add: userPassword
userPassword: {SSHA}hsxkIlskflksfOQf4xWZutr0t44HSFP
######################################################################
############
# Commands #
############
::
ldapsearch -D "cn=admin,dc=mydomain,dc=com"
-w <pass> # bind password (for simple authentication)
-W # prompt for bind password
-a deref one of never (default), always, search, or find
-A retrieve attribute names only (no values)
-b basedn base dn for search
-c continuous operation mode (do not stop on errors)
-E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
[!]domainScope (domain scope)
!dontUseCopy (Don't Use Copy)
[!]mv=<filter> (RFC 3876 matched values filter)
[!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
[!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
(RFC 2891 server side sorting)
[!]subentries[=true|false] (RFC 3672 subentries)
[!]sync=ro[/<cookie>] (RFC 4533 LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (refreshAndPersist)
[!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
(ldapv3-vlv-09 virtual list views)
[!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
[!]<oid>[=:<b64value>] (generic control; no response handling)
-f file read operations from `file'
-F prefix URL prefix for files (default: file:///tmp/)
-l limit time limit (in seconds, or "none" or "max") for search
-L print responses in LDIFv1 format
-LL print responses in LDIF format without comments
-LLL print responses in LDIF format without comments
and version
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-s scope one of base, one, sub or children (search scope)
-S attr sort the results by attribute `attr'
-t write binary values to files in temporary directory
-tt write all values to files in temporary directory
-T path write files to directory specified by path (default: /tmp)
-u include User Friendly entry names in the output
-z limit size limit (in entries, or "none" or "max") for search
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
Backup data¶
backup.sh:
#!/bin/sh
LDAPBK=ldap_$( date +%H-%M_%d-%m-%Y ).ldif
BACKUPDIR=/var/backups
/usr/sbin/slapcat -v -l $BACKUPDIR/$LDAPBK
gzip -9 $BACKUPDIR/$LDAPBK
Restore data¶
stop slapd daemon:
/etc/init.d/slapd stop
delete old database (make sure you are in right directory to use rm):
cd /var/lib/ldap rm -rf *
Restore database from LDIF file:
/usr/sbin/slapadd -l backup.ldif
run slapd daemon:
/etc/init.d/slapd start