Lezione Lab 05
Implementazione dell'autenticazione con LDAP Esercitazione ! Informazioni preliminari " # " " # : /etc/openldap/slapd.conf /etc/openldap/ldap.conf /etc/ldap.conf $ /etc/init.d/ldap $ % & $ ldap://<server>/<base_dn>?<filtro>?<scope> '$ ldapsearch ldapadd/modify/delete ldappasswd slapcat slapadd slappasswd slapdn … Rete di riferimento ( ) + , . & " 0 * ( ) * ( ) * - ( ) ( ) 1 / * - ) * Avvio e configurazione del servizio base ) 2 /etc/openldap/slapd.conf o 3 - … [CUT]
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=master,dc=univr,dc=it"
rootdn "cn=Manager,dc=master,dc=univr,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
$ $> slaptest $ $> slapd -d3 $ root.ldif
dn: dc=master,dc=univr,dc=it
dc: master
objectClass: dcObject
objectClass: organizationalUnit
ou: masterUnit
$ ) o o $> slapadd -l root.ldif ' $ $> chown ldap:ldap /var/lib/ldap/* $ $> /etc/init.d/ldap start ) dir1: dir.ldif ) )
dn: dc=dir1,dc=master,dc=univr,dc=it
ou: dir1
objectClass: organizationalUnit
) ) o ) ) $ () * ) $ ldapadd -x -D cn=Manager,dc=master,dc=univr,dc=it -W -f dir.ldif $ $> ldapsearch -x -b dc=master,dc=univr,dc=it -h 127.0.0.1 !
() * /etc/openldap/ldap.conf People, Groups e Services (branches.ldif)
dn: ou=People,dc=dir1,dc=master,dc=univr,dc=it
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=dir1,dc=master,dc=univr,dc=it
ou: Groups
objectClass: organizationalUnit

dn: ou=Services,dc=dir1,dc=master,dc=univr,dc=it
ou: Services
objectClass: organizationalUnit
) ) ldapadd slapadd $ group.ldif
dn: cn=staff1,ou=Groups,dc=dir1,dc=master,dc=univr,dc=it
gidNumber: 8901
objectClass: top
objectClass: posixGroup
cn: staff1
) ) ldapadd slapadd $ user.ldif
dn: uid=user1,ou=People,dc=dir1,dc=master,dc=univr,dc=it
uid: user1
cn: Paolo Rossi
userPassword: {SSHA}gDAxp9h3kaoiV7vpnldQTnvnc62hMdX1
uidNumber: 5001
gidNumber: 8901
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
shadowMax: 999999
shadowLastChange: 111180
shadowWarning: 7
shadowFlag: 134539460
loginShell: /bin/bash
homeDirectory: /home/user1
gecos: Paolo Rossi
' ) $ $> chown ldap:ldap /var/lib/ldap/* ) 1 o ! ! # 4 ) ) 5 5 $ /etc/ldap.conf $ o $> system-config-authentication ) ( * ! ! ) '$ o o o '$ ldapsearch -xD uid=user1,ou=People,dc=dir1,dc=master,dc=univr,dc=it -W (nota: -x esegue un bind semplice, quindi la password di user1 attraversa la rete in chiaro se la connessione non usa ldaps:// o StartTLS) $> id user1 2 /home/user1 user1 ) $
dn: dc=dir3,dc=master,dc=univr,dc=it
! user1
objectClass: referral
objectClass: extensibleObject
dc: dir3
ref: ldap://192.168.2.32/dc=dir3,dc=master,dc=univr,dc=it??sub
) ) ldapsearch -xC 0 ' 2 6 ) & 78 9 $ o $> export PATH=/usr/java/jre1.5.0_02/bin/:$PATH - $ ) o ) ! $> /root/ldap/ldapbrowser/lbe.sh 2 (" ):2 ;* ! ) 0 !
o $ ldapsearch -x uid=user1 + Schemi degli objectClass utilizzati
objectclass ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )