Lezione Lab 05

Transcript

Lezione Lab 05
Implementazione dell’autenticazione con LDAP
Esercitazione
!
Informazioni preliminari
"
#
"
"
#
:
/etc/openldap/slapd.conf
/etc/openldap/ldap.conf
/etc/ldap.conf
$ /etc/init.d/ldap
$
% &
$ ldap://<server>/<base_dn>?<filtro>?<scope>
'$
ldapsearch
ldapadd/modify/delete
ldappasswd
slapcat
slapadd
slappasswd
slapdn
…
Rete di riferimento
( )
+
,
.
&
"
0
*
( ) *
( ) *
-
( )
( )
1
/
*
-
)
*
Avvio e configurazione del servizio base
)
2
/etc/openldap/slapd.conf
o
3
-
…
[CUT]
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database        bdb
suffix          "dc=master,dc=univr,dc=it"
rootdn          "cn=Manager,dc=master,dc=univr,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw          {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
$ $> slaptest
$ $> slapd -d3
$ root.ldif
dn: dc=master,dc=univr,dc=it
dc: master
objectClass: dcObject
objectClass: organizationalUnit
ou: masterUnit
$
)
o
o
$> slapadd -l root.ldif
'
$ $> chown ldap:ldap /var/lib/ldap/*
$ $> /etc/init.d/ldap start
)
dir1: dir.ldif
)
)
dn: dc=dir1,dc=master,dc=univr,dc=it
ou: dir1
objectClass: organizationalUnit
)
)
o
)
)
$
() *
)
$
ldapadd -x -D cn=Manager,dc=master,dc=univr,dc=it -W -f dir.ldif
$ $> ldapsearch -x -b dc=master,dc=univr,dc=it -h 127.0.0.1
! () *
/etc/openldap/ldap.conf
People, Groups e Services (branches.ldif)
dn: ou=People,dc=dir1,dc=master,dc=univr,dc=it
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=dir1,dc=master,dc=univr,dc=it
ou: Groups
objectClass: organizationalUnit

dn: ou=Services,dc=dir1,dc=master,dc=univr,dc=it
ou: Services
objectClass: organizationalUnit
)
)
ldapadd
slapadd
$ group.ldif
dn: cn=staff1,ou=Groups,dc=dir1,dc=master,dc=univr,dc=it
gidNumber: 8901
objectClass: top
objectClass: posixGroup
cn: staff1
)
)
ldapadd
slapadd
$ user.ldif
dn: uid=user1,ou=People,dc=dir1,dc=master,dc=univr,dc=it
uid: user1
cn: Paolo Rossi
userPassword: {SSHA}gDAxp9h3kaoiV7vpnldQTnvnc62hMdX1
uidNumber: 5001
gidNumber: 8901
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
shadowMax: 999999
shadowLastChange: 111180
shadowWarning: 7
shadowFlag: 134539460
loginShell: /bin/bash
homeDirectory: /home/user1
gecos: Paolo Rossi
'
)
$ $> chown ldap:ldap /var/lib/ldap/*
)
1
o
!
!
#
4
)
)
5
5
$
/etc/ldap.conf
$
o
$> system-config-authentication
)
(
*
!
!
)
'$
o
o
o
'$
ldapsearch -xD uid=user1,ou=People,dc=dir1,dc=master,dc=univr,dc=it -W
$> id user1
2
/home/user1
user1
)
$
dn: dc=dir3,dc=master,dc=univr,dc=it
!
user1
objectClass: referral
objectClass: extensibleObject
dc: dir3
ref: ldap://192.168.2.32/dc=dir3,dc=master,dc=univr,dc=it??sub
)
)
ldapsearch -xC
0
'
2
6
)
&
78
9 $
o $> export PATH=/usr/java/jre1.5.0_02/bin/:$PATH
- $
)
o
)
!
$> /root/ldap/ldapbrowser/lbe.sh
2
(" ):2
;*
!
)
0
!
o
$
ldapsearch -x uid=user1 +
Schemi degli objectClass Utilizzati
objectclass ( 2.5.6.5 NAME 'organizationalUnit'
DESC 'RFC2256: an organizational unit'
SUP top STRUCTURAL
MUST ou
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator
$ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $
description ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Additional attributes for shadow passwords'
MUST uid
MAY ( userPassword $ shadowLastChange $ shadowMin $
shadowMax $ shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag $ description ) )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts'
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )