Openldap: Difference between revisions
Latest revision as of 21:25, 21 April 2015
cn=config
We use the cn=config configuration option in all of Pandora. Ostensibly, since this means the configuration is stored in the ldap database itself, changes can be made without restarting the server. What this means in practice is that we no longer have a specific configuration file, we now have a bunch of ldif files in the cn=config directory.
To make a change, all you have to do is make the change in the ldif file and restart slapd.
If you need to make a change without restarting the server, use ldapmodify to change the cn=config database. I haven't done this, but it is possible and should be documented here when someone does it.
Dumping/Restoring Configs
Warning: make sure slapd has been stopped before running any of the slap* commands (slapcat, slapadd, etc.).
To dump the cn=config database into an ldif file, use the following.
slapcat -n0 -F /etc/openldap/slapd.d > /tmp/config-in-portable-format.ldif
To restore, make sure /etc/openldap/slapd.d is empty (back up the old directory in case something goes wrong) and that the directory exists.
slapadd -n0 -F /etc/openldap/slapd.d -l /tmp/config-in-portable-format.ldif
New Server
The easiest way to build out a server is to bring over an ldif file dumped from another server. Once you have imported it, LDAP nullifies the password hash, so you will have to regenerate it. It's good practice to take a backup of the slapd.d directory from a clean state, but it's not strictly necessary since it's part of the default install.
Changing the admin passwords
To change the administrative password, you have to generate a hash and then add it into the online configuration database.
First create a new password hash like so:
[root@server-01 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}XXXXXXXXXXXX
There are two different admin accounts for OpenLDAP. One is the Manager which gives admin access to the directory and the other is for cn=config that allows you to modify OpenLDAP's configuration with ldifs (or an ldap editor like apache directory studio).
To modify the Manager account, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif and look for these two lines:
olcRootDN: cn=Manager,dc=domain,dc=com
olcRootPW: {SSHA}XXXX=
Replace olcRootPW's entry with your new hash.
To change cn=config's password, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif and modify the olcRootPW entry there in the same way.
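The page mentions that cn=config can be modified with ldapmodify instead of editing the files under slapd.d and restarting, and then shows the root password change as a hand edit. The script below, an added example that is not part of the original wiki page, does that password change the online way: it computes the {SSHA} hash the way slappasswd does (base64 of sha1(password + salt) followed by the 4-byte salt), verifies the hash before installing it, builds one ldapmodify record per database, and feeds it to ldapmodify over ldapi:/// with SASL EXTERNAL, which (as the page notes for ldapadd) must run as root. The database DNs {0}config and {2}bdb are the ones the page names; the function names and the 4-byte salt length are assumptions of this example.

```python
"""Change olcRootPW on the cn=config and user databases via ldapmodify.
Added example; not code from the wiki page. Assumes OpenLDAP's ldapi:///
socket and that the script runs as root (for -Y EXTERNAL)."""
import base64
import hashlib
import os
import subprocess
import sys

# The two root DNs the page describes: {0}config guards cn=config itself,
# {2}bdb holds the user data.
DATABASES = (
    "olcDatabase={0}config,cn=config",
    "olcDatabase={2}bdb,cn=config",
)


def make_ssha(password, salt=None):
    """Return a {SSHA} value in the same layout slappasswd emits by default:
    base64( sha1(password + salt) || salt ). A 4-byte random salt is assumed."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a password against a {SSHA} value, so you can confirm the hash
    you are about to install matches what you typed before slapd relies on it."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # sha1 digests are 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_rootpw_ldif(hash_value, databases=DATABASES):
    """Build the ldapmodify input that sets olcRootPW on each database.
    'replace' works whether or not the attribute is currently present."""
    records = []
    for dn in databases:
        records.append(
            "dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n"
            % (dn, hash_value)
        )
    return "\n".join(records)


def apply_ldif(ldif):
    """Send the LDIF to the running slapd over the local socket; no restart needed."""
    proc = subprocess.run(
        ["ldapmodify", "-Y", "EXTERNAL", "-H", "ldapi:///"],
        input=ldif.encode("utf-8"),
    )
    return proc.returncode


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("New password: ")
    if pw != getpass.getpass("Re-enter new password: "):
        sys.exit("passwords do not match")
    hashed = make_ssha(pw)
    if not verify_ssha(hashed, pw):
        sys.exit("hash self-check failed")
    ldif = build_rootpw_ldif(hashed)
    sys.stdout.write(ldif)  # show what is about to be applied
    sys.exit(apply_ldif(ldif))
```

Because olcRootPW lives in cn=config, the change is effective as soon as ldapmodify returns; there is nothing to restart. {SSHA} is salted SHA-1, which is what the page's slappasswd output shows; slappasswd's -h option selects other schemes if your build offers stronger ones.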
Setting up audit logging
This is a work in progress. We've got it working in a client but there are some unanswered questions:
- who made the change?
- how do you control which changes are recorded? all writes, some writes, reads?
- how big will the log grow? can I rotate the log out hot?
The how so far
create a file:
auditlog_setup_module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog
then add it (run this command as root so that -Y EXTERNAL works):
ldapadd -Y EXTERNAL -H ldapi:/// -f auditlog_setup_module.ldif
create another file:
auditlog_setup_overlay.ldif
dn: olcOverlay=auditlog,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /tmp/auditlog.ldif
Note that we figured out that olcDatabase={2} is the database that holds our important user data.
then add it:
ldapadd -Y EXTERNAL -H ldapi:/// -f auditlog_setup_overlay.ldif
then restart ldap and tail your audit file.
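The auditlog overlay writes each change as standard LDIF preceded by a comment header carrying the time of the change and the identity that made it, which is where the "who made the change?" question above gets answered. The reader below is an added example, not part of the original page: it splits an audit file into records, pulls the operation, timestamp and modifier DN out of the header, collects the attributes each record touched, and flags records that changed attributes a defender wants to see immediately. The sample log is constructed for this example; its header layout ("# <op> <epoch> <modifier dn> ...") is an assumption about slapo-auditlog's exact format, and the parser relies only on the first two header fields and the matching "# end <op> <epoch>" line.

```python
"""Parse slapo-auditlog output and flag sensitive changes.
Added example; not code from the wiki page. Header layout of the
constructed sample is an assumption; see the lead-in."""
import base64
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit file using the page's dc=domain,dc=com suffix.
SAMPLE_LOG = """\
# modify 1429649100 cn=Manager,dc=domain,dc=com conn=1007
dn: uid=jdoe,ou=People,dc=domain,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9WFhYWA==
-
replace: entryCSN
entryCSN: 20150421212500.000000Z#000000#000#000000
-
# end modify 1429649100

# add 1429649200 cn=Manager,dc=domain,dc=com conn=1008
dn: uid=newuser,ou=People,dc=domain,dc=com
changetype: add
objectClass: inetOrgPerson
uid: newuser
# end add 1429649200

# delete 1429649300 cn=Manager,dc=domain,dc=com conn=1009
dn: uid=olduser,ou=People,dc=domain,dc=com
changetype: delete
# end delete 1429649300
"""

# Attributes whose modification is worth an immediate look (assumed list).
SENSITIVE_ATTRS = {"userpassword", "olcrootpw", "olcaccess", "member", "memberuid"}

HEADER = re.compile(r"^# (add|modify|delete|modrdn) (\d+)(?:\s+(.*))?$")
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):")
MOD_OPS = {"add", "replace", "delete", "increment"}  # LDIF modify directives


def parse_auditlog(text):
    """Return one dict per record: op, time (UTC), modifier, dn, attrs (lowercase)."""
    records, current = [], None
    for line in text.splitlines():
        if current is None:
            m = HEADER.match(line)
            if m:
                op, epoch, rest = m.groups()
                fields = (rest or "").split()
                current = {
                    "op": op,
                    "time": datetime.fromtimestamp(int(epoch), timezone.utc),
                    "modifier": fields[0] if fields else "anonymous",
                    "dn": None,
                    "attrs": set(),
                }
            continue
        if line.startswith("# end "):
            records.append(current)
            current = None
            continue
        if line.startswith("#") or line == "-" or not line.strip():
            continue
        if line.startswith("dn::"):  # base64-encoded DN
            current["dn"] = base64.b64decode(line[4:].strip()).decode("utf-8")
            continue
        if line.startswith("dn:"):
            current["dn"] = line[3:].strip()
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "changetype":
            continue
        if current["op"] == "modify" and key in MOD_OPS:
            # "replace: userPassword" names the attribute being changed
            current["attrs"].add(line.split(":", 1)[1].strip().lower())
        else:
            current["attrs"].add(key)
    return records


def sensitive_changes(records):
    """Records that touched any attribute in SENSITIVE_ATTRS."""
    return [r for r in records if r["attrs"] & SENSITIVE_ATTRS]


def changes_per_modifier(records):
    """Operation count per modifier identity: the 'who' from the header."""
    return dict(Counter(r["modifier"] for r in records))


if __name__ == "__main__":
    import sys

    # Pass the page's /tmp/auditlog.ldif (or any audit file) as the first argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_auditlog(text)
    for r in sensitive_changes(recs):
        print("%sZ %s %s %s %s" % (r["time"].strftime("%Y-%m-%d %H:%M:%S"),
                                   r["modifier"], r["op"], r["dn"],
                                   sorted(r["attrs"] & SENSITIVE_ATTRS)))
    print(changes_per_modifier(recs))
```

Because the overlay logs the full LDIF of each change, the audit file contains attribute values, password hashes included. That argues for keeping it somewhere more restricted than /tmp with permissions limited to the slapd user and whoever reads the audit trail, and it bears on the log-growth question above: every write is recorded in full, so rotation has to be planned for.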
backup script
#!/bin/sh
# Dump the user database and cn=config, gzip them, and expire old dumps.
# Note the warning above about running slap* commands while slapd is up.
DATE=`date +%Y%m%d%H%M%S`
MAXAGE=15
echo "Ldap backup on ${HOSTNAME} at ${DATE}"
echo "removing old files, MAXAGE is ${MAXAGE} days"
# list, then delete, dumps older than MAXAGE days
/bin/find /home/ldap/backup/ -type f -mtime +${MAXAGE} -print -delete
echo "Backing up dc=domain,dc=com"
# -F points at the cn=config directory, as in the dump/restore section above
/usr/sbin/slapcat -F /etc/openldap/slapd.d -b "dc=domain,dc=com" > /home/ldap/backup/ldap.domain.com.${DATE}.ldif && gzip /home/ldap/backup/ldap.domain.com.${DATE}.ldif
ls -la /home/ldap/backup/ldap.domain.com.${DATE}.ldif.gz
echo "Backing up cn=Config"
/usr/sbin/slapcat -n0 -F /etc/openldap/slapd.d > /home/ldap/backup/ldap.config.${DATE}.ldif
gzip /home/ldap/backup/ldap.config.${DATE}.ldif
ls -la /home/ldap/backup/ldap.config.${DATE}.ldif.gz
references
https://documentation.fusiondirectory.org/en/documentation/replication_syncrepl