# openldap

**Repository Path**: ninggf/openldap

## Basic Information

- **Project Name**: openldap
- **Description**: docker-compose file and manual for openldap
- **Primary Language**: Docker
- **License**: Not specified
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2024-03-11
- **Last Updated**: 2024-04-16

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# OPENLDAP

以下为常用命令:

1. `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config`: 系统命令.
2. `ldapsearch -x -D'cn=admin,dc=dorabao,dc=com' -w admin -b dc=com`: 域命令

## 启用 memberof

### 配置refint与memberof模块

1. 配置文件
```shell
$ cat > add_modules.ldif <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: refint.so
olcModuleLoad: memberof.so
olcModulePath: /opt/bitnami/openldap/lib/openldap
EOF
```
2. 启用: `$ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add_modules.ldif`
3. 查看结果: `$ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=module{1},cn=config`
   ```ldif
   # module{1}, config
   dn: cn=module{1},cn=config
   objectClass: olcModuleList
   cn: module{1}
   olcModulePath: /opt/bitnami/openldap/lib/openldap
   olcModuleLoad: {0}refint.so
   olcModuleLoad: {1}memberof.so
   ```

### 启用refint模块

1. 配置文件
```shell
$ cat > enable_refint.ldif <<EOF
dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
EOF
```
2. 启用: `$ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_refint.ldif`

### 启用memberof模块

1. 配置文件
```shell
$ cat > enable_memberof.ldif <<EOF
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
```
2. 启用: `$ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_memberof.ldif`

> 尽是保证按`refint`->`memberof`顺序启用.


### 确认模块正确启用

使用命令`$ ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}mdb,cn=config olcOverlay=*`,确保能看到`refint`与`memberof`模块信息.

## 添加自定义schema

### 添加自定义属性与对象

1. 用户状态(启用/锁定（禁用）)

LDIF:

```shell
$ cat > myScheme.ldif <<EOF
dn: cn=custom,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: custom
olcAttributeTypes: {0}( 1.1.2.1.100 NAME 'userStatus' DESC 'if the user is locked' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.1.2.2.100 NAME 'user' DESC 'network user' AUXILIARY MUST userStatus )
EOF
```

命令: `$ldapadd -Q -Y EXTERNAL -H ldapi:/// -f myScheme.ldif`

### 修改或添加

```shell
$ cat > myScheme1.ldif <<EOF
dn: cn={4}custom,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: {0}( 1.1.2.2.100 NAME 'user' DESC 'network user' AUXILIARY MUST userStatus )
EOF
```

> 传送至[官方文档](https://www.openldap.org/doc/admin24/schema.html)

## 添加域

LDIF:

```shell
$ cat > add_dc.ldif <<EOF
dn: dc=dorabao,dc=com
objectclass: domain
dc: dorabao
EOF
```
命令:

`$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_dc.ldif`

## 添加组

配置文件:

```shell
$ cat > add_group.ldif <<EOF
dn: ou=Group,dc=dorabao,dc=com
objectclass: organizationalUnit
ou: Group
EOF
```

命令:

`$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_group.ldif`

## 添加用户部门

LDIF:

```shell
$ cat > add_people.ldif <<EOF
dn: ou=People,dc=dorabao,dc=com
objectclass: organizationalUnit
ou: People
EOF
```
命令:

`$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_people.ldif`


## 添加用户

LDIF:

```shell
$ cat > add_user.ldif <<EOF
dn: uid=test1,ou=People,dc=dorabao,dc=com
objectclass: account
objectclass: user
uid: test1
userStatus: 1
EOF
```

命令:

`$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_user.ldif`

### 将用户添加到新分组

LDIF:

```shell
$ cat > add_to_group.ldif <<EOF
dn: cn=testgroup,ou=Group,dc=dorabao,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People,dc=dorabao,dc=com
EOF
```

命令: `$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_to_group.ldif`

确认用户已经在组中:

`$ ldapsearch -x -D'cn=admin,dc=dorabao,dc=com' -w admin -b dc=dorabao,dc=com uid=test1 memberof`

输出以下内容，说明用户已经添加到组中:

```ldif
# test1, People, dorabao.com
dn: uid=test1,ou=People,dc=dorabao,dc=com
memberOf: cn=testgroup,ou=Group,dc=dorabao,dc=com
```

### 将用户添加到已有分组

LDIF:

```shell
$ cat > add_user2.ldif <<EOF
dn: uid=test2,ou=People,dc=dorabao,dc=com
objectclass: account
uid: test2
EOF
```

命令: `$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_user2.ldif`

LDIF:

```shell
$ cat > add_to_group2.ldif <<EOF
dn: cn=testgroup,ou=Group,dc=dorabao,dc=com
changetype: modify
add: member
member: uid=test2,ou=People,dc=dorabao,dc=com
EOF
```

命令: `$ ldapmodify -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_to_group2.ldif`

确认用户已经在组中:

1. `$ ldapsearch -x -D'cn=admin,dc=dorabao,dc=com' -w admin -b dc=dorabao,dc=com cn=testgroup`
2. `$ ldapsearch -x -D'cn=admin,dc=dorabao,dc=com' -w admin -b dc=dorabao,dc=com uid=test2 memberof`

### 有密码的用户(网络用户，nis)

使用`$ slappasswd -h {SSHA} -s 123456`生成用户密码.

LDIF(密码为`123456`):

```shell
$ cat > add_user3.ldif <<EOF
dn: cn=user3,ou=People,dc=dorabao,dc=com
objectclass: shadowAccount
objectclass: inetOrgPerson
uid: user3
cn: User3
sn: Smith
displayName: Bill Smith
mobile: 18049920020
mail: windywany@164.com
userPassword: {SSHA}M90YYHNr8iYtPe+uvhL4Qe4AIWAsrcxM
shadowInactive: 0
EOF
```

命令: `$ ldapadd -x -D'cn=admin,dc=dorabao,dc=com' -w admin -f add_user3.ldif`

### 修改用户密码

LDIF(密码为`Abc123`):

```shell
$ cat > update_pwd.ldif <<EOF
dn: cn=user3,ou=People,dc=dorabao,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}el/452U6bNPt/5SD+k+tETL1kKbjG5AK
EOF
```

命令:`$ ldapmodify -x -D "cn=user3,ou=People,dc=dorabao,dc=com" -W -f update_pwd.ldif`

> 以上命令会报错（Insufficient access (50)）

## 访问权限

### 修改超级管理员用户名与密码

LDIF(密码为`123456`):

```shell
$ cat > update_admin_pwd.ldif <<EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}NAsp886ektRC2cMSPu4yZ/lxJlnByaH6
EOF
```

命令: `$ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f update_admin_pwd.ldif`

### 允许用户自己修改密码

查询当用ACL: `$ ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}mdb,cn=config olcAccess`

LDIF(根据情况决定使用`add`还是`replace`):

```shell
$ cat > acl_1.ldif <<EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.children="ou=people,dc=dorabao,dc=com" attrs=userPassword,email,mobile,displayName
  by self write
  by anonymous auth
olcAccess: {1}to dn.subtree="dc=dorabao,dc=com" 
  by dn="cn=admin,ou=people,dc=dorabao,dc=com" manage
  by self read
  by anonymous auth
olcAccess: {2}to *
  by dn="cn=admin,dc=dorabao,dc=com" manage
  by * none
EOF
```

命令: `$ ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl_1.ldif`

此时可以尝试修改一下`user3`的密码:`$ ldapmodify -x -D "cn=user3,ou=People,dc=dorabao,dc=com" -W -f update_pwd.ldif`