DevDungeon Wiki

User Tools

Site Tools

Trace:
other:ldap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
other:ldap [2021/04/03 20:21]
nanodano [OpenLDAP] 		other:ldap [2021/04/03 22:04] (current)
nanodano [web2ldap]
Line 1: Line 1:
-===== LDAP =====+====== LDAP ======
  
 [[https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol|Lightweight Directory Access Protocol]] or LDAP is useful for authenticating and authorizing users. It's convenient for having a central location to manage users and groups that many different applications can use. [[https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol|Lightweight Directory Access Protocol]] or LDAP is useful for authenticating and authorizing users. It's convenient for having a central location to manage users and groups that many different applications can use.
Line 35: Line 35:
  
 Here are instructions on setup OpenLDAP on Debian with LetsEncrypt SSL certificates. Here are instructions on setup OpenLDAP on Debian with LetsEncrypt SSL certificates.
 +Also refer to the Debian wiki page: [[https://wiki.debian.org/LDAP/OpenLDAPSetup]].
 +For a list of all man pages that comes with slapd, refer to [[https://manpages.debian.org/jessie/slapd/index.html]].
  
 <code bash> <code bash>
Line 86: Line 88:
 </code> </code>
  
-TODO: Setup certbot auto renew, with a post hook to restart slapd+If you want to setup certbot to auto-renew certificatesadd it into your crontab. 
 + 
 +<code> 
 +crontab -e  # As root 
 + 
 +# And add the following line to renew at 4:24am on 3rd day of month 
 +24 4 3 * *  certbot renew --post-hook "systemctl restart slapd
 +</code>
  
 At this point you can use StartTLS on the ldap:// port. At this point you can use StartTLS on the ldap:// port.
Line 99: Line 108:
  
  
-Now you connect using no encryption, StartTLS, or LDAPS.+Now you connect using no encryption, StartTLS, or LDAPS and you can add new organizational units and users with the admin user.
  
-Then you can add new organizational units and users. 
- 
-Add a new user with Apache Directory Studio, add an org unit first, with rdn: ou=hackers. Here are the raw ldif codes it generates. 
- 
-<code ldif | add_ou.ldif> 
-dn: ou=hackers,dc=devdungeon,dc=com 
-changetype: add 
-ou: hackers 
-objectClass: organizationalUnit 
-objectClass: top 
-</code> 
- 
-Then create a new entry with simpleSecurityObject (for password and cn) and organizationalRole for the structural 
- 
-<code ldif | add_user.ldif> 
-dn: cn=nanodano,ou=hackers,dc=devdungeon,dc=com 
-changetype: add 
-cn: nanodano 
-objectClass: organizationalRole 
-objectClass: top 
-objectClass: simpleSecurityObject 
-userPassword:: e2NTSEF9UUlUdmFHQmRIR29RVTBFakl2UGdUL3VNc2ZjRmg2STJaeW4zQOE9PQ= 
- = 
-</code> 
- 
-If you need a hashed password to provide to the ''userPassword'' value, you can use ''slappasswd'': 
- 
-<code bash> 
-slappasswd 
-</code> 
  
 ===== Tools ===== ===== Tools =====
Line 168: Line 147:
 </code> </code>
  
-You can also use ''ldapadd'' and ''ldapmodify'' to add or change users and configs.+You can also use ''ldapmodify'' to add or change users and configs. See the "LDIF examples" section below for more details.
  
 <code bash> <code bash>
- 
 ldapmodify -H ldapi:/// -Y EXTERNAL -f change.ldif ldapmodify -H ldapi:/// -Y EXTERNAL -f change.ldif
 +# or
 +ldapmodify -H ldapi:/// -f change.ldif -D cn=admin,dc=devdungeon,dc=com -W
 </code> </code>
  
Line 182: Line 162:
 ==== Apache Directory Studio ==== ==== Apache Directory Studio ====
  
-[[https://directory.apache.org/studio/|Apache Directory Studio]], a desktop application for interacting with any LDAP server.+[[https://directory.apache.org/studio/|Apache Directory Studio]], a desktop application for interacting with any LDAP server. It didn't work with Java 14 and I needed OpenJDK 11 as of March 2021. Download OpenJDK from [[https://adoptopenjdk.net]]. 
 + 
 +To add a new server connection, go to ''New LDAP Browser | LDAP Connection''
 +Use Simple Authentication, NOTE: When setting up the connection, and it asks about ''Edit Options'', you might choose ''Always use REPLACE'' otherwise you might get errors when trying to modify certain values with an error like "noSuchAttribute"
 + 
 +To add a user, right click on the top level object and add New Entry (Create from Scratch). 
 +Give it two object classes: ''organizationalRole'' and ''simpleSecurityObject''
 +Give it RDN of ''cn'' and then it will ask for a password. 
 + 
  
 ==== JXplorer ==== ==== JXplorer ====
 +
 +[[http://jxplorer.org|JXplorer]] is a GUI application for interacting with LDAP servers, though it's not the best. It does not seem to support StartTLS, only plain-text and LDAPS. I have not used it a ton, but I found it to be kind of weak and Apache Directory Studio seems much more featured.
  
 ==== web2ldap ==== ==== web2ldap ====
  
-Libraries+[[https://www.web2ldap.de|web2ldap]] is a web application for managing LDAP servers. 
 + 
 +To install it in Debian, 
 + 
 +<code bash> 
 +sudo apt install python3-venv rustc python3-dev libsasl2-dev libldap2-dev libssl-dev 
 +python3 -m pip install web2ldap 
 +</code> 
 + 
 +To run, it, simply invoke the script provided by the pip package: 
 + 
 +<code bash> 
 +web2ldap 
 +</code> 
 + 
 +Then connect to it in a browser, using the address it outputs. For example. [[http://localhost:1760/web2ldap]] 
 + 
 +Click connect to a server, then click on 'Bind' and do Simple bind, bind as `admin` and then choose identification search, e.g. ''dc=devdungeon,dc=com'' and login. 
 + 
 +When you CLICK into an OU or group, your whole context changes. When you click "new Entry", it will add that entry in the location based on your breadcrumbs at the top. Be careful it's not nesting it under something unexpected. 
 + 
 +To move a user, go to Tree, view user, and click Rename on right side. Change superior DN to include the new OU info. 
  
 ==== Python Library ==== ==== Python Library ====
 +
 +The [[https://www.python-ldap.org/|python-ldap]] package lets you interact with LDAP servers in Python.
 +
 +To install it:
  
 <code bash> <code bash>
Line 198: Line 215:
 </code> </code>
  
 +To use it:
  
-<code python ldap_test.py>+<code python ldap_test.py>
 # `apt install python3-ldap` or `pip install python-ldap` # `apt install python3-ldap` or `pip install python-ldap`
 from getpass import getpass from getpass import getpass
Line 236: Line 254:
 ==== Java Library ==== ==== Java Library ====
  
-https://directory.apache.org/api/+There is a Java library provided by the Apache Directory project: [[https://directory.apache.org/api/]]. You can use this to interact with LDAP servers in Java.
  
  
 ===== LDIF examples ===== ===== LDIF examples =====
  
-LDIF files are used to make changes to the LDAP server. They seem pretty gnarly at first, but you get used to them and they actually becomes a nice convenient way of documenting changes via code.+LDIF files are used to make changes to the LDAP server. They seem pretty gnarly at first, but you get used to them and they actually becomes a nice convenient way of documenting changes via code. You can use a tool like Apache Directory Studio to make changes via a GUI rather than using LDIF files. Apache Directory Studio will also generate the LDIF in the console so you can save the change as an LDIF file if you wanted to.
  
 You can pass LDIF files directly as a heredoc or as a separate file: You can pass LDIF files directly as a heredoc or as a separate file:
  
 <code bash> <code bash>
-# Pass a file+# Pass a file with `-f`. Use `-Y EXTERNAL` for server configs.
 ldapmodify -H ldapi:/// -Y EXTERNAL -f change.ldif ldapmodify -H ldapi:/// -Y EXTERNAL -f change.ldif
 +# Or bind using an admin account with `-W -D <dn>`
 +ldapmodify -H ldapi:/// -f change.ldif -D cn=admin,dc=devdungeon,dc=com -W
  
 # Pass the ldif directly # Pass the ldif directly
Line 261: Line 281:
 EOF EOF
 </code> </code>
 +
 +==== Add an OU ====
 +
 +<code ldif add_ou.ldif>
 +dn: ou=hackers,dc=devdungeon,dc=com
 +changetype: add
 +ou: hackers
 +objectClass: organizationalUnit
 +objectClass: top
 +</code>
 +
 +==== Add a user ====
 +
 +To add a user, create a new entry with simpleSecurityObject (for password and cn) and organizationalRole for the structural
 +
 +<code ldif add_user.ldif>
 +dn: cn=nanodano,ou=hackers,dc=devdungeon,dc=com
 +changetype: add
 +cn: nanodano
 +objectClass: organizationalRole
 +objectClass: top
 +objectClass: simpleSecurityObject
 +# Salted SHA password provided by `slappasswd`
 +userPassword: {SSHA}s123K9t/R9Y79Sb1VZINlXVzjjD31TJp
 +</code>
 +
 +
 +
 +
 +==== Delete an OU ====
 +
 +<code ldif delete_ou.ldif>
 +dn: ou=admins,dc=devdungeon,dc=com
 +changetype: delete
 +</code>
 +
 +==== Delete a user ====
 +
 +<code ldif delete_user.ldif>
 +dn: cn=nanodano,dc=devdungeon,dc=com
 +changetype: delete
 +</code>
 +
 +==== Update TLS certificates ====
 +
 +When updating the certificates, you are modifying ''cn=config'' and not a regular organizational unit.
 +
 +<code ldif update_certs.ldif>
 +# If using `ldapmodify`, use auth option of `-Y EXTERNAL`
 +# instead of `-W -D cn=admin,dc=devdungeon,dc=com`
 +# since it affects the server config directly
 +dn: cn=config
 +changetype: modify
 +replace: olcTLSCertificateFile
 +olcTLSCertificateFile: /etc/letsencrypt/live/ldap.devdungeon.com/cert.pem
 +-
 +replace: olcTLSCertificateKeyFile
 +olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.devdungeon.com/privkey.pem
 +</code>
 +
 +
  
other/ldap.1617481290.txt.gz · Last modified: 2021/04/03 20:21 by nanodano

Page Tools

Valid HTML5 Valid CSS