4 changed files with 155 additions and 0 deletions
@ -0,0 +1,27 @@ |
|||
### Info |
|||
Ce dossier contient un script permettant d'installer la config OpenLDAP sur un |
|||
serveur VPS-like (Archlinux). |
|||
|
|||
**Attention ! Le script supprime toute base OpenLDAP déjà présente sur le système !** |
|||
|
|||
### Dépendances |
|||
|
|||
- `pacman -S openldap` |
|||
|
|||
### Usage |
|||
|
|||
``` |
|||
$ git clone https://gitea.planet-casio.com/devs/VPS-config.git |
|||
$ cd VPS-config/ldap |
|||
$ sudo install.sh |
|||
``` |
|||
|
|||
Puis suivre les instructions. |
|||
|
|||
### Ajouter manuellement un compte |
|||
|
|||
``` |
|||
$ ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W |
|||
``` |
|||
|
|||
Puis suivre la doc sur [le Wiki](/devs/VPS-config/wiki/LDAP). Finir par `^D`. |
|||
@ -0,0 +1,51 @@ |
|||
#!/usr/bin/env bash |
|||
|
|||
# stop service if running |
|||
echo "stop service if running" |
|||
systemctl stop slapd.service |
|||
|
|||
# deleting old databases |
|||
echo "deleting old databases" |
|||
rm -f /var/lib/openldap/openldap-data/*.mdb |
|||
|
|||
# copy default config |
|||
echo "copy default config" |
|||
cp -f ./slapd.conf /etc/openldap/slapd.conf |
|||
|
|||
# remove root password |
|||
echo "remove root password" |
|||
sed -i "/rootpw/ d" /etc/openldap/slapd.conf |
|||
|
|||
# add new root password |
|||
echo "add new root password" |
|||
echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf |
|||
|
|||
# copy default config |
|||
echo "copy default config" |
|||
cp /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG |
|||
|
|||
# remove old config files |
|||
echo "remove old config files" |
|||
rm -rf /etc/openldap/slapd.d/* |
|||
|
|||
# create a db if there is none |
|||
echo "create a db if there is none" |
|||
systemctl start slapd.service && systemctl stop slapd.service |
|||
|
|||
# generate new config files |
|||
echo "generate new config files" |
|||
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ |
|||
|
|||
# change ownership of slapd.d |
|||
echo "change ownership of slapd.d" |
|||
chown -R ldap:ldap /etc/openldap/slapd.d |
|||
|
|||
# start service |
|||
echo "start service" |
|||
systemctl start slapd.service |
|||
|
|||
# add organization |
|||
echo "add organization" |
|||
ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W -f ./organization |
|||
|
|||
echo "Installation done. Service is running" |
|||
@ -0,0 +1,4 @@ |
|||
dn: o=planet-casio |
|||
objectClass: organization |
|||
o: planet-casio |
|||
description: Planète Casio |
|||
@ -0,0 +1,73 @@ |
|||
# |
|||
# See slapd.conf(5) for details on configuration options. |
|||
# This file should NOT be world readable. |
|||
# |
|||
include /etc/openldap/schema/core.schema |
|||
include /etc/openldap/schema/cosine.schema |
|||
include /etc/openldap/schema/inetorgperson.schema |
|||
include /etc/openldap/schema/nis.schema |
|||
|
|||
# Define global ACLs to disable default read access. |
|||
|
|||
# Do not enable referrals until AFTER you have a working directory |
|||
# service AND an understanding of referrals. |
|||
#referral ldap://root.openldap.org |
|||
|
|||
pidfile /run/openldap/slapd.pid |
|||
argsfile /run/openldap/slapd.args |
|||
|
|||
# Load dynamic backend modules: |
|||
# modulepath /usr/lib/openldap |
|||
# moduleload back_mdb.la |
|||
# moduleload back_ldap.la |
|||
|
|||
# Sample security restrictions |
|||
# Require integrity protection (prevent hijacking) |
|||
# Require 112-bit (3DES or better) encryption for updates |
|||
# Require 63-bit encryption for simple bind |
|||
# security ssf=1 update_ssf=112 simple_bind=64 |
|||
|
|||
# Sample access control policy: |
|||
# Root DSE: allow anyone to read it |
|||
# Subschema (sub)entry DSE: allow anyone to read it |
|||
# Other DSEs: |
|||
# Allow self write access |
|||
# Allow authenticated users read access |
|||
# Allow anonymous users to authenticate |
|||
# Directives needed to implement policy: |
|||
# access to dn.base="" by * read |
|||
# access to dn.base="cn=Subschema" by * read |
|||
# access to * |
|||
# by self write |
|||
# by users read |
|||
# by anonymous auth |
|||
# |
|||
# if no access controls are present, the default policy |
|||
# allows anyone and everyone to read anything but restricts |
|||
# updates to rootdn. (e.g., "access to * by * read") |
|||
# |
|||
# rootdn can always read and write EVERYTHING! |
|||
|
|||
####################################################################### |
|||
# MDB database definitions |
|||
####################################################################### |
|||
|
|||
database mdb |
|||
maxsize 1073741824 |
|||
suffix "o=planet-casio" |
|||
rootdn "cn=ldap-root,o=planet-casio" |
|||
# Cleartext passwords, especially for the rootdn, should |
|||
# be avoid. See slappasswd(8) and slapd.conf(5) for details. |
|||
# Use of strong authentication encouraged. |
|||
rootpw secret |
|||
# The database directory MUST exist prior to running slapd AND |
|||
# should only be accessible by the slapd and slap tools. |
|||
# Mode 700 recommended. |
|||
directory /var/lib/openldap/openldap-data |
|||
# Indices to maintain |
|||
index objectClass eq |
|||
index uid pres,eq |
|||
index mail pres,sub,eq |
|||
index cn pres,sub,eq |
|||
index sn pres,sub,eq |
|||
index dc eq |
|||
Loading…
Reference in new issue