4 changed files with 155 additions and 0 deletions
+ 27
- 0
ldap/README.md
View File
| @@ -0,0 +1,27 @@ | |||
| ### Info | |||
| Ce dossier contient un script permettant d'installer la config OpenLDAP sur un | |||
| serveur VPS-like (Archlinux). | |||
| **Attention ! Le script supprime toute base OpenLDAP déjà présente sur le système !** | |||
| ### Dépendances | |||
| - `pacman -S openldap` | |||
| ### Usage | |||
| ``` | |||
| $ git clone https://gitea.planet-casio.com/devs/VPS-config.git | |||
| $ cd VPS-config/ldap | |||
| $ sudo install.sh | |||
| ``` | |||
| Puis suivre les instructions. | |||
| ### Ajouter manuellement un compte | |||
| ``` | |||
| $ ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W | |||
| ``` | |||
| Puis suivre la doc sur [le Wiki](/devs/VPS-config/wiki/LDAP). Finir par `^D`. | |||
+ 51
- 0
ldap/install.sh
View File
| @@ -0,0 +1,51 @@ | |||
| #!/usr/bin/env bash | |||
| # stop service if running | |||
| echo "stop service if running" | |||
| systemctl stop slapd.service | |||
| # deleting old databases | |||
| echo "deleting old databases" | |||
| rm -f /var/lib/openldap/openldap-data/*.mdb | |||
| # copy default config | |||
| echo "copy default config" | |||
| cp -f ./slapd.conf /etc/openldap/slapd.conf | |||
| # remove root password | |||
| echo "remove root password" | |||
| sed -i "/rootpw/ d" /etc/openldap/slapd.conf | |||
| # add new root password | |||
| echo "add new root password" | |||
| echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf | |||
| # copy default config | |||
| echo "copy default config" | |||
| cp /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG | |||
| # remove old config files | |||
| echo "remove old config files" | |||
| rm -rf /etc/openldap/slapd.d/* | |||
| # create a db if there is none | |||
| echo "create a db if there is none" | |||
| systemctl start slapd.service && systemctl stop slapd.service | |||
| # generate new config files | |||
| echo "generate new config files" | |||
| slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ | |||
| # change ownership of slapd.d | |||
| echo "change ownership of slapd.d" | |||
| chown -R ldap:ldap /etc/openldap/slapd.d | |||
| # start service | |||
| echo "start service" | |||
| systemctl start slapd.service | |||
| # add organization | |||
| echo "add organization" | |||
| ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W -f ./organization | |||
| echo "Installation done. Service is running" | |||
+ 4
- 0
ldap/organization
View File
| @@ -0,0 +1,4 @@ | |||
| dn: o=planet-casio | |||
| objectClass: organization | |||
| o: planet-casio | |||
| description: Planète Casio | |||
+ 73
- 0
ldap/slapd.conf
View File
| @@ -0,0 +1,73 @@ | |||
| # | |||
| # See slapd.conf(5) for details on configuration options. | |||
| # This file should NOT be world readable. | |||
| # | |||
| include /etc/openldap/schema/core.schema | |||
| include /etc/openldap/schema/cosine.schema | |||
| include /etc/openldap/schema/inetorgperson.schema | |||
| include /etc/openldap/schema/nis.schema | |||
| # Define global ACLs to disable default read access. | |||
| # Do not enable referrals until AFTER you have a working directory | |||
| # service AND an understanding of referrals. | |||
| #referral ldap://root.openldap.org | |||
| pidfile /run/openldap/slapd.pid | |||
| argsfile /run/openldap/slapd.args | |||
| # Load dynamic backend modules: | |||
| # modulepath /usr/lib/openldap | |||
| # moduleload back_mdb.la | |||
| # moduleload back_ldap.la | |||
| # Sample security restrictions | |||
| # Require integrity protection (prevent hijacking) | |||
| # Require 112-bit (3DES or better) encryption for updates | |||
| # Require 63-bit encryption for simple bind | |||
| # security ssf=1 update_ssf=112 simple_bind=64 | |||
| # Sample access control policy: | |||
| # Root DSE: allow anyone to read it | |||
| # Subschema (sub)entry DSE: allow anyone to read it | |||
| # Other DSEs: | |||
| # Allow self write access | |||
| # Allow authenticated users read access | |||
| # Allow anonymous users to authenticate | |||
| # Directives needed to implement policy: | |||
| # access to dn.base="" by * read | |||
| # access to dn.base="cn=Subschema" by * read | |||
| # access to * | |||
| # by self write | |||
| # by users read | |||
| # by anonymous auth | |||
| # | |||
| # if no access controls are present, the default policy | |||
| # allows anyone and everyone to read anything but restricts | |||
| # updates to rootdn. (e.g., "access to * by * read") | |||
| # | |||
| # rootdn can always read and write EVERYTHING! | |||
| ####################################################################### | |||
| # MDB database definitions | |||
| ####################################################################### | |||
| database mdb | |||
| maxsize 1073741824 | |||
| suffix "o=planet-casio" | |||
| rootdn "cn=ldap-root,o=planet-casio" | |||
| # Cleartext passwords, especially for the rootdn, should | |||
| # be avoid. See slappasswd(8) and slapd.conf(5) for details. | |||
| # Use of strong authentication encouraged. | |||
| rootpw secret | |||
| # The database directory MUST exist prior to running slapd AND | |||
| # should only be accessible by the slapd and slap tools. | |||
| # Mode 700 recommended. | |||
| directory /var/lib/openldap/openldap-data | |||
| # Indices to maintain | |||
| index objectClass eq | |||
| index uid pres,eq | |||
| index mail pres,sub,eq | |||
| index cn pres,sub,eq | |||
| index sn pres,sub,eq | |||
| index dc eq | |||
Loading…