https://wiki.irenala.edu.mg/index.php?action=history&feed=atom&title=OpenLDAP
OpenLDAP - Historique des versions
2026-06-01T22:06:50Z
Historique pour cette page sur le wiki
MediaWiki 1.22.6
//wiki.irenala.edu.mg/index.php?title=OpenLDAP&diff=4329&oldid=prev
Santatra : Page créée avec « == Description du serveur == * OS: CentOS 7 x86_64 * Outils principaux: OpenLDAP et OpenSSL == Installatio et configuration == yum install openldap-servers openldap-clien... »
2015-12-21T06:14:33Z
<p>Page créée avec « == Description du serveur == * OS: CentOS 7 x86_64 * Outils principaux: OpenLDAP et OpenSSL == Installatio et configuration == yum install openldap-servers openldap-clien... »</p>
<p><b>Nouvelle page</b></p><div>== Description du serveur ==<br />
* OS: CentOS 7 x86_64<br />
* Outils principaux: OpenLDAP et OpenSSL<br />
== Installatio et configuration ==<br />
yum install openldap-servers openldap-clients rsyslog<br />
vim /etc/sysconfig/slapd<br />
SLAPD_URLS="ldapi:/// ldap:///"<br />
SLAPD_OPTIONS="-4"<br />
* Configuration de rsyslog:<br />
vim /etc/rsyslog.conf<br />
# Send slapd(8c) logs to /var/log/slapd.log<br />
if $programname == 'slapd' then /var/log/slapd.log<br />
& ~<br />
systemctl restart rsyslog.service<br />
* Définition du mot de passe '''root''' pour la configuration:<br />
vim /root/LDAP/olcRootPW.ldif<br />
dn: olcDatabase={0}config,cn=config<br />
changetype: modify<br />
replace: olcRootPW<br />
olcRootPW: {SSHA}69iaXumzEio/JQTg1DOni/tnzsZ0FYCf<br />
* Application de la configuration et vérification:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcRootPW.ldif<br />
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"<br />
ldapsearch -W -x -D cn=config -b olcDatabase={0}config,cn=config<br />
ldapsearch -W -x -D cn=config -b olcDatabase={-1}frontend,cn=config<br />
ldapsearch -W -x -D cn=config -b olcDatabase={1}monitor,cn=config<br />
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config<br />
* Déficnition des bases de données:<br />
vim /root/LDAP/BASE.ldif<br />
dn: olcDatabase={1}monitor,cn=config<br />
changetype: modify<br />
replace: olcAccess<br />
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=mg" read by * none<br />
-<br />
dn: olcDatabase={2}hdb,cn=config<br />
changetype: modify<br />
replace: olcSuffix<br />
olcSuffix: dc=mg<br />
-<br />
dn: olcDatabase={2}hdb,cn=config<br />
changetype: modify<br />
replace: olcRootDN<br />
olcRootDN: cn=admin,dc=mg<br />
* Application:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/BASE.ldif<br />
ldapsearch -W -x -D cn=config -b cn=config | grep -b1 cn=admin<br />
* Définition du mot de pass '''administrateur''':<br />
vim /root/LDAP/admin_olcRootPW.ldif<br />
dn: olcDatabase={2}hdb,cn=config<br />
changetype: modify<br />
add: olcRootPW<br />
olcRootPW: {SSHA}moVXokSVz9/pcZpdyJ0EYlzutrnt4iK1<br />
* Application:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/admin_olcRootPW.ldif<br />
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config<br />
* Paramétrage supplémentaire:<br />
vim /root/LDAP/GLOBAL_olcIdleTimeout.ldif<br />
dn: cn=config<br />
changetype: modify<br />
add: olcIdleTimeout<br />
olcIdleTimeout: 15<br />
* Application:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/GLOBAL_olcIdleTimeout.ldif<br />
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"<br />
<br />
== Configuration de TLS ==<br />
* Modification de l'expiration du CA:<br />
vim /etc/pki/tls/misc/CA<br />
#CADAYS="-days 1095" # 3 years<br />
CADAYS="-days 30660" # 2015 - 2099<br />
* Création d'un nouveau CA:<br />
/etc/pki/tls/misc/CA -newca<br />
ls -la /etc/pki/CA/*<br />
* Modification de l'expiration du certificat:<br />
vim /etc/pki/tls/openssl.cnf<br />
# default_days = 365 # how long to certify for<br />
default_days = 7300 # 2015 - 2025<br />
* Génération des différentes clés:<br />
cd /root/LDAP<br />
/etc/pki/tls/misc/CA -newreq<br />
ls -la ./new*.pem<br />
/etc/pki/tls/misc/CA -sign<br />
ls -la ./new*.pem<br />
openssl rsa < ./newkey.pem > /etc/pki/CA/key.pem<br />
ls -la /etc/pki/CA/*key*<br />
mkdir /etc/pki/openldap<br />
mkdir /etc/pki/openldap/certs<br />
mkdir /etc/pki/openldap/private<br />
* Installation des certificats:<br />
cp -a /etc/pki/CA/key.pem /etc/pki/openldap/private/key.pem<br />
cp -a ./newcert.pem /etc/pki/openldap/certs/cert.pem<br />
cp -a /etc/pki/CA/cacert.pem /etc/pki/openldap/certs/CAcert.pem<br />
* Application des droits nécessaires:<br />
chown root.ldap /etc/pki/openldap/private/key.pem<br />
chown root.ldap /etc/pki/openldap/certs/cert.pem<br />
chown root.ldap /etc/pki/openldap/certs/CAcert.pem<br />
chmod 640 /etc/pki/openldap/private/key.pem<br />
chmod 640 /etc/pki/openldap/certs/cert.pem<br />
chmod 640 /etc/pki/openldap/certs/CAcert.pem<br />
ls -la /etc/pki/openldap/*<br />
rm /etc/pki/CA/key.pem ./new*.pem<br />
* Configuration de la partie client:<br />
vim /etc/openldap/ldap.conf<br />
BASE dc=irenala,dc=edu,dc=mg<br />
URI ldap://ldap.irenala.edu.mg <br />
TLS_CACERTDIR /etc/openldap/certs<br />
TLS_REQCERT allow<br />
# Turning this off breaks GSSAPI used with krb5 when rdns = false<br />
SASL_NOCANON on<br />
* Paramétrage du serveur pour le support TLS:<br />
vim /root/LDAP/tls-config.ldif<br />
dn: cn=config<br />
changetype: modify<br />
add: olcTLSCipherSuite<br />
olcTLSCipherSuite: HIGH<br />
-<br />
replace: olcTLSCertificateFile<br />
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem<br />
-<br />
replace: olcTLSCertificateKeyFile<br />
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem<br />
-<br />
add: olcTLSCACertificateFile<br />
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem<br />
-<br />
replace: olcTLSProtocolMin<br />
olcTLSProtocolMin: 3.1<br />
* Appication de la configuration:<br />
ldapmodify -W -x -D cn=config -f ./tls-config.ldif<br />
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"<br />
vim /etc/sysconfig/slapd<br />
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"<br />
* Test de la configuration:<br />
slaptest -u<br />
* Prise en compte des certificats par le système:<br />
tail -n 23 /etc/pki/openldap/certs/CAcert.pem > /etc/pki/ca-trust/source/anchors/CAcert.pem<br />
cat /etc/pki/ca-trust/source/anchors/CAcert.pem<br />
update-ca-trust<br />
head -n 23 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem<br />
systemctl restart slapd<br />
* Vérification:<br />
netstat -tulpen | egrep "389|636"<br />
openssl s_client -connect ldap.irenala.edu.mg:636 -showcerts -state<br />
chown ldap:ldap /etc/openldap/certs/server.key<br />
chmod 400 /etc/openldap/certs/server.key<br />
* Désactivation des accès anonymes:<br />
vim /root/LDAP/anonymous_bind.ldif<br />
dn: cn=config<br />
changetype: modify<br />
add: olcDisallows<br />
olcDisallows: bind_anon<br />
-<br />
add: olcRequires<br />
olcRequires: authc<br />
* Application de la configuration:<br />
ldapmodify -W -x -D cn=config -f /root/LDAP/anonymous_bind.ldif<br />
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"<br />
* Activation des indexations pour améliorer la performance:<br />
vim /root/LDAP/DbIndex.ldif<br />
dn: olcDatabase={2}bdb,cn=config<br />
changetype: modify<br />
add: olcDbIndex<br />
olcDbIndex: objectClass eq,pres<br />
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub<br />
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres<br />
olcDbIndex: uid,memberUid eq,pres,sub<br />
* Application des configurations:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/DbIndex.ldif<br />
ldapsearch -W -x -D cn=config -b olcDatabase={2}bdb,cn=config<br />
* Mise en place des ACLs pour sécuriser les accès:<br />
vim /root/LDAP/acl.ldif<br />
dn: olcDatabase={2}hdb,cn=config<br />
changetype: modify<br />
replace: olcAccess<br />
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowMax,shadowWarning by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by anonymous auth by * none<br />
olcAccess: {1}to dn="cn=admin,dc=mg" by self write by * none<br />
olcAccess: {2}to dn="cn=ldapquerier,dc=mg" by self write by dn="cn=admin,dc=mg" write by * none<br />
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Group,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none<br />
olcAccess: {4}to dn.regex="uid=([^,]+),ou=People,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none<br />
olcAccess: {5}to * by self write by dn.base="cn=admin,dc=mg" write by * read<br />
* Application et vérification:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/acl.ldif<br />
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config<br />
* Configuration de la génération des traces:<br />
vim /root/LDAP/olcLogLevel.ldif<br />
dn: cn=config<br />
changetype: modify<br />
add: olcLogLevel<br />
olcLogLevel: stats<br />
* Application de la configuration:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel.ldif<br />
* Modification du niveau:<br />
vim /root/LDAP/olcLogLevel_off.ldif<br />
dn: cn=config<br />
changetype: modify<br />
delete: olcLogLevel<br />
olcLogLevel: stats<br />
-<br />
add: olcLogLevel<br />
olcLogLevel: none<br />
* Application:<br />
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel_off.ldif</div>
Santatra