Update README.md
This commit is contained in:
parent
cdb25ae1ee
commit
1b67f10504
101
README.md
101
README.md
@ -52,11 +52,12 @@ root@example:/# ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" -s base
|
||||
|
||||
## _Create an Administrator account_
|
||||
|
||||
In order to create users with different attributes and permits, we need to create a new admin account besides the root one that comes by default.\
|
||||
We will refer to the Administrator account as admin, and in a few cases, the root account as the set by default.
|
||||
In order to create users with different attributes and permits, we need to create a new admin account besides the root one that comes with slapd by default.\
|
||||
We will refer to the LDAP Administrator account as **admin or administrative account**, and to the **root account** simply the one sat by default.
|
||||
When running any <ins>*Administrative task*</ins> that requires the usage of either the admin or root account, like creating an Organizational Unit (ou) or a new user, both accounts will have set the same privileges, meaning both will work, but <ins>*it is strongly recommended to use the admin or administrative one created here.*</ins> An easy way to differentiate them it's setting different passwords for each one, as we will see...
|
||||
|
||||
**`why is this needed?`** _unnecesary long explanation, but just in case:_ in openLDAP, by default a special administrative account is created as core base to execute first hand tasks, however aside being able to bypass ACLs (Access Control Lists), and therefore any other account created, being allowed to authenthicate for operations like ldapadd, ldapmodify and ldapsearch, etc. it has not an actual entry in the dc=example,dc=com tree (our parentDN). This account it is only configured as olcRootDN in the core base directory/database, cn=config (/etc/ldap/slapd.d/'cn=config') and nothing more. It does not create the corresponding entry in any data tree, therefore the server cannot locate the full entry cn=admin,dc=example,dc=com because it does not exists. In pragmatic terms, we need to create an administrative account for our DN and our parentDN, the later being our domain name as previously explained.
|
||||
tl;dr cn=admin,dc=example,dc=com is only a rootDN and not a admin data entry directory which is what we need to setup Access Control Lists (ACLs) as well as setup password schemas.
|
||||
<!--**`why is this needed?`** unnecesary long explanation: in openLDAP, by default a special administrative account is created as core base to execute first hand tasks, however aside being able to bypass ACLs (Access Control Lists), and therefore any other account created, being allowed to authenthicate for operations like ldapadd, ldapmodify and ldapsearch, etc. it has not an actual entry in the dc=example,dc=com tree (our parentDN). This account it is only configured as olcRootDN in the core base directory/database, cn=config (/etc/ldap/slapd.d/'cn=config') and nothing more. It does not create the corresponding entry in any data tree, therefore the server cannot locate the full entry cn=admin,dc=example,dc=com because it does not exists. In pragmatic terms, we need to create an administrative account for our DN and our parentDN, the later being our domain name as previously explained.
|
||||
tl;dr cn=admin,dc=example,dc=com is only a rootDN and not a admin data entry directory which is what we need to setup Access Control Lists (ACLs) as well as setup password schemas.-->
|
||||
|
||||
Generate a password hash for our administrator user, 1234 here being the password
|
||||
```
|
||||
@ -100,51 +101,11 @@ description: LDAP administrator
|
||||
```
|
||||
That's all, our administrator user was properly done.
|
||||
|
||||
## _Users administrative tasks_
|
||||
## _First administrative tasks_
|
||||
|
||||
### <ins>_Reset root password_</ins>
|
||||
### <ins>_Create our first Organizational Unit (ou) with a new user_</ins>
|
||||
|
||||
Build line by line, the **.ldif** file we will need to reset root password, starting with the following command:
|
||||
```
|
||||
root@example:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=dc=example,dc=com)' dn > rootpw.ldif
|
||||
```
|
||||
which writes to the rootpw.ldif file, the current rootDN (Distinguised Name): `dn: olcDatabase={1}mdb,cn=config`\
|
||||
The next command will add the 'changetype' (modify, add, etc.) and what object are we working with:
|
||||
```
|
||||
root@example:/# echo -e 'changetype: modify\nreplace: olcRootPW: ' >> rootpw.ldif
|
||||
root@example:/etc/ldap# cat rootpw.ldif
|
||||
dn: olcDatabase={1}mdb,cn=config
|
||||
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
```
|
||||
We run a simple sed command to delete blank lines
|
||||
```
|
||||
root@example:/# sed '/^$/d' rootpw.ldif > chrootpw.ldif
|
||||
root@example:/# cat chrootpw.ldif
|
||||
dn: olcDatabase={1}mdb,cn=config
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
```
|
||||
It's time to write our new password (_newpasswd_):
|
||||
```
|
||||
root@example:/# slappasswd -s 1234
|
||||
{SSHA}2xbd33S4ZumAZW4Oks0GJidBFJYEVBPz
|
||||
```
|
||||
The last line it's our password 1234 hashed in SSHA cryptography. We will need to copy and paste it in the following command:
|
||||
```
|
||||
root@example:/# echo "olcRootPW: {SSHA}2xbd33S4ZumAZW4Oks0GJidBFJYEVBPz" >> chrootpw.ldif
|
||||
```
|
||||
The file that describes the variables needed to change our root password, **chrootpw.ldif** should be ready, we finally run:
|
||||
```
|
||||
root@example:/etc/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
|
||||
modifying entry "olcDatabase={1}mdb,cn=config"
|
||||
```
|
||||
If successful, the output will show the modified entry.
|
||||
|
||||
### <ins>_Add users_</ins>
|
||||
|
||||
create a new LDAP directory called Supergirls (LDAP OU) with the following data
|
||||
Prepare a new LDAP directory (ou) called Supergirls with the following data
|
||||
```
|
||||
root@example:/# vim add_ou.ldif
|
||||
dn: ou=Supergirls,dc=example,dc=com
|
||||
@ -152,7 +113,7 @@ objectClass: organizationalUnit
|
||||
ou: Supergirls
|
||||
```
|
||||
|
||||
create it in our LDAP server, when asked for the root password, remember in the dockerfile by default is _admin_
|
||||
Execute the .ldif file to create it in the LDAP server, and when asked for the **root password**, remember in the dockerfile by default is _admin_
|
||||
```
|
||||
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add_ou.ldif
|
||||
Enter LDAP Password:
|
||||
@ -233,7 +194,7 @@ mail: marisa.kirisame@example.com
|
||||
|
||||
### <ins>_Modify user password_</ins>
|
||||
|
||||
In this examples, we are changing user uid marisa from ou Supergirls **password**.\
|
||||
In this examples, we are changing the special attribute password of the user marisa from ou Supergirls, using the old password.\
|
||||
\
|
||||
In order to change the password interactively (writing in the prompt when asked), we can run this command:
|
||||
```
|
||||
@ -253,7 +214,7 @@ _newpasswd_ being the new password we want to use. We can also notice the hashed
|
||||
|
||||
### <ins>_Reset user password_</ins>
|
||||
|
||||
In the likely common event that we forgot the password of an specific user, we need to reset it.\
|
||||
In the likely common event that we forgot the old password of an specific user, we need to reset it.\
|
||||
In this example we forgot the password of the user uid marisa, we can reset it with this command:
|
||||
```
|
||||
root@example:/etc/ldap# ldappasswd -H ldap:/// -x -D "cn=admin,dc=example,dc=com" -W -S "uid=marisa,ou=Supergirls,dc=example,dc=com"
|
||||
@ -315,4 +276,44 @@ gidNumber: 5000
|
||||
homeDirectory: /home/marisa
|
||||
```
|
||||
|
||||
### <ins>_Reset root password_</ins>
|
||||
|
||||
Build line by line, the **.ldif** file we will need to reset root password, starting with the following command:
|
||||
```
|
||||
root@example:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=dc=example,dc=com)' dn > rootpw.ldif
|
||||
```
|
||||
which writes to the rootpw.ldif file, the current rootDN (Distinguised Name): `dn: olcDatabase={1}mdb,cn=config`\
|
||||
The next command will add the 'changetype' (modify, add, etc.) and what object are we working with:
|
||||
```
|
||||
root@example:/# echo -e 'changetype: modify\nreplace: olcRootPW: ' >> rootpw.ldif
|
||||
root@example:/etc/ldap# cat rootpw.ldif
|
||||
dn: olcDatabase={1}mdb,cn=config
|
||||
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
```
|
||||
We run a simple sed command to delete blank lines
|
||||
```
|
||||
root@example:/# sed '/^$/d' rootpw.ldif > chrootpw.ldif
|
||||
root@example:/# cat chrootpw.ldif
|
||||
dn: olcDatabase={1}mdb,cn=config
|
||||
changetype: modify
|
||||
replace: olcRootPW
|
||||
```
|
||||
It's time to write our new password (_newpasswd_):
|
||||
```
|
||||
root@example:/# slappasswd -s 1234
|
||||
{SSHA}2xbd33S4ZumAZW4Oks0GJidBFJYEVBPz
|
||||
```
|
||||
The last line it's our password 1234 hashed in SSHA cryptography. We will need to copy and paste it in the following command:
|
||||
```
|
||||
root@example:/# echo "olcRootPW: {SSHA}2xbd33S4ZumAZW4Oks0GJidBFJYEVBPz" >> chrootpw.ldif
|
||||
```
|
||||
The file that describes the variables needed to change our root password, **chrootpw.ldif** should be ready, we finally run:
|
||||
```
|
||||
root@example:/etc/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
|
||||
modifying entry "olcDatabase={1}mdb,cn=config"
|
||||
```
|
||||
If successful, the output will show the modified entry.
|
||||
|
||||
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
|
||||
Loading…
Reference in New Issue
Block a user