Update README.md
This commit is contained in:
parent
6456f2f5f0
commit
b6a6ccaf1b
33
README.md
33
README.md
@ -50,37 +50,12 @@ root@example:/# ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" -s base
|
||||
# base <dc=example,dc=com> with scope baseObject
|
||||
...
|
||||
```
|
||||
## _Create an Administrator account_
|
||||
|
||||
<!-- optional tests to understand what are LDAP directories (LDAP OU)
|
||||
prepare new test LDAP directories (LDAP OU) and create two attributes/branches with People and Group
|
||||
```
|
||||
root@example:/# vim base.ldif
|
||||
dn: ou=People,dc=example,dc=com
|
||||
objectClass: organizationalUnit
|
||||
ou: People
|
||||
In order to create users with different attributes and permits, we need to create a new admin account besides the root one that comes by default.\
|
||||
We will refer to the Administrator account as admin, and in a few cases, the root account as the set by default.\
|
||||
|
||||
dn: ou=Groups,dc=example,dc=com
|
||||
objectClass: organizationalUnit
|
||||
ou: Group
|
||||
```
|
||||
|
||||
create the test directory in our LDAP server, the password in the dockerfile by default is _admin_
|
||||
```
|
||||
root@example:/# ldapadd -x -D cn=admin,dc=example,dc=com -W -f base.ldif
|
||||
Enter LDAP Password:
|
||||
adding new entry "ou=People,dc=example,dc=com"
|
||||
|
||||
adding new entry "ou=Groups,dc=example,dc=com"
|
||||
```
|
||||
|
||||
verify the entries in the LDAP server
|
||||
```
|
||||
root@example:/# ldapsearch -x -LLL -b dc=example,dc=com 'ou=People' dn
|
||||
dn: ou=People,dc=example,dc=com
|
||||
root@example:/# ldapsearch -x -LLL -b dc=example,dc=com 'ou=Groups' dn
|
||||
dn: ou=Groups,dc=example,dc=com
|
||||
```
|
||||
now we have an **Organizational Unit (ou=People, ou=Group, etc.)** with users and groups within an LDAP directory structure correctly created -->
|
||||
**`why is this needed?`** _unnecesary long explanation, but just in case:_ in openLDAP, by default a special administrative account is created as core base to execute first hand tasks, however aside being able to bypass ACLs (Access Control Lists), and therefore any other account created, being allowed to authenthicate for operations like ldapadd, ldapmodify and ldapsearch, etc. it has not an actual entry in the dc=example,dc=com tree (our parentDN). This account it is only configured as olcRootDN in the core base directory/database, cn=config (/etc/ldap/slapd.d/'cn=config') and nothing more. It does not create the corresponding entry in any data tree, therefore the server cannot locate the full entry cn=admin,dc=example,dc=com because it does not exists. In pragmatic terms, we need to create an administrative account for our DN and our parentDN, the later being our domain name as previously explained.
|
||||
|
||||
## _Users administrative tasks_
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user