# Instalación y configuración inicial de OpenLDAP
#
# Note: the slapd package's debconf setup derives the base DN (here
# dc=alvaro,dc=gonzalonazareno,dc=org) from the domain part of `hostname -f`,
# which is why the FQDN is checked first. It also asks for the cn=admin
# password: that is the directory's root credential, so pick a strong one.
  2.  
  3. root@sancho:~# hostname -f
  4. sancho.alvaro.gonzalonazareno.org
  5.  
  6. root@sancho:~# apt update && apt upgrade && apt install slapd ldap-utils
  7.  
  8. root@sancho:~# netstat -tlnp
  9. Active Internet connections (only servers)
  10. Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  11. tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      5019/slapd
  12. tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      662/mysqld
  13. tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      509/systemd-resolve
  14. tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      595/sshd: /usr/sbin
  15. tcp6       0      0 :::389                  :::*                    LISTEN      5019/slapd
  16. tcp6       0      0 :::22                   :::*                    LISTEN      595/sshd: /usr/sbin
  17.  
# Anonymous bind (-x with no -D/-W) already reads the whole suffix: the Debian/Ubuntu
# default olcAccess lets anonymous read everything except userPassword. Tighten
# olcAccess (or set olcDisallows: bind_anon) before storing anything sensitive,
# and note that this first test goes over cleartext ldap://.
root@sancho:~# ldapsearch -x -b "dc=alvaro,dc=gonzalonazareno,dc=org"
  19.  
  20. # alvaro.gonzalonazareno.org
  21. dn: dc=alvaro,dc=gonzalonazareno,dc=org
  22. objectClass: top
  23. objectClass: dcObject
  24. objectClass: organization
  25. o: alvaro.gonzalonazareno.org
  26. dc: alvaro
  27.  
  28. # admin, alvaro.gonzalonazareno.org
  29. dn: cn=admin,dc=alvaro,dc=gonzalonazareno,dc=org
  30. objectClass: simpleSecurityObject
  31. objectClass: organizationalRole
  32. cn: admin
  33. description: LDAP administrator
  34.  
  35. # search result
  36. search: 2
  37. result: 0 Success
  38.  
# Configuración LDAPs
#
# The CA certificate, the server certificate and the server private key are copied
# from freston. The private key is staged in ubuntu's home directory (readable by
# that user) and only later moved to /etc/ssl/private with root-only permissions;
# keep that window short, or copy it straight into place as root, e.g.
#   ssh root@sancho 'umask 077; cat > /etc/ssl/private/openstack.key' < /etc/ssl/private/openstack.key
# Also, scp -p preserves the source mode, which is how the key arrives with a stray
# execute bit (-r--r-x---) below and needs the chmod 400.
root@freston:~# scp -p /etc/ssl/certs/gonzalonazareno.crt ubuntu@sancho:
root@freston:~# scp -p /etc/ssl/certs/openstack.crt ubuntu@sancho:
root@freston:~# scp -p /etc/ssl/private/openstack.key ubuntu@sancho:
  44.  
  45. root@sancho:~# ls -l /home/ubuntu/
  46. total 20
  47. -rw-r--r-- 1 ubuntu ubuntu  3634 Dec 15 16:22 gonzalonazareno.crt
  48. -rw-r--r-- 1 ubuntu ubuntu 10097 Dec 15 13:27 openstack.crt
  49. -r--r-x--- 1 ubuntu ubuntu  3247 Dec 14 11:53 openstack.key
  50.  
  51. root@sancho:~# chown root:root /home/ubuntu/gonzalonazareno.crt
  52. root@sancho:~# chown root:root /home/ubuntu/openstack.crt
  53. root@sancho:~# chown root:root /home/ubuntu/openstack.key
  54. root@sancho:~# chmod 400 /home/ubuntu/openstack.key
  55.  
  56. root@sancho:~# mv /home/ubuntu/gonzalonazareno.crt /etc/ssl/certs/
  57. root@sancho:~# mv /home/ubuntu/openstack.crt /etc/ssl/certs/
  58. root@sancho:~# mv /home/ubuntu/openstack.key /etc/ssl/private/
  59.  
  60. root@sancho:~# ls -l /etc/ssl/certs/ | egrep '(openstack|gonzalonazareno)'
  61. -rw-r--r-- 1 root root   3634 Dec 15 16:22 gonzalonazareno.crt
  62. -rw-r--r-- 1 root root  10097 Dec 15 13:27 openstack.crt
  63.  
  64. root@sancho:~# ls -l /etc/ssl/private/
  65. total 4
  66. -r-------- 1 root root 3247 Dec 14 11:53 openstack.key
  67.  
# slapd runs as the openldap user (see "-u openldap" in the systemctl status
# below), so it must be able to read the key. A private key never needs the
# execute bit: "u:openldap:r--" is enough on the file, and "u:openldap:--x"
# (traverse only) suffices on /etc/ssl/private. The Debian/Ubuntu convention is
# the ssl-cert group rather than ACLs:
#   chgrp ssl-cert /etc/ssl/private/openstack.key && chmod 640 /etc/ssl/private/openstack.key
#   usermod -aG ssl-cert openldap
# Either way, verify the result before restarting slapd:
#   getfacl /etc/ssl/private/openstack.key
#   sudo -u openldap cat /etc/ssl/private/openstack.key > /dev/null
root@sancho:~# setfacl -m u:openldap:r-x /etc/ssl/private
root@sancho:~# setfacl -m u:openldap:r-x /etc/ssl/private/openstack.key
  70.  
  71. root@sancho:~# nano ldaps.ldif
  72.  
  73. dn: cn=config
  74. changetype: modify
  75. replace: olcTLSCACertificateFile
  76. olcTLSCACertificateFile: /etc/ssl/certs/gonzalonazareno.crt          
  77. -
  78. replace: olcTLSCertificateKeyFile
  79. olcTLSCertificateKeyFile: /etc/ssl/private/openstack.key
  80. -
  81. replace: olcTLSCertificateFile
  82. olcTLSCertificateFile: /etc/ssl/certs/openstack.crt
  83.  
  84. root@sancho:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldaps.ldif
  85. SASL/EXTERNAL authentication started
  86. SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  87. SASL SSF: 0
  88. modifying entry "cn=config"
  89.  
root@sancho:~# nano /etc/default/slapd

# before:
SLAPD_SERVICES="ldap:/// ldapi:///"

# after: add the ldaps:// listener (TCP/636). Plain ldap:/// is still served on
# every interface, so cleartext binds remain possible. Either bind it to the
# loopback only (ldap://127.0.0.1:389/) or require TLS for operations on the
# database (e.g. `olcSecurity: tls=1`), and firewall 389/636 to the clients that
# need them.
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
  95.  
  96. root@sancho:~# systemctl restart slapd
  97.  
  98. root@sancho:~# systemctl status slapd
  99. ● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
  100.      Loaded: loaded (/etc/init.d/slapd; generated)
  101.     Drop-In: /usr/lib/systemd/system/slapd.service.d
  102.              └─slapd-remain-after-exit.conf
  103.      Active: active (running) since Thu 2020-12-17 15:16:24 CET; 4s ago
  104.        Docs: man:systemd-sysv-generator(8)
  105.     Process: 5642 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
  106.       Tasks: 3 (limit: 533)
  107.      Memory: 3.8M
  108.      CGroup: /system.slice/slapd.service
  109.              └─5660 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
  110.  
  111. Dec 17 15:16:24 sancho systemd[1]: slapd.service: Succeeded.
  112. Dec 17 15:16:24 sancho systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
  113. Dec 17 15:16:24 sancho systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
  114. Dec 17 15:16:24 sancho slapd[5642]:  * Starting OpenLDAP slapd
  115. Dec 17 15:16:24 sancho slapd[5659]: @(#) $OpenLDAP: slapd  (Ubuntu) (Nov 16 2020 13:39:57) $
  116.                                             Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
  117. Dec 17 15:16:24 sancho slapd[5660]: slapd starting
  118. Dec 17 15:16:24 sancho slapd[5642]:    ...done.
  119. Dec 17 15:16:24 sancho systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
  120.  
root@sancho:~# netstat -tlnp | egrep 'slapd'
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      5660/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      5660/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      5660/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      5660/slapd
# 636 is up, but 389 still listens on all interfaces exactly as before (and the
# first netstat showed mysqld on 0.0.0.0:3306 too). Confirm the host firewall
# exposes only the ports and sources that clients actually need.
  126.  
# Trust the CA on this host so the local ldap-utils can verify the server
# certificate. The "skipping duplicate certificate" warning appears because the
# same CA was already copied into /etc/ssl/certs/ by hand earlier;
# /usr/local/share/ca-certificates/ is the right place for a local CA, and
# /etc/ssl/certs/ is best left to update-ca-certificates.
root@sancho:~# cp /etc/ssl/certs/gonzalonazareno.crt /usr/local/share/ca-certificates/

root@sancho:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping duplicate certificate in gonzalonazareno.crt
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
  135.  
# Test over TLS. ldap-utils default to TLS_REQCERT demand, so this succeeding
# should mean the chain verified against the system trust store and the
# certificate matched "localhost". Confirm it also carries the names remote
# clients will use, e.g.
#   openssl x509 -in /etc/ssl/certs/openstack.crt -noout -subject -ext subjectAltName
# and repeat the search from another host against
# ldaps://sancho.alvaro.gonzalonazareno.org to exercise the real hostname check.
# Never work around a failure here with TLS_REQCERT never/allow on the clients.
root@sancho:~# ldapsearch -x -b "dc=alvaro,dc=gonzalonazareno,dc=org" -H ldaps://localhost:636
  137.  
  138. # alvaro.gonzalonazareno.org
  139. dn: dc=alvaro,dc=gonzalonazareno,dc=org
  140. objectClass: top
  141. objectClass: dcObject
  142. objectClass: organization
  143. o: alvaro.gonzalonazareno.org
  144. dc: alvaro
  145.  
  146. # admin, alvaro.gonzalonazareno.org
  147. dn: cn=admin,dc=alvaro,dc=gonzalonazareno,dc=org
  148. objectClass: simpleSecurityObject
  149. objectClass: organizationalRole
  150. cn: admin
  151. description: LDAP administrator
  152.  
  153. # search result
  154. search: 2
  155. result: 0 Success
  156.  
root@sancho:~# nano /etc/ldap/ldap.conf

#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

# Default the client tools to TLS. Also set BASE so -b can be omitted, keep
# TLS_CACERT pointing at the system bundle (/etc/ssl/certs/ca-certificates.crt
# on Debian/Ubuntu, which now contains the CA added above) and leave
# TLS_REQCERT at its default "demand". "localhost" hides the hostname check that
# remote clients perform; on those clients use the server's FQDN instead.
URI     ldaps://localhost