DBASE UPGRADE/RECOVERY:
cd /var/lib/openldap-data
The database consists of objects, each object identified by its "dn".
Each object can have some attributes (and may be required to have some, depending
on the object). These attributes can also be objects.
a. suffix is the database root, for example dn="o=DarkSoft" (here 'o' is an
attribute and 'DarkSoft' is its value).
b. a child's "dn" must end with the parent dn (dn="uid=root,o=DarkSoft")
2. You must construct your own object types and attributes yourself or use
3. Some standard objects:
inetOrgPerson, Person, organization, country
uid - Personal Identifier (may be a user name, not a number)
street - Street Address
ou - Organization Unit Name
5. Sample database element which can be added with the ldapadd command:
objectclass: organization
dn: uid=csa,o=DarkSoft
objectclass: inetOrgPerson
userPassword: {MD5}cxbvNjegfihWUYtH+ThpUg==
cn: Suren A. Chilingaryan
a. objectclass specifies the type of the current object; it can inherit several
b. The password can be generated using "slappasswd"
c. Later come some attributes, which can later also be defined as
6. Comments on attributes
a. if you want to specify an attribute value with non-printable characters,
you can do it this way:
cn:: <something in BASE64 encoding>
b. you can also do this:
cn:< file:///path/to/file.jpeg
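The three value forms above (plain, "::" BASE64, ":<" file URL) plus LDIF continuation lines, handled by a small reader. This is an added example and not part of the original notes; the LDIF text, the description value and the temporary "photo" file are constructed for the demonstration, and only file:// URLs are accepted.

```python
# Added example (not from the original notes): a small LDIF reader that
# understands the three value forms the notes describe:
#   attr: value        plain value
#   attr:: base64      value given in BASE64 (non-printable characters)
#   attr:< file:///p   value read from a file URL
# It also joins continuation lines (a line starting with a single space
# continues the previous value) and splits entries on blank lines.
import base64
import os
import tempfile
from urllib.parse import urlparse, unquote


def _unfold(text):
    """Join LDIF continuation lines and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    return lines


def _read_file_url(url):
    """Read the bytes behind a file:// URL (only file URLs are accepted)."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "file":
        raise ValueError("only file:// URLs are supported: %r" % url)
    with open(unquote(parsed.path), "rb") as fh:
        return fh.read()


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values.

    Plain and base64 values are returned as str (decoded as UTF-8);
    file:// values are returned as raw bytes, since they may be binary
    (for example a jpegPhoto).
    """
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):                     # attr:: base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                   # attr:< url
            value = _read_file_url(rest[1:])
        else:                                        # attr: value (space optional)
            value = rest.lstrip(" ")
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def demo():
    """Parse a constructed LDIF using all three value forms; returns the entries."""
    photo_dir = tempfile.mkdtemp()
    photo_path = os.path.join(photo_dir, "photo.jpeg")
    with open(photo_path, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0constructed-jpeg-bytes")   # constructed, not a real image
    sample = (
        "dn: o=DarkSoft\n"
        "objectclass: organization\n"
        "o: DarkSoft\n"
        "\n"
        "dn: uid=csa,o=DarkSoft\n"
        "objectclass: inetOrgPerson\n"
        "uid: csa\n"
        "cn:Suren A. Chilingaryan\n"                    # no space after ':' is legal
        "# description holds a non-printable value, so it is base64-encoded\n"
        "description:: " + base64.b64encode("tab\there".encode()).decode() + "\n"
        "sn: Chilingaryan\n"
        " (continued)\n"                                # continuation line
        "jpegPhoto:< file://" + photo_path + "\n"
    )
    return parse_ldif(sample)


if __name__ == "__main__":
    for entry in demo():
        print(entry["dn"][0], sorted(entry))
```

Restricting ":<" to file:// URLs is deliberate: an LDIF file that can pull values from arbitrary URLs is a way to make the importing host fetch things on the author's behalf, so a reader that only ever touches local files is the safer default.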
include <filename> includes standard object types & attributes
sizelimit <n> max entries returned from a search
timelimit <n> search timeout
referral ldap://server.org if the entry can't be found here, look there
access to attr=userPassword
    by dn="cn=root,o=DarkSoft" write
    by dn="cn=root, o=DarkSoft" write
access to dn="(.*)? dc=..." attr=homePhone
    by dn="(.*)? dc=..." search
<user>: anonymous,users,self,dn="..."
WARNING: users means all users which have authenticated on the sasl server
using the specified realm!!!
<access>: none,compare,search,read,write (each next includes all previous)
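A model of how the "access to ... by ..." rules above are evaluated, added here as an example; it is not part of the original notes and not a slapd.conf parser. The level ladder (none < compare < search < read < write) and the subjects anonymous/users/self/dn="..." are taken from the notes; the first-match evaluation order (first matching "access to" clause, then first matching "by" clause inside it, deny otherwise) follows slapd's documented behaviour; the rule set in RULES is constructed for the demonstration.

```python
# Added example (not from the original notes): a small model of how slapd
# evaluates "access to <what> by <who> <level>" rules. Two points from the
# notes are built in:
#   * the levels none < compare < search < read < write form a ladder,
#     each level including all the ones before it;
#   * "users" means *every* authenticated identity, which is why a
#     "by users write" on userPassword hands the directory to anyone with a login.
# Evaluation order (first matching "access to" clause, then first matching
# "by" clause within it, deny if nothing matches) follows slapd's documented
# behaviour; the rule syntax is a simplified stand-in, not a slapd.conf parser.
import re

LEVELS = ["none", "compare", "search", "read", "write"]


def allows(granted, wanted):
    """True if the granted level covers the wanted one (ladder semantics)."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def who_matches(who, bind_dn, target_dn):
    """Match one 'by' subject against the requester.

    who is one of: "*", "anonymous", "users", "self", or "dn=<regex>".
    bind_dn is None for an anonymous request.
    """
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        pattern = who[3:].strip('"')
        return bind_dn is not None and re.fullmatch(pattern, bind_dn, re.I) is not None
    raise ValueError("unknown subject: %r" % who)


def what_matches(what, target_dn, attr):
    """Match the 'access to' target: optional dn regex and optional attr list."""
    dn_re = what.get("dn")
    if dn_re is not None and re.fullmatch(dn_re, target_dn, re.I) is None:
        return False
    attrs = what.get("attr")
    if attrs is not None and attr.lower() not in [a.lower() for a in attrs]:
        return False
    return True


def check(rules, bind_dn, target_dn, attr, wanted):
    """Decide whether bind_dn may perform `wanted` on target_dn's `attr`.

    rules: list of (what, [(who, level), ...]) in slapd.conf order.
    Returns (allowed, reason) so the caller can see which clause decided.
    """
    for i, (what, by_clauses) in enumerate(rules):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:          # first matching 'by' wins
            if who_matches(who, bind_dn, target_dn):
                return allows(level, wanted), "rule %d: by %s %s" % (i, who, level)
        return False, "rule %d: no 'by' clause matched" % i   # implicit deny
    return False, "no 'access to' clause matched"             # implicit deny


# Constructed rule set in the spirit of the notes' slapd.conf fragment.
RULES = [
    ({"attr": ["userPassword"]},
     [("dn=cn=root,o=DarkSoft", "write"),
      ("self", "write"),
      ("anonymous", "compare"),    # enough to compare a password, not to read it
      ("users", "none")]),
    ({"dn": r".*,o=DarkSoft"},
     [("users", "read"),
      ("anonymous", "search")]),
]


def demo():
    """Return a few decisions against RULES (expected values are in the test)."""
    root = "cn=root,o=DarkSoft"
    csa = "uid=csa,o=DarkSoft"
    other = "uid=bob,o=DarkSoft"
    return {
        "root_writes_pw": check(RULES, root, csa, "userPassword", "write")[0],
        "self_writes_pw": check(RULES, csa, csa, "userPassword", "write")[0],
        "other_reads_pw": check(RULES, other, csa, "userPassword", "read")[0],
        "anon_compares_pw": check(RULES, None, csa, "userPassword", "compare")[0],
        "anon_reads_pw": check(RULES, None, csa, "userPassword", "read")[0],
        "user_reads_cn": check(RULES, other, csa, "cn", "read")[0],
        "anon_reads_cn": check(RULES, None, csa, "cn", "read")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The order of "by" clauses matters: because the first match wins, a broad "by users" line placed before "by self" would silently override the per-user grant, which is the kind of mistake worth checking with a table like the one demo() produces before loading a real configuration.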
2. Next come the backend & database sections
database <type> & backend <type>
# simple authentication
rootdn "cn=root,o=DarkSoft"
rootpw {crypt}ijFYNcSNctBYg
a. suffix is the database root object
b. rootdn specifies the root user (yes, a user is also an object); this user
may really not be present in the database. OK, it was written in the documentation,
but in reality rootdn is a simple user, which doesn't require an object in the
database. But its privileges must be specified in the access section.
'rootpw' specifies this user's password...
1. Simple: access by specifying the so-called 'bind dn' (you must
specify 'rootdn' and this password).
rootpw secret (not encrypted at all)
rootpw {crypt}ijFYNcSNctBYg (encrypted password)
rootpw {MD5}... (password hashed with MD5)
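The "{SCHEME}base64" form used by rootpw and userPassword above, generated and verified in code. This is an added example, not part of the original notes and not slappasswd's own implementation; the password hashed in demo() is constructed. It implements {MD5}, {SHA} and salted {SSHA} (the scheme slappasswd defaults to) plus plaintext, and only recognises {crypt} without verifying it, since Python's crypt module is deprecated.

```python
# Added example (not from the original notes): generate and verify passwords in
# the "{SCHEME}base64" form that slappasswd produces and that rootpw /
# userPassword store. Formats implemented here:
#   {MD5}  base64(md5(password))                 unsalted
#   {SHA}  base64(sha1(password))                unsalted
#   {SSHA} base64(sha1(password + salt) + salt)  salted (4-byte salt, as slappasswd uses)
#   no prefix                                    plaintext, compared directly
# {crypt} values (as in "rootpw {crypt}ijFYNcSNctBYg") are recognised but not
# verified here, since Python's crypt module is deprecated.
import base64
import hashlib
import hmac
import os
import re

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def make_hash(password, scheme="SSHA", salt=None):
    """Return a stored-form password string for the given scheme."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        digest = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        digest = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def split_stored(stored):
    """Split '{SCHEME}payload' into (scheme, payload); plaintext -> (None, stored)."""
    m = _SCHEME_RE.match(stored)
    if m is None:
        return None, stored
    return m.group(1).upper(), m.group(2)


def verify(stored, candidate):
    """Check candidate against a stored value, using constant-time comparison."""
    scheme, payload = split_stored(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:                       # plaintext rootpw, e.g. "rootpw secret"
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme == "CRYPT":
        raise NotImplementedError("{crypt} verification is not implemented in this example")
    raw = base64.b64decode(payload)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]    # sha1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


def is_unsalted(stored):
    """True for schemes where equal passwords give equal stored values."""
    scheme, _ = split_stored(stored)
    return scheme in (None, "MD5", "SHA")


def demo():
    """Hash a constructed password under several schemes and verify each."""
    password = "constructed-example-password"
    results = {}
    for scheme in ("MD5", "SHA", "SSHA"):
        stored = make_hash(password, scheme)
        results[scheme] = (stored, verify(stored, password), verify(stored, "wrong"))
    results["plain"] = ("secret", verify("secret", "secret"), verify("secret", "wrong"))
    return results


if __name__ == "__main__":
    for scheme, (stored, ok, bad) in demo().items():
        print("%-5s %-45s correct=%s wrong=%s" % (scheme, stored, ok, bad))
```

Running make_hash twice on the same password gives identical {MD5} and {SHA} values but different {SSHA} values; that is the reason to prefer the salted scheme for anything stored in a database other people can read, and never the plaintext "rootpw secret" form.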
2. SASL authentication is based on users 'uid=<user name>@<realm>' in
'dn' terms. The so-called 'realm' is commonly the host name, but may be
something else; you can specify it in the global section of "ldap.conf"
("sasl-realm hell.crd.yerphi.am") and omit it in other places.
In this case 'rootdn' must be "uid=<username>". Passwords can be
set with 'saslpasswd':
saslpasswd -c <username>
It will automatically generate 'realms', but you can specify what
you want with the "-u" option.
3. You can specify several passwords ;)))
4. Indexes to generate (for searches)
index ( <attrlist> | default ) pres,eq,approx,sub,none
pres - presence index (the attribute is present)
eq - equality index
5. Sample configuration
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/local.schema
include /etc/openldap/slapd.access.conf
access to * by * read
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
modulepath /usr/lib/openldap
sasl-host hell.crd.yerphi.am
sasl-realm hell.crd.yerphi.am
rootdn "cn=root,o=DarkSoft"
rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
access to attr=userPassword
    by dn="cn=root,o=DarkSoft" write
    by dn="cn=root, o=DarkSoft" write
ldapadd -f <entry file> [ -D <bind dn> -x -W ] or [ -Y CRAM-MD5 -U <user name> ]
    [ -n <num> ] or [ -b <suffix> ]
-D <bind dn> -x -W - bind to the server using simple authentication, using
-Y CRAM-MD5 -U <user name> - bind to the server using SASL authentication
-n <num> - specifies the database to use (counted from 1)
-b <suffix> - specifies the database with the given suffix
ldapmodify -f <entry file> ...
ldapdelete -f <entry file> ...
if "-f" is not specified, commands can be read from standard input
ldapsearch [auth params] [dbase params] '(objectclass=*)'
4. Graphic interfaces
directory_administrator
1. ldap_sasl_interactive_bind_s: Can't find object
I don't know why, but openldap can't find the available sasl mechanisms; you
must specify one by hand, using the "-Y" switch.
2. My sasl has the "PLAIN", "DIGEST-MD5" and "CRAM-MD5" mechanisms, but ldap says
"unknown authentication method" on "PLAIN", and something about an incorrect
password on "DIGEST-MD5"; "CRAM-MD5" works for me.
Sorry, "DIGEST-MD5" also works if sasl-realm is specified in "ldap.conf"
3. ldap_sasl_interactive_bind_s: No such attribute
supportedSASLMechanisms can't be accessed. Add "access to * by * read"
to the global section in "slapd.conf".
It gives read access only to common objects not listed in the dbase section
4. ldap_sasl_interactive_bind_s: Authentication method not supported
ldap can't get read access to the file /var/lib/sasl/sasl.db
5. "gq" generates incorrect MD5 and SHA passwords; use slappasswd instead.
6. Warning! "users" is all users authenticated on the sasl server in the given realm
7. Warning! When you use '-D' for SASL authentication it gets the corresponding
users in a very strange way.
8. I can't find a way to pass credentials between users & the corresponding dn's. I mean,
for example, user 'csa' is authorized through SASL, but I have not seen how to pass
this authorisation to dn="uid=csa,o=DarkSoft".
9. No comments can be added in the access configuration
10. -d 393 is the best for debugging purposes