suffix-change, simplified steps, password-recovery

Denis Knauf 2018-04-01 21:37:44 +02:00
parent 52f3274f41
commit 59dd497c98
6 changed files with 86 additions and 16 deletions

00.suffix.ldif.sh Executable file

@ -0,0 +1,13 @@
#!/bin/sh
basedn=`cat basedn`
cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $basedn
-
replace: olcRootDN
olcRootDN: cn=admin,$basedn
EOF
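Review bot: `basedn=\`cat basedn\`` has no guard, so when the `basedn` file is missing or empty the generated LDIF replaces `olcSuffix` with an empty value and sets `olcRootDN` to the malformed `cn=admin,`; since the README pipes this straight into `ldapmodify` against `cn=config`, add `basedn=$(cat basedn) && [ -n "$basedn" ] || { echo "basedn file missing or empty" >&2; exit 1; }` before the heredoc. Also please confirm that `cn=admin,$basedn` is the entry `30.root.ldif.sh` creates: that script's hunk shows `cn: root`, and if the two DNs differ, the `olcRootDN` set here will not correspond to the administrator entry whose `userPassword` is generated there.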


@ -1,4 +1,5 @@
dn: cn=config dn: cn=config
changetype: modify
add: olcPasswordHash add: olcPasswordHash
olcPasswordHash: {CRYPT} olcPasswordHash: {CRYPT}
- -
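Review bot: `olcPasswordHash: {CRYPT}` only selects the scheme; the salt and crypt format used when slapd hashes a password itself (the `ldappasswd` path the README recommends for changes) come from `olcCryptSaltFormat`, which this LDIF does not set. So only the scripts that call `slappasswd -c '$5$rounds=8000$%.16s'` produce SHA-256 crypt with 8000 rounds, while a later `ldappasswd` change falls back to the server's default crypt format. Consider a second modification in this file: `-` / `add: olcCryptSaltFormat` / `olcCryptSaltFormat: $5$rounds=8000$%.16s`, so both paths yield the same hash strength.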


@ -20,7 +20,7 @@ objectClass: simpleSecurityObject
objectClass: organizationalRole objectClass: organizationalRole
cn: root cn: root
description: LDAP administrator description: LDAP administrator
userPassword:: `slappasswd -h '{CRYPT}' -c '$5$rounds=8000$%.16s' -s "$pw" | base64 -w0` userPassword:: `/usr/sbin/slappasswd -h '{CRYPT}' -c '$5$rounds=8000$%.16s' -s "$pw" | base64 -w0`
structuralObjectClass: organizationalRole structuralObjectClass: organizationalRole
dn: ou=People,$basedn dn: ou=People,$basedn
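Review bot: the absolute `/usr/sbin/slappasswd` is reasonable here, because the README runs this script as the invoking (unprivileged) user whose PATH may not include `/usr/sbin`, but the same path and crypt format `'$5$rounds=8000$%.16s'` are now duplicated verbatim in `99.passwordrecovery.ldif.sh`. Consider moving both into a shared snippet (or a small file read the same way `basedn` is), so a future change to the rounds or scheme cannot leave the root hash and the recovery hash with different strengths.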


@ -11,7 +11,7 @@ pw=`pwgen 8 1`
echo "# Password: $pw" >&2 echo "# Password: $pw" >&2
cat <<EOF cat <<EOF
dn: cn=$1,ou=People,`cat basedn` dn: uid=$1,ou=People,`cat basedn`
objectClass: top objectClass: top
objectClass: simpleSecurityObject objectClass: simpleSecurityObject
objectClass: organizationalPerson objectClass: organizationalPerson
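Review bot: the DN changes to `uid=$1,ou=People,...`, but the visible object classes (`top`, `simpleSecurityObject`, `organizationalPerson`) do not define `uid`, and slapd rejects an add whose naming attribute is absent from the entry (namingViolation), so this `ldapadd` will fail unless the rest of the script emits `uid: $1` under a class that permits it (for example `inetOrgPerson`); please confirm. Secondary point: `pw=\`pwgen 8 1\`` in the hunk context yields an 8-character initial password that, per the README, stays in place until the user runs `ldappasswd`; a longer default such as `pwgen -s 16 1` costs nothing here.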


@ -0,0 +1,20 @@
#!/bin/sh
if ! [ 4 -eq $# ]
then
echo "Usage: $0 \$userdn" >&2
echo "random password will be printed. Use ldappasswd for changing it" >&2
exit 1
fi
user="$1"
pw=`pwgen 8 1`
echo "# Password: $pw" >&2
cat <<EOF
dn: $1
changeType: modify
replace: userPassword
userPassword:: `/usr/sbin/slappasswd -h '{CRYPT}' -c '$5$rounds=8000$%.16s' -s "$pw" | base64 -w0`
EOF
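Review bot: the argument check `if ! [ 4 -eq $# ]` contradicts both the usage line and the README, which call this script with a single `$userdn`; with one argument it always prints usage and exits 1, and with four it would silently use only `$1`. Change it to `[ 1 -eq $# ]`. Minor: `user="$1"` is assigned but never used (`dn: $1` is used instead), and `changeType:` should be the lowercase `changetype:` that the other LDIF in this commit uses, for consistency.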


@ -1,12 +1,43 @@
Add your basedn to basedn (eg: `echo o=denkn,c=at > basedn`). Pre
===
For initialization, first shutdown slapd and delete the content of `/var/lib/ldap/` (you will loose all of your data!), Install slapd and ldap-utils:
then use:
./00.root.ldif.sh | slapadd -b `cat basedn` -v sudo aptitude install slapd ldap-utils
chown -R openldap:openldap /var/lib/ldap/
Now you can start slapd with your fresh config. It will ask for eg. domain, password.
If your domain is `example.net`, your basedn will be `dc=example,dc=net`.
If you want to use an other basedn, for example `o=example,c=de`,
debian/ubuntu will not provide any way to do that.
Thats because while these steps your database will be lost and you can choose your basedn.
Add your basedn to file `basedn`:
echo dc=example,dc=net > basedn
Init
====
Usefull defaults for security (better Passwordhashes):
ldapmodify -H ldapi:// -Y EXTERNAL -f 10.acls.ldif
ldapmodify -H ldapi:// -Y EXTERNAL -f 20.passwordhash.ldif
BaseDN
======
These steps will erase your database.
If you do not want to change your BaseDN, skip this step.
The next step will print your new password on STDERR, so note it.
You can change it any time.
./00.suffix.ldif.sh | sudo ldapmodify -H ldapi:// -Y external
./30.root.ldif.sh | sudo -u openldap -i slapadd -vb `cat basedn`
Clientconfig
============
Add these lines to `/etc/ldap/ldap.conf`: Add these lines to `/etc/ldap/ldap.conf`:
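Review bot: the two `ldapmodify -H ldapi:// -Y EXTERNAL -f 10.acls.ldif` / `20.passwordhash.ldif` commands under "Init" run without `sudo`, unlike the `sudo ldapmodify` in the BaseDN section; with `-Y EXTERNAL` over `ldapi://` the identity is the connecting process's uid/gid, and Debian's default `cn=config` ACL grants write access to uid 0 only, so run as a normal user these modifications are denied and the "better Passwordhashes" default is never applied. Prefix both with `sudo`. The BaseDN section also warns "These steps will erase your database", yet neither command listed there removes existing data; either the warning is stale or the step the removed text described (stop slapd, clear `/var/lib/ldap/`, fix ownership) is missing. Spelling: "loose" should be "lose", "Thats" "That's", "Usefull" "Useful", "Passwordhashes" "password hashes", "Clientconfig" "Client config".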
@ -15,19 +46,24 @@ Add these lines to `/etc/ldap/ldap.conf`:
URI ldapi:// URI ldapi://
EOF EOF
Via `ldapadd -Y EXTERNAL` you can add any other ldif. Add an user
===========
For adding 10 and 20 use: [BROKEN, do it manually in `/etc/...`]
ldapmodify -Y EXTERNAL -f 10.acls.ldif
ldapmodify -Y EXTERNAL -f 20.passwordhash.ldif
For adding an user run: For adding an user run:
./90.user.ldif.sh username givenname surname emailaddr | ldapadd -Y EXTERNAL ./90.user.ldif.sh "$username" "$givenname" "$surname" "$emailaddr" | ldapadd -H ldapi:// -Y EXTERNAL
It will print the password on STDERR. It will print the password on STDERR.
The DN will be uid=$username,$basedn
Changing Passwords
==================
For changing password use: For changing password use:
ldappasswd -xASD YOURDN ldappasswd -xASD $yourdn
If you forgot your password, the administator can change the password via:
./99.passwordrecovery.ldif.sh $yourdn| sudo ldapmodify -H ldapi:// -Y external
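Review bot: "The DN will be uid=$username,$basedn" does not match what `90.user.ldif.sh` generates in this same commit (`dn: uid=$1,ou=People,...`); it should read `uid=$username,ou=People,$basedn`, otherwise the `ldappasswd -xASD $yourdn` and recovery examples below it target a non-existent entry. Also `-Y external` (lowercase, here and in the BaseDN section) is inconsistent with `-Y EXTERNAL` elsewhere in the README, and `$yourdn| sudo` is missing a space before the pipe.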