Installing the package
USE flags:
USE="berkdb crypt gdbm perl samba ssl tcpd -debug -ipv6 -kerberos -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd"
The minimal flag must not be set.
Configuring the package
Schema
Copy our schema into the /etc/openldap/schema directory:
trueoffice.scheme
# This is a LDAPv3 schema for company attributes.
# Tested on OpenLDAP 2.3.43
# Posted by Alexandr Ivanchenko <Alexandr.Ivanchenko@trueoffice.ru>
##############
attributeType (
    1.3.6.1.4.1.2163420.1.1
    NAME 'toBirthday'
    DESC 'user birthday'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64}
    SINGLE-VALUE )
attributeType (
    1.3.6.1.4.1.2163420.1.2
    NAME 'toMail'
    DESC 'user`s email supplied by server'
    SUP mail )
attributeType (
    1.3.6.1.4.1.2163420.1.3
    NAME 'toNotifyMail'
    DESC 'email for notifications'
    SUP mail
    SINGLE-VALUE )
attributeType (
    1.3.6.1.4.1.2163420.1.4
    NAME 'toDistrict'
    DESC 'users district'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
attributeType (
    1.3.6.1.4.1.2163420.1.5
    NAME 'toSubway'
    DESC 'users nearest subway stations'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
attributeType (
    1.3.6.1.4.1.2163420.1.6
    NAME 'toMailAlias'
    DESC 'user`s email supplied by server'
    SUP mail )
attributeType (
    1.3.6.1.4.1.2163420.1.7
    NAME 'toGender'
    DESC 'user`s gender'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{1} )
objectClass (
    1.3.6.1.4.1.2163420.2.1
    NAME 'toAccount'
    DESC 'company account'
    AUXILIARY
    MUST toNotifyMail
    MAY ( toBirthday $ toMail $ toSubway $ toDistrict $ toMailAlias $ toGender ) )
Configuration file
The suffix and rootpw parameters are requested from the user and substituted into the template:
slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/rnmc.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "<suffix>"
checkpoint 32 30
rootdn "cn=admin,<suffix>"
rootpw <rootpw>
directory /var/lib/openldap-data
index objectClass eq
Configuration directory (slapd.d)
Create the directory:
# mkdir /etc/openldap/slapd.d/
# chown ldap:ldap /etc/openldap/slapd.d/
Delete everything in /var/lib/openldap-data/ except DB_CONFIG:
# rm `ls -1 /var/lib/openldap-data/ | grep -v DB_CONFIG | gawk {'print "/var/lib/openldap-data/" $0'} | xargs`
Generate the LDAP configuration file:
# sed -e 's/<suffix>/'${suffix}'/' -e 's/<rootpw>/'${pwd1}'/' /usr/libexec/trueoffice/slapd.conf.sample > /etc/openldap/slapd.conf
Generate the LDAP start-up parameters file:
# sed -e 's/<host>/'${host}'/' /usr/libexec/trueoffice/slapd-conf > /etc/conf.d/slapd
Empty the configuration directory:
# rm -rf /etc/openldap/slapd.d/*
Generate the configuration directory (started with both -f and -F, slapd converts slapd.conf into the slapd.d tree):
# /usr/lib/openldap/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
Populating LDAP
Composing the LDIF
add.ldif
dn: <suffix>
o: <company>
objectClass: organization
objectClass: top

dn: ou=users,<suffix>
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,<suffix>
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=computers,<suffix>
objectClass: top
objectClass: organizationalUnit
ou: computers

dn: ou=system,<suffix>
objectClass: top
objectClass: organizationalUnit
ou: system

dn: ou=sites,ou=system,<suffix>
objectClass: top
objectClass: organizationalUnit
ou: sites

dn: cn=manager,ou=system,<suffix>
objectClass: top
objectClass: inetOrgPerson
cn: manager
sn: manager
userPassword: <pass>

dn: cn=samba,ou=system,<suffix>
objectClass: top
objectClass: inetOrgPerson
cn: samba
sn: samba
userPassword: <pass>

dn: cn=nss,ou=system,<suffix>
objectClass: top
objectClass: inetOrgPerson
cn: nss
sn: nss
userPassword: <pass>

dn: cn=mail,ou=system,<suffix>
objectClass: top
objectClass: inetOrgPerson
cn: mail
sn: mail
userPassword: <pass>

dn: cn=webmail,ou=sites,ou=system,<suffix>
objectClass: top
objectClass: inetOrgPerson
cn: webmail
sn: webmail
userPassword: <pass>
<suffix> is the value specified earlier;
<pass> is generated separately for each account as follows:
# makepasswd -char 20
All generated passwords are then printed to the screen in the form <username>:<pass>
Adding the data to LDAP
Create the directory tree:
# sed -e 's/<suffix>/'${suffix}'/' -e 's/<company>/'${suf2}'/' /usr/libexec/trueoffice/add.ldif | /usr/lib/openldap/slapd -h ldap://${host} -u ldap -g ldap -F /etc/openldap/slapd.d -Tadd
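The add.ldif template above carries each account's <pass> as a clear-text userPassword, so whatever makepasswd produced is stored in the directory unhashed. The following Python script is an added example, not part of this guide or of the trueoffice installer: it builds the same tree (root entry, the five organizational units and the five service accounts, in the same order), generates a fresh 20-character password per account, stores each one as a salted {SSHA} hash of the kind slappasswd produces, and returns the <username>:<pass> report the guide prints. The suffix dc=example,dc=com and the company name are constructed values; the resulting LDIF can be fed to the slapd -Tadd step exactly as the template is.

```python
import base64
import hashlib
import secrets
import string

# Entries from the guide's add.ldif, in the order they are loaded (relative to the suffix).
ORG_UNITS = ["ou=users", "ou=groups", "ou=computers", "ou=system", "ou=sites,ou=system"]
SERVICE_ACCOUNTS = ["cn=manager,ou=system", "cn=samba,ou=system", "cn=nss,ou=system",
                    "cn=mail,ou=system", "cn=webmail,ou=sites,ou=system"]
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def make_password(length=20):
    """Random printable password, playing the role of 'makepasswd -char 20' in the guide."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def ssha(password, salt=None):
    """Salted SHA-1 in the {SSHA} form slappasswd emits; slapd verifies it on simple bind."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a password against a {SSHA} value (the salt is whatever follows the 20-byte digest)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def entry(dn, *attrs):
    """One LDIF entry; entries are separated by a blank line in build_ldif."""
    return "\n".join(["dn: " + dn, *attrs]) + "\n"


def build_ldif(suffix, company):
    """Return (ldif_text, {account_name: clear_password}) for the guide's tree."""
    passwords = {}
    entries = [entry(suffix, "o: " + company, "objectClass: organization", "objectClass: top")]
    for ou in ORG_UNITS:
        name = ou.split(",")[0][len("ou="):]
        entries.append(entry(f"{ou},{suffix}", "objectClass: top",
                             "objectClass: organizationalUnit", "ou: " + name))
    for acct in SERVICE_ACCOUNTS:
        name = acct.split(",")[0][len("cn="):]
        passwords[name] = make_password()          # one independent password per account
        entries.append(entry(f"{acct},{suffix}", "objectClass: top", "objectClass: inetOrgPerson",
                             "cn: " + name, "sn: " + name,
                             "userPassword: " + ssha(passwords[name])))
    return "\n".join(entries), passwords


def credentials_report(passwords):
    """The <username>:<pass> lines the guide prints once generation is done."""
    return "\n".join(f"{name}:{pw}" for name, pw in passwords.items())


if __name__ == "__main__":
    ldif, pws = build_ldif("dc=example,dc=com", "Example Ltd")   # constructed sample values
    print(ldif)
    print(credentials_report(pws))
```

Only the hash reaches the LDIF, so the clear passwords exist solely in the printed report that is handed to the service configurations (samba, nss, postfix and so on); the report is the thing to protect, not the LDIF.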
Access rights
access to attrs=toMail,toMailAlias
    by dn="cn=manager,ou=system,<suffix>" write
    by dn="cn=mail,ou=system,<suffix>" read
    by dn="cn=webmail,ou=sites,ou=system,<suffix>" read
    by * none
access to attrs=userPassword
    by dn="cn=manager,ou=system,<suffix>" write
    by self read
    by anonymous auth
    by dn="cn=mail,ou=system,<suffix>" read
    by dn="cn=nss,ou=system,<suffix>" read
    by * none
access to attrs=toNotifyMail
    by dn="cn=manager,ou=system,<suffix>" write
    by self read
    by dn.subtree="ou=sites,ou=system,<suffix>" read
    by dn="cn=mail,ou=system,<suffix>" read
    by users none
    by * none
access to attrs=cn,sn,givenName,initials,displayName,mail,jpegPhoto,employeeType,title,mobile,labeledUri,toBirthday
    by dn="cn=manager,ou=system,<suffix>" write
    by self read
    by dn="cn=nss,ou=system,<suffix>" read
    by dn.subtree="ou=sites,ou=system,<suffix>" read
    by dn.children="ou=system,<suffix>" none
    by users read
    by * none
access to attrs=sambaSID,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,sambaAcctFlags
    by dn="cn=manager,ou=system,<suffix>" write
    by self none
    by dn="cn=samba,ou=system,<suffix>" read
    by users none
    by * none
access to attrs=gidNumber,loginShell
    by dn="cn=manager,ou=system,<suffix>" write
    by dn="cn=nss,ou=system,<suffix>" read
    by * none
access to attrs=homeDirectory,uidNumber,objectClass
    by dn="cn=manager,ou=system,<suffix>" write
    by dn.subtree="ou=sites,ou=system,<suffix>" read
    by dn="cn=mail,ou=system,<suffix>" read
    by dn="cn=nss,ou=system,<suffix>" read
    by * none
access to attrs=homePhone,homePostalAddress
    by dn="cn=manager,ou=system,<suffix>" write
    by * none
access to attrs=uid
    by dn="cn=manager,ou=system,<suffix>" write
    by self read
    by dn="cn=mail,ou=system,<suffix>" none
    by dn.subtree="ou=system,<suffix>" read
    by * search
access to dn.subtree="ou=system,<suffix>"
    by self read
    by dn.subtree="ou=system,<suffix>" read
    by * auth
access to *
    by dn="cn=manager,ou=system,<suffix>" write
    by anonymous auth
    by self read
    by users read
    by * none
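slapd evaluates these directives in order: the first "access to" whose target (entry DN plus attribute) matches is the only one consulted, and inside it the first "by" clause that matches the requester decides, with an implicit "by * none" closing every directive. That makes the effective rights of each service account hard to read off by eye, so the following Python checker is an added example (not from the guide) that loads the ACL above verbatim, with dc=example,dc=com as a constructed stand-in for <suffix>, and reports the level a given requester gets on a given attribute of a given entry. It supports only the "who" forms this ACL uses (dn=, dn.subtree=, dn.children=, self, anonymous, users, *) and ignores sets, regular expressions and the stop/break/continue controls.

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed stand-in for the guide's <suffix>
# slapd access levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# the 'by <who> <level>' forms used by this ACL (no sets, regexes or controls)
WHO_RE = re.compile(r'(dn(?:\.subtree|\.children)?="[^"]+"|self|anonymous|users|\*)\s+(\w+)')

# The guide's ACL, verbatim apart from the suffix substitution (clauses packed per line).
ACL_TEXT = """
access to attrs=toMail,toMailAlias
  by dn="cn=manager,ou=system,<suffix>" write by dn="cn=mail,ou=system,<suffix>" read
  by dn="cn=webmail,ou=sites,ou=system,<suffix>" read by * none
access to attrs=userPassword
  by dn="cn=manager,ou=system,<suffix>" write by self read by anonymous auth
  by dn="cn=mail,ou=system,<suffix>" read by dn="cn=nss,ou=system,<suffix>" read by * none
access to attrs=toNotifyMail
  by dn="cn=manager,ou=system,<suffix>" write by self read by dn.subtree="ou=sites,ou=system,<suffix>" read
  by dn="cn=mail,ou=system,<suffix>" read by users none by * none
access to attrs=cn,sn,givenName,initials,displayName,mail,jpegPhoto,employeeType,title,mobile,labeledUri,toBirthday
  by dn="cn=manager,ou=system,<suffix>" write by self read by dn="cn=nss,ou=system,<suffix>" read
  by dn.subtree="ou=sites,ou=system,<suffix>" read by dn.children="ou=system,<suffix>" none
  by users read by * none
access to attrs=sambaSID,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,sambaAcctFlags
  by dn="cn=manager,ou=system,<suffix>" write by self none
  by dn="cn=samba,ou=system,<suffix>" read by users none by * none
access to attrs=gidNumber,loginShell
  by dn="cn=manager,ou=system,<suffix>" write by dn="cn=nss,ou=system,<suffix>" read by * none
access to attrs=homeDirectory,uidNumber,objectClass
  by dn="cn=manager,ou=system,<suffix>" write by dn.subtree="ou=sites,ou=system,<suffix>" read
  by dn="cn=mail,ou=system,<suffix>" read by dn="cn=nss,ou=system,<suffix>" read by * none
access to attrs=homePhone,homePostalAddress
  by dn="cn=manager,ou=system,<suffix>" write by * none
access to attrs=uid
  by dn="cn=manager,ou=system,<suffix>" write by self read by dn="cn=mail,ou=system,<suffix>" none
  by dn.subtree="ou=system,<suffix>" read by * search
access to dn.subtree="ou=system,<suffix>"
  by self read by dn.subtree="ou=system,<suffix>" read by * auth
access to *
  by dn="cn=manager,ou=system,<suffix>" write by anonymous auth by self read by users read by * none
""".replace("<suffix>", SUFFIX)


def parse_acl(text):
    """List of (target, [(who, level), ...]) in file order; the implicit 'by * none' is appended."""
    rules = []
    for chunk in re.split(r"\baccess\s+to\s+", " ".join(text.split()))[1:]:
        target, *clauses = re.split(r"\s+by\s+", chunk.strip())
        bys = [(m.group(1), m.group(2).lower()) for m in map(WHO_RE.fullmatch, clauses)]
        rules.append((target, bys + [("*", "none")]))
    return rules


def _under(dn, base):  # dn.subtree semantics: base itself or any entry below it
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def target_matches(target, entry_dn, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in target[len("attrs="):].lower().split(",")
    return _under(entry_dn, re.fullmatch(r'dn\.subtree="([^"]+)"', target).group(1))


def who_matches(who, requester, entry_dn):  # requester is a bind DN, or None if anonymous
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester is None) == (who == "anonymous")
    if requester is None:
        return False
    if who == "self":
        return requester.lower() == entry_dn.lower()
    kind, value = who.split("=", 1)
    value = value.strip('"')
    if kind == "dn":
        return requester.lower() == value.lower()
    if kind == "dn.subtree":
        return _under(requester, value)
    return _under(requester, value) and requester.lower() != value.lower()  # dn.children


RULES = parse_acl(ACL_TEXT)


def granted(requester, entry_dn, attr, rules=RULES):
    """Level slapd grants: first directive whose target matches, then its first matching 'by'."""
    for target, bys in rules:
        if target_matches(target, entry_dn, attr):
            for who, level in bys:
                if who_matches(who, requester, entry_dn):
                    return level
    return "none"  # no directive matched at all


def allows(requester, entry_dn, attr, needed, rules=RULES):
    return LEVELS.index(granted(requester, entry_dn, attr, rules)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = f"uid=alice,ou=users,{SUFFIX}"  # constructed ordinary user entry
    for who in (None, alice, f"cn=mail,ou=system,{SUFFIX}", f"cn=samba,ou=system,{SUFFIX}"):
        print(who or "anonymous", {a: granted(who, alice, a)
                                   for a in ("uid", "cn", "toNotifyMail", "userPassword", "sambaNTPassword")})
```

Running it shows, for instance, that an ordinary user can read other users' cn but not their toNotifyMail, that cn=samba reads sambaNTPassword but is denied cn (it falls under the dn.children="ou=system" clause while cn=webmail under ou=sites does not), that cn=mail is denied uid even though it reads toMail, that anonymous connections get only search on uid and auth on userPassword, and that both cn=mail and cn=nss can read every entry's userPassword hash, including cn=manager's. That last grant is the one to review against what the mail and NSS clients actually need before the directory goes into service.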