本文主要是介绍如何创建OpenLDAP成员组,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
原文连接:https://kifarunix.com/how-to-create-openldap-member-groups/
How to Create OpenLDAP Member Groups
By koromicha -November 15, 201904213
While assigning specific access rights or permissions to users whose access to various organization systems or resources are controlled via directory or identity management tools like OpenLDAP or FreeIPA, it is more feasible and less time consuming to manage this as a group. In this guide, we are going to learn how to Create OpenLDAP Member Groups to enable you to control what a specific group of members are authorized to do on a given organization system or resource.
How to Create OpenLDAP Member Groups
Before you can proceed with this guide, we assume that you already have an OpenLDAP server up and running. Otherwise, you can check our OpenLDAP guides by following the links below;
Install and Setup OpenLDAP on CentOS 8
How to Configure SUDO via OpenLDAP Server
Configure SSSD for OpenLDAP Authentication on CentOS 8
Well, so how do you create member groups on OpenLDAP?
Enabling OpenLDAP memberof Overlay
The OpenLDAP group membership is provided by the memberof overlay. An overlay is component of OpenLDAP that is used to perform functions similar to the functions provided by an OpenLDAP database backends.
Overlays can be dynamically loaded via the overlays modules or can be compiled directly into OpenLDAP database, slapd.
To check if the memberof overlay module has already been loaded.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -LLL | grep -i module
As you can see in the output below, only MDB database backend module is loaded.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
...
Find the location of the memberof overlay module and confirm if matches the already specified path above. The path below might be different in your case.
find / -iname memberof.la
/usr/libexec/openldap/memberof.la
Therefore, update the slapd database with the memberof overlay module by creating an ldif file as shown below.
vim update-module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
Load the module into slapd.
ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldif
If you do not want to update the existing module, you can add another module directory information tree.
vim load-memberof-module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/libexec/openldap
ldapadd -Y EXTERNAL -H ldapi:/// -f load-memberof-module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
Verify again that the module is loaded.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -LLL | grep -i module
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
...
Add memberof Overlay to SLAPD database
Now that the memberof overlay modules is loaded, you then need to update it on OpenLDAP database.
The overlay should be updated on a specific database backend. To locate your database backend, you can simply run the command. In our case, we are using MDB database hence grep mdb.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdb
Note the sequential order of your database schema.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
Create an LDIF file with your memberof overlay attributes as shown below.
vim add-memberof-overlay.ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
For more information on the overlay attributes used above, consult, man slapo-memberof.
Update the OpenLDAP database with memberof overlay attributes.
ldapadd -Y EXTERNAL -H ldapi:/// -f add-memberof-overlay.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
Another important aspect of OpenLDAP group membership is the Referential Integrity. Consider the line olcMemberOfRefInt: TRUE. This line basically enables what is called referential integrity which ensures that the integrity of the database schema is kept. For example, if any attributes of a member are adjusted, all the groups on which the member belongs are also updated.
Referential Integrity is also managed by an overlay which has to be loaded via a module.
find / -iname refint.la/usr/libexec/openldap/refint.la
Since the module location is the same, you can simply load the refint module as follows;
vim add-refint.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la
ldapadd -Y EXTERNAL -H ldapi:/// -f add-refint.ldif
Read more on man slapo-refint.
Create OpenLDAP Member Groups
The OpenLDAP memberof overlay is now setup. The next step is to create member groups to enable you impose specific access control authorization.
Assuming you have the following users in your OpenLDAP database, for example;
uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
To create openldap member group with the above users as members, you can use an LDIF file as shown below;
vim member-group.ldif
Note that we have already created a Group OU, ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com, in our case. As such, this ldif will will simply create a group called admins with the above users as members.
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapadd -Y EXTERNAL -H ldapi:/// -f member-group.ldif
Check that the group is created;
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=admins
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
The memberOf attribute is automatically added to user entries to indicate a group that the user belongs to. You can search the members using the memberOf attribute.
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" memberOf
Add OpenLDAP Users to Groups
You can as well add members to specific groups using the memberOf attribute. For example, to add the user, janedoe to the admins groups created above;
vim memberof.ldif
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: memberOf
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
The update the slapd database;
ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOf
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=comdn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=comdn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=comdn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
Well, you now have OpenLDAP groups and members added.
这篇关于如何创建OpenLDAP成员组的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
