How to Create OpenLDAP Member Groups

2023-10-11 21:32
Article tags: create, member, openldap

This article mainly introduces how to create OpenLDAP member groups, in the hope that it offers some reference value to those solving programming problems; developers who need it can follow along and learn together!

Original link: https://kifarunix.com/how-to-create-openldap-member-groups/
How to Create OpenLDAP Member Groups
By koromicha - November 15, 2019
When assigning specific access rights or permissions to users whose access to various organization systems or resources is controlled via directory or identity management tools like OpenLDAP or FreeIPA, it is more practical and less time consuming to manage them as a group. In this guide, we are going to learn how to create OpenLDAP member groups so that you can control what a specific group of members is authorized to do on a given organization system or resource.

How to Create OpenLDAP Member Groups
Before you can proceed with this guide, we assume that you already have an OpenLDAP server up and running. Otherwise, you can check our OpenLDAP guides by following the links below;

Install and Setup OpenLDAP on CentOS 8

How to Configure SUDO via OpenLDAP Server

Configure SSSD for OpenLDAP Authentication on CentOS 8

Well, so how do you create member groups on OpenLDAP?

Enabling OpenLDAP memberof Overlay
OpenLDAP group membership is provided by the memberof overlay. An overlay is a component of OpenLDAP that performs functions similar to those provided by the OpenLDAP database backends.

Overlays can be dynamically loaded as modules, or they can be compiled directly into the OpenLDAP server daemon, slapd.

To check whether the memberof overlay module has already been loaded, run:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i module

As you can see in the output below, only the MDB database backend module is loaded.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
...

Find the location of the memberof overlay module and confirm that it matches the olcModulePath shown above. The path below might be different in your case.

find / -iname memberof.la
/usr/libexec/openldap/memberof.la

Therefore, load the memberof overlay module into slapd by creating an LDIF file as shown below.

vim update-module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
Load the module into slapd.
ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldif

If you do not want to modify the existing module entry, you can instead add a separate module entry to the configuration tree.

vim load-memberof-module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/libexec/openldap
ldapadd -Y EXTERNAL -H ldapi:/// -f load-memberof-module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

Verify again that the module is loaded.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i module
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
...

Add memberof Overlay to SLAPD database
Now that the memberof overlay module is loaded, you need to enable the overlay on the OpenLDAP database.

The overlay must be attached to a specific database backend. To locate your database backend, run the command below. In our case we are using the MDB database, hence the grep for mdb.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdb

Note the index number of your database (the {1} in the output below); it is used in the overlay DN in the next step.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
Create an LDIF file with your memberof overlay attributes as shown below.
vim add-memberof-overlay.ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

For more information on the overlay attributes used above, consult man slapo-memberof.

Update the OpenLDAP database with memberof overlay attributes.

ldapadd -Y EXTERNAL -H ldapi:/// -f add-memberof-overlay.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"

Another important aspect of OpenLDAP group membership is referential integrity. Consider the line olcMemberOfRefInt: TRUE. This line enables what is called referential integrity, which ensures that references between entries in the database stay consistent. For example, if a member entry is changed, all the groups to which the member belongs are updated as well.

Referential Integrity is also managed by an overlay which has to be loaded via a module.

find / -iname refint.la
/usr/libexec/openldap/refint.la

Since the module location is the same, you can simply load the refint module as follows;
vim add-refint.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la
ldapadd -Y EXTERNAL -H ldapi:/// -f add-refint.ldif

Read more on man slapo-refint.
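The module and overlay steps above hard-code the cn=module{0} entry and the {1}mdb database index, both of which differ between servers. As an added example that is not part of the original guide, the Python snippet below reads a cn=config dump like the ones shown above and emits the corresponding LDIF (following the guide's first approach of modifying cn=module{0}), adding only the modules that are not yet loaded so that it can be re-run safely. CONFIG_DUMP is a constructed dump and the function names are my own.

```python
import re

# Constructed ldapsearch -b cn=config output (not from a real server): one module entry
# with only the MDB backend loaded, and one MDB database at index {1}.
CONFIG_DUMP = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
"""

def loaded_modules(dump):
    """Module file names already listed in olcModuleLoad, with the {n} ordering prefix removed."""
    return {re.sub(r"^\{\d+\}", "", v) for v in re.findall(r"^olcModuleLoad:\s*(\S+)", dump, re.M)}

def mdb_database_rdn(dump):
    """The olcDatabase RDN of the MDB backend, e.g. '{1}mdb'; the index is server-specific."""
    found = re.findall(r"^olcDatabase:\s*(\{\d+\}mdb)", dump, re.M)
    if len(found) != 1:
        raise ValueError("expected exactly one mdb database, found %r" % found)
    return found[0]

def module_load_ldif(dump, wanted=("memberof.la", "refint.la")):
    """Modify LDIF for cn=module{0} that adds only the wanted modules not yet loaded.
    Returns '' when nothing is missing, so the caller can skip the ldapadd entirely."""
    missing = [m for m in wanted if m not in loaded_modules(dump)]
    if not missing:
        return ""
    body = "".join("olcModuleLoad: %s\n" % m for m in missing)
    return "dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\n" + body

def overlay_ldif(dump):
    """The olcOverlay=memberof entry from the guide, bound to this server's mdb index."""
    return ("dn: olcOverlay=memberof,olcDatabase=%s,cn=config\n" % mdb_database_rdn(dump)
            + "objectClass: olcMemberOf\nobjectClass: olcOverlayConfig\nobjectClass: olcConfig\n"
            + "objectClass: top\nolcOverlay: memberof\nolcMemberOfRefInt: TRUE\n"
            + "olcMemberOfDangling: ignore\nolcMemberOfGroupOC: groupOfNames\n"
            + "olcMemberOfMemberAD: member\nolcMemberOfMemberOfAD: memberOf\n")
```

Feed it the output of the ldapsearch commands above and pipe each returned LDIF into ldapadd -Y EXTERNAL -H ldapi:/// exactly as the guide does.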

Create OpenLDAP Member Groups
The OpenLDAP memberof overlay is now set up. The next step is to create member groups so that you can impose specific access control authorization.

Assuming you have the following users in your OpenLDAP database, for example;

uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

To create an OpenLDAP member group with the above users as members, you can use an LDIF file as shown below;

vim member-group.ldif

Note that we have already created a groups OU, ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com, in our case. As such, this LDIF will simply create a group called admins with the above users as members.

dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapadd -Y EXTERNAL -H ldapi:/// -f member-group.ldif

Check that the group is created;

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=admins
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

The memberOf attribute is automatically added to user entries to indicate the groups that the user belongs to. It is an operational attribute, so ldapsearch returns it only when it is requested explicitly, as in the search below.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" memberOf

Add OpenLDAP Users to Groups
You can also add members to specific groups using the memberOf attribute. For example, to add the user janedoe to the admins group created above;

vim memberof.ldif
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: memberOf
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

Then update the slapd database;

ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOf
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

Well, you now have OpenLDAP groups and members added.
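Once groups exist, the member values on the group and the memberOf values on the users should tell the same story; that consistency is what olcMemberOfRefInt and the refint overlay in the earlier section are meant to preserve. As an added example that is not part of the original guide, the Python snippet below audits an ldapsearch export (users requested with memberOf, plus the groups) and flags member values that point at entries which do not exist, users missing a memberOf that their group grants, and memberOf values that no group backs; the last case matters wherever an application authorizes on memberOf alone. EXPORT is a constructed export and the function names are my own.

```python
# Constructed LDIF export of users (with memberOf) and one group; not from a real server.
EXPORT = """\
dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=ghost,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
"""

def normalize(dn):
    # DN matching is case-insensitive; also drop spaces around RDN separators
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Minimal LDIF reader (plain values only): unfold ' ' continuations, split on blank lines."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[normalize(attrs["dn"][0])] = attrs
    return entries

def audit(entries, group_oc="groupofnames"):
    """Compare group 'member' values with user 'memberOf' values in both directions;
    returns (finding, entry_dn, referenced_dn) tuples, empty when everything is consistent."""
    findings, expected = [], {}  # expected: user dn -> groups whose member attribute lists it
    for dn, attrs in entries.items():
        if group_oc in [oc.lower() for oc in attrs.get("objectclass", [])]:
            for m in map(normalize, attrs.get("member", [])):
                if m in entries:
                    expected.setdefault(m, set()).add(dn)
                else:  # the case olcMemberOfDangling and the refint overlay exist to handle
                    findings.append(("dangling-member", dn, m))
    for dn, attrs in entries.items():
        have = {normalize(v) for v in attrs.get("memberof", [])}
        want = expected.get(dn, set())
        findings += [("missing-memberof", dn, g) for g in sorted(want - have)]
        findings += [("stale-memberof", dn, g) for g in sorted(have - want)]  # claim no group backs
    return findings
```

On a live server, produce the input with ldapsearch -LLL ... "(|(objectClass=groupOfNames)(uid=*))" '*' memberOf and pass the text to parse_ldif.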

That concludes this article on how to create OpenLDAP member groups; we hope the articles we recommend are helpful to programmers!


