Directory Service with LDAP [4]: OpenLDAP (I)

Hello friends! Let's get down to business, and as we always recommend, read the three previous articles in the series:

DNS, DHCP and NTP are the minimum essential services for our simple directory based on native OpenLDAP, which works correctly on Debian 6.0 "Squeeze" or on Ubuntu 12.04 LTS "Precise Pangolin".

Example network:

LAN: 10.10.10.0/24
Domain: amigos.cu
Server: mildap.amigos.cu
Server operating system: Debian 6 "Squeeze"
Server IP address: 10.10.10.15
Client 1: debian7.amigos.cu
Client 2: raring.amigos.cu
Client 3: suse13.amigos.cu
Client 4: seven.amigos.cu

In this first part we will see:

  • OpenLDAP installation (slapd 2.4.23-7.3)
  • Post-installation check
  • Indexes to consider
  • Data access control rules
  • TLS certificate generation in Squeeze

while in the second part we will continue with:

  • Local user authentication
  • Populating the database
  • Managing the database with console utilities
  • Summary so far...

OpenLDAP installation (slapd 2.4.23-7.3)

The OpenLDAP server is installed with the slapd package. We must also install the ldap-utils package, which gives us the client-side tools as well as the OpenLDAP utilities themselves.

:~# aptitude install slapd ldap-utils

During the installation process, debconf asks us for the password of the administrator, the «admin» user. A series of default values is also established, the openldap system user is created, and the initial server configuration is generated together with the LDAP directory.

In early versions of OpenLDAP, the configuration of the slapd daemon was done entirely through the file /etc/ldap/slapd.conf. In the version we are using and in later ones, the configuration is done within slapd itself, and for this purpose a separate DIT «Directory Information Tree» is used.

This configuration method, known as RTC «Real Time Configuration» or as the cn=config method, allows us to configure slapd dynamically without having to restart the service.

The configuration database consists of a collection of text files in LDIF «LDAP Data Interchange Format» format, located in the directory /etc/ldap/slapd.d.

To get an idea of how the slapd.d directory is organized, let's run:

:~# ls -lR /etc/ldap/slapd.d/
/etc/ldap/slapd.d/:
total 8
drwxr-x--- 3 openldap openldap 4096 Feb 16 11:08 cn=config
-rw------- 1 openldap openldap  407 Feb 16 11:08 cn=config.ldif

/etc/ldap/slapd.d/cn=config:
total 28
-rw------- 1 openldap openldap  383 Feb 16 11:08 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Feb 16 11:08 cn=schema
-rw------- 1 openldap openldap  325 Feb 16 11:08 cn=schema.ldif
-rw------- 1 openldap openldap  343 Feb 16 11:08 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  472 Feb 16 11:08 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  586 Feb 16 11:08 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 1012 Feb 16 11:08 olcDatabase={1}hdb.ldif

/etc/ldap/slapd.d/cn=config/cn=schema:
total 40
-rw------- 1 openldap openldap 15474 Feb 16 11:08 cn={0}core.ldif
-rw------- 1 openldap openldap 11308 Feb 16 11:08 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6438 Feb 16 11:08 cn={2}nis.ldif
-rw------- 1 openldap openldap  2802 Feb 16 11:08 cn={3}inetorgperson.ldif

If we look at the previous output for a moment, we see that the backend used in Squeeze is the hdb database type, a variant of bdb "Berkeley Database" that is fully hierarchical and supports subtree renaming. To learn more about the backends that OpenLDAP supports, visit http://es.wikipedia.org/wiki/OpenLDAP.

We also see that three separate databases are used: one dedicated to the configuration, one for the frontend, and the last one being the hdb database proper.

Meanwhile, slapd is installed by default with the core, cosine, nis and inetorgperson schemas.

Post-installation check

In a terminal we check by running the following commands and reading their output. With the second one in particular, we examine the configuration that was established when the slapd.d directory was loaded.

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | more
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Explanation of each output entry:

  • cn=config: Global parameters.
  • cn=module{0},cn=config: Dynamically loaded module.
  • cn=schema,cn=config: Contains the hard-coded system-level schemas.
  • cn={0}core,cn=schema,cn=config: Hard-coded core schema.
  • cn={1}cosine,cn=schema,cn=config: Cosine schema.
  • cn={2}nis,cn=schema,cn=config: NIS schema.
  • cn={3}inetorgperson,cn=schema,cn=config: inetorgperson schema.
  • olcBackend={0}hdb,cn=config: hdb data storage backend type.
  • olcDatabase={-1}frontend,cn=config: Database frontend and default parameters for the other databases.
  • olcDatabase={0}config,cn=config: slapd configuration database (cn=config).
  • olcDatabase={1}hdb,cn=config: Our example database (dc=amigos,dc=cu).

:~# ldapsearch -x -LLL -H ldap:/// -b dc=amigos,dc=cu dn

dn: dc=amigos,dc=cu
dn: cn=admin,dc=amigos,dc=cu

  • dc=amigos,dc=cu: Base of the DIT «Directory Information Tree».
  • cn=admin,dc=amigos,dc=cu: Administrator (rootDN) of the DIT, declared during installation.

Note: the base suffix dc=amigos,dc=cu was derived by debconf during installation from the server's FQDN, mildap.amigos.cu.

Indexes to consider

Entries are indexed to improve the performance of searches on the DIT that use filter criteria. The indexes we will look at are the minimum recommended for the attributes declared in the default schemas.

To modify the database indexes dynamically, we create a text file in LDIF format and then add it to the database. We create the file olcDbIndex.ldif and leave it with the following contents:

:~# nano olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: memberUid eq,pres,sub
-
add: olcDbIndex
olcDbIndex: loginShell eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: givenName,ou pres,eq,sub
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: mail eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

We add the indexes to the database and check the changes:

:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcDbIndex

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: loginShell eq
olcDbIndex: uid pres,sub,eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: sn pres,sub,eq
olcDbIndex: givenName,ou pres,eq,sub
olcDbIndex: displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail eq,subinitial
olcDbIndex: dc eq

Data access control rules

The rules that determine which users can read, modify, add and delete data in the directory database are known as Access Control; we will call the set of rules that define that policy the Access Control Lists, or ACLs «Access Control Lists».

To find out which ACLs were declared by default during the installation of slapd, we run:

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={-1}frontend)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={0}config)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix

Each of the previous commands shows us the ACLs declared so far in our directory. Specifically, the last command shows all of them, while the first three show the access control rules for each of the three DITs included in our slapd.

On the subject of ACLs, and so as not to make this article too long, we recommend reading the manual page man slapd.access.

To make sure that users and administrators can modify their own loginShell and gecos entries, we add the following ACL:

## We create the olcAccess.ldif file and leave it with the following contents:
:~# nano olcAccess.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write by self write by * read

## We add the ACL
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif

## We check the changes
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix
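Both the olcDbIndex.ldif and olcAccess.ldif files above are modify-LDIF records whose layout ldapmodify checks strictly (the "invalid format" error reported in the comments below comes from trailing blanks or CR line endings). As an added example, not code from the original article, this POSIX sh script builds those records from a compact spec and lints a file for the invisible characters that trip ldapmodify; the target DN is the article's, while the function names and the "attr:indices" spec format are this script's own.

```shell
#!/bin/sh
# Added example (not from the original article): generate the modify-LDIF
# records used for olcDbIndex and olcAccess, and lint them for the
# whitespace defects ldapmodify rejects with "invalid format".
# Assumes the article's target DN; the "attr:indices" spec is our own format.

LDIF_DN='olcDatabase={1}hdb,cn=config'

# index_ldif ATTR:IDX [ATTR:IDX ...]
# One "add: olcDbIndex" change per argument, changes separated by "-" lines.
index_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$LDIF_DN"
    first=1
    for spec in "$@"; do
        attr=${spec%%:*}
        idx=${spec#*:}
        [ "$first" -eq 1 ] || printf '%s\n' -
        first=0
        printf 'add: olcDbIndex\nolcDbIndex: %s %s\n' "$attr" "$idx"
    done
}

# acl_ldif N "to <what> by <who> <access> ..."
# Adds one ACL as olcAccess value {N}; N fixes its position in the list.
acl_ldif() {
    n=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: {%s}%s\n' \
        "$LDIF_DN" "$n" "$*"
}

# write_article_index_ldif DIR: writes DIR/olcDbIndex.ldif with exactly the
# index set the article adds.
write_article_index_ldif() {
    index_ldif 'uidNumber:eq' 'gidNumber:eq' 'memberUid:eq,pres,sub' \
        'loginShell:eq' 'uid:pres,sub,eq' 'cn:pres,sub,eq' 'sn:pres,sub,eq' \
        'givenName,ou:pres,eq,sub' 'displayName:pres,sub,eq' 'default:sub' \
        'mail:eq,subinitial' 'dc:eq' > "$1/olcDbIndex.ldif"
}

# lint_ldif FILE: returns 0 if the file starts with "dn: " and no line carries
# trailing whitespace, a carriage return or a tab; otherwise reports and
# returns 1.  Run it before ldapmodify on anything pasted from a web page.
lint_ldif() {
    rc=0
    head -n 1 "$1" | grep -q '^dn: ' || { echo "$1: first line must be dn:"; rc=1; }
    if grep -n '[[:space:]]$' "$1" >/dev/null; then
        echo "$1: trailing whitespace or CR on line(s):" \
            "$(grep -n '[[:space:]]$' "$1" | cut -d: -f1 | tr '\n' ' ')"
        rc=1
    fi
    if grep -q "$(printf '\t')" "$1"; then
        echo "$1: tab characters are not allowed"
        rc=1
    fi
    return $rc
}
```

After `write_article_index_ldif .` and a clean `lint_ldif olcDbIndex.ldif`, the file is loaded exactly as in the article with `ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif`.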

TLS certificate generation in Squeeze

To authenticate securely against the OpenLDAP server, we must do so over an encrypted session, which we obtain by using TLS «Transport Layer Security».

The OpenLDAP server and its clients are able to use the TLS framework, which provides protection in terms of integrity and confidentiality, as well as support for secure LDAP authentication through the SASL «Simple Authentication and Security Layer» EXTERNAL mechanism.

Modern OpenLDAP servers favor the use of StartTLS over the ldaps:/// protocol, which is deprecated. For any questions, see "Start TLS v. ldaps://" at http://www.openldap.org/faq/data/cache/605.html

Just leave the file /etc/default/slapd with its default value SLAPD_SERVICES="ldap:/// ldapi:///", so as to use an encrypted channel between client and server, and so that the utilities themselves can manage the OpenLDAP installed on this host.

The procedure described here, based on the gnutls-bin and ssl-cert packages, works on Debian 6 "Squeeze" and also on Ubuntu Server 12.04. For Debian 7 "Wheezy" there is a different procedure based on OpenSSL.

Certificate generation in Squeeze is done as follows:

1.- We install the required packages
:~# aptitude install gnutls-bin ssl-cert

2.- We create the private key for the Certificate Authority
:~# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3.- We create the template that defines the CA (Certificate Authority)
:~# nano /etc/ssl/ca.info
cn = Friends of Cuba
ca
cert_signing_key

4.- We create the self-signed CA certificate for the clients
:~# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem

5.- We create the server's private key
:~# certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/mildap-key.pem

Note: replace "mildap" in the file name with the name of your server. Naming the certificate and key after both the server and the service that uses them helps keep things clear.

6.- We create the file /etc/ssl/mildap.info with the following contents:
:~# nano /etc/ssl/mildap.info
organization = Friends of Cuba
cn = mildap.amigos.cu
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Note: in the contents above we declare that the certificate is valid for a period of ten years. This parameter should be adjusted to your needs.

7.- We create the server certificate
:~# certtool --generate-certificate \
--load-privkey /etc/ssl/private/mildap-key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/mildap.info \
--outfile /etc/ssl/certs/mildap-cert.pem

Now that we have generated the required files, we only have to add to the directory the location of the self-signed certificate cacert.pem, of the server certificate mildap-cert.pem, and of the server's private key mildap-key.pem. We must also adjust the permissions and ownership of the generated files.

:~# nano /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

8.- We add it
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

9.- We adjust ownership and permissions
:~# adduser openldap ssl-cert
:~# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~# chmod g+r /etc/ssl/private/mildap-key.pem
:~# chmod o-r /etc/ssl/private/mildap-key.pem
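Steps 2 to 7 and 9 above, collected into one POSIX sh script as an added example (not code from the original article): the templates and certtool calls are parameterised by host name, organisation, validity and key size, and a check confirms the outcome of step 9, that the server key is readable by the ssl-cert group only. Function names and the DIR argument are this script's own; the file names follow the article (cakey.pem, cacert.pem, HOST-key.pem, HOST-cert.pem).

```shell
#!/bin/sh
# Added example (not from the original article): the Squeeze certificate
# procedure as functions, plus a permission check for the server key.
# DIR stands in for /etc/ssl; DIR/private and DIR/certs are created as needed.

# make_templates DIR HOST ORG DAYS: write ca.info and HOST.info (steps 3 and 6).
make_templates() {
    dir=$1 host=$2 org=$3 days=$4
    printf 'cn = %s\nca\ncert_signing_key\n' "$org" > "$dir/ca.info"
    printf 'organization = %s\ncn = %s\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = %s\n' \
        "$org" "$host" "$days" > "$dir/$host.info"
}

# issue_certs DIR HOST BITS: CA key, self-signed CA cert, server key and
# server cert (steps 2, 4, 5 and 7).  Requires certtool from gnutls-bin.
issue_certs() {
    dir=$1 host=$2 bits=$3
    command -v certtool >/dev/null || { echo "certtool not found (install gnutls-bin)"; return 2; }
    mkdir -p "$dir/private" "$dir/certs"
    certtool --generate-privkey --outfile "$dir/private/cakey.pem"
    certtool --generate-self-signed --load-privkey "$dir/private/cakey.pem" \
        --template "$dir/ca.info" --outfile "$dir/certs/cacert.pem"
    certtool --generate-privkey --bits "$bits" --outfile "$dir/private/$host-key.pem"
    certtool --generate-certificate --load-privkey "$dir/private/$host-key.pem" \
        --load-ca-certificate "$dir/certs/cacert.pem" \
        --load-ca-privkey "$dir/private/cakey.pem" \
        --template "$dir/$host.info" --outfile "$dir/certs/$host-cert.pem"
}

# harden_key FILE GROUP: step 9 for one key file; slapd reads it through GROUP
# (ssl-cert on Debian), nobody else may.
harden_key() {
    chgrp "$2" "$1" && chmod u=rw,g=r,o= "$1"
}

# check_key_perms FILE GROUP: 0 when FILE is -rw-r----- and owned by GROUP;
# prints the reason and returns 1 otherwise.  Parses ls -l to stay POSIX.
check_key_perms() {
    set -- "$1" "$2" "$(ls -ld "$1")"
    mode=${3%% *}
    grp=$(echo "$3" | awk '{print $4}')
    case $mode in
        ?rw-r-----*) ;;     # owner rw, group r, no access for others
        *) echo "$1: mode $mode, want -rw-r-----"; return 1 ;;
    esac
    [ "$grp" = "$2" ] || { echo "$1: group $grp, want $2"; return 1; }
}
```

On the server the sequence is `make_templates /etc/ssl mildap.amigos.cu 'Friends of Cuba' 3650`, `issue_certs /etc/ssl mildap.amigos.cu 1024`, then `harden_key /etc/ssl/private/mildap.amigos.cu-key.pem ssl-cert` after `adduser openldap ssl-cert`.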

The cacert.pem certificate is the one we must copy to every client. For this certificate to be used on the server itself, we must declare it in the file /etc/ldap/ldap.conf. To do so, we edit the file and leave it with the following contents:

:~# nano /etc/ldap/ldap.conf
BASE       dc=amigos,dc=cu
URI        ldap://mildap.amigos.cu
TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, and as a check, we restart the slapd service and watch the server's syslog output to see whether the service restarted correctly using the newly declared certificate.

:~# service slapd restart
:~# tail /var/log/syslog

If the service does not restart correctly, or we see a serious error in syslog, let's not lose heart. We can try to fix the error or start over. If we choose to start the slapd installation from scratch, there is no need to reinstall our server.

To wipe everything we have done so far, for one reason or another, we must purge the slapd package and delete the directory /var/lib/ldap. We must also restore the file /etc/ldap/ldap.conf to its original version.

It is rare for everything to work correctly on the first try. 🙂

Remember that in the next part we will see:

  • Local user authentication
  • Populating the database
  • Managing the database with console utilities
  • Summary so far...

See you soon, friends!


  1.   Hugo said

    Master!!!
    WHAT A TUTORIAL!
    well done
    all my LIKES to you.
    😀

    1.    federico said

      Thank you very much, Hugo!!! Wait for the next articles on this subject.

  2.   thisnameisfalse said

    Hi,

    interesting series of articles.

    I was surprised to read this statement: "Modern OpenLDAP servers prefer to use StartTLS, or Start Secure Transport Layer, over the old TLS/SSL protocol, which is deprecated."

    Are you saying that, in all cases, even outside the LDAP standard, STARTTLS is a more secure method than TLS/SSL?

    1.    federico said

      Thanks for commenting. Note that I am referring to OpenLDAP. I go no further than that. At http://www.openldap.org/faq/data/cache/185.html you can read the following:

      Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.

      StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

      ldaps:// and LDAPS refer to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

      Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (except that ldaps:// requires configuration of a separate listener, see the -h option of slapd(8)) and result in like security services being established.
      Note:
      1) ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
      2) ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

      1.    thisnameisfalse said

        Sorry, but I am still not sure why you say that: 1) modern servers prefer STARTTLS over SSL/TLS; 2) STARTTLS is modern, as opposed to SSL/TLS, which is deprecated.

        I have been struggling for half a month with the configuration of several different clients that access the server over SSL (using the openssl libraries, as most free software does), with the CA certificates in /etc/ssl/certs/ and other details. And what I have learned is this: 1) STARTTLS only encrypts the authentication part of the session, and everything else is sent unencrypted; 2) SSL encrypts the whole content of the session. So there is no reason for STARTTLS to be better than SSL; I would even be inclined to think the opposite, since the content of your session travels unencrypted over the network.

        A different matter is that STARTTLS may be recommended for other reasons I am not aware of: compatibility with MSWindows, because its implementation is more stable or better tested... I don't know. That is why I am asking you.

        From the quote of the document you pasted in your reply, I see that the difference between ldap:// and ldaps:// is the same as between imap:// and imaps://, or between smtp:// and smtps://: a different port is used, one extra line is added to the configuration file, but all the other parameters stay the same. But that says nothing about preferring STARTTLS or not.

        Regards, and sorry for the rant. I am just trying to learn a little.

        1.    federico said

          Look, it is not very wise of me to state something in my articles without backing it up with a serious document. At the end of the series I include all the links to the documents I consider serious, and which I consulted to write the articles. I refer you to the following links:

          https://wiki.debian.org/LDAP/OpenLDAPSetup
          Ubuntu ServerGuide https://code.launchpad.net/serverguide
          OpenLDAP official documentation http://www.openldap.org/doc/admin24/index.html
          LDAP over SSL/TLS and StartTLS http://tt4cs.wordpress.com/2014/01/18/ldap-over-ssltls-and-starttls/

          I also consulted the documentation shipped with each package.

          The subject of security in general, and the difference between StartTLS and TLS/SSL, is so technical and deep that I do not consider myself knowledgeable enough to give such explanations. I think we could continue the conversation by email.

          Also, nowhere do I say that LDAPS:// cannot be used. If you think it is more secure, go ahead!!!

          I cannot help you any further, and I really appreciate your comments.

        2.    federico said

          To clarify a bit what you can find, at least about OpenLDAP, at:
          http://www.openldap.org/faq/data/cache/605.html

          The StartTLS extended operation [RFC 2830] is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection. While the mechanism is designed for use with TLSv1, most implementations will fall back to SSLv3 (and SSLv2) if necessary.

          ldaps:// is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. Though originally designed for use with LDAPv2 and SSLv2, many implementations support its use with LDAPv3 and TLSv1. Although there is no technical specification for ldaps://, it is widely used.

          ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both.
          For security reasons the server should be configured not to accept SSLv2.

  3.   Free said

    This will be one of those articles that users don't comment on because, since they only watch porn on their Linux workstations, they don't need it. As for ldap, I have several dependent services within the heterogeneous network of the company I work for. Good article!!

    1.    federico said

      Thanks for commenting!!! And your remark about the few comments on many of my articles is true. However, I do receive emails from interested readers, or from others who download the article to read and use it later.

      It is always useful to get feedback through the comments, even if it is just: I saved it to read later, interesting, or any other opinion.

  4.   federico said

    Free!!! Thanks for commenting. I received your comment by email but I cannot see it here even after refreshing the page several times. Friend, you can try this and the previous articles without problems on Squeeze or Ubuntu Server 12.04. On Wheezy the certificates are generated differently, using OpenSSL. But that is all. All the best, brother!!!

  5.   federico said

    @thisnameisfalse: even the best writer gets muddled. Thanks to your comments, I think the paragraph in question should read as follows:

    Modern OpenLDAP servers favor the use of StartTLS, or Start Transport Layer Security, over the LDAPS:// protocol, which is deprecated. For any questions, see "Start TLS v. ldaps://" at http://www.openldap.org/faq/data/cache/605.html

  6.   Jose Monge said

    Perfect, now I have homework on ldap

  7.   Walter said

    Couldn't you put everything in a single file so the complete tutorial can be downloaded?

  8.   ever said

    I am a computer specialist with extensive Linux experience, yet I still got lost halfway through the article. Then I read it again more carefully. Thanks a lot for the tutorial.
    Although it is true that it helps us understand better why ActiveDirectory is usually chosen for these things. There are abysmal differences when it comes to ease of configuration and implementation.

  9.   federico said

    Thanks everyone for commenting!!!
    @jose monge, I hope it helps you
    @walter at the end of all the articles, I will see whether I can put together a compendium in html or pdf format
    @eVeR it is the other way around: OpenLDAP is simpler, even if it does not look like it, than Active Directory. Wait for the next articles and you will see.

  10.   Marcelo said

    A question: I follow the configuration step by step, but when I restart the slapd service it throws the following error:

    Jul 30 15:27:37 xxxx slapd[1219]: @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "CHANGETYPE" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "ADD" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: <= str2entry: slap_str2undef_ad(-): empty AttributeDescription
    Jul 30 15:27:37 xxxxx slapd[1219]: slapd stopped.
    Jul 30 15:27:37 xxxxx slapd[1219]: connections_destroy: nothing to destroy.

    1.    x11tete11x said

      you can ask in the forum 😀 http://foro.desdelinux.net/

  11.   petrop said

    For everyone who finds this excellent and very well explained post and runs into this problem when creating the ACLs:
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}hdb,dc=config"

    After racking my brains searching the internet, it turns out ldapmodify is very picky about the exact format, beyond what you see on the web page. It gets confused by invisible characters and trailing spaces. Without further ado, the instruction is to write the contents one line after another, like X write by self write by * read. If it still does not work, use Notepad++ > View > Show Symbol, and finally death to the invisible characters. I hope it helps someone.

  12.   petrop said

    To generate the certificates for Debian Wheezy based on OpenSSL, this may work:
    http://blog.phenobarbital.info/2014/10/openldap-tlsssl-configuracion-basica-y-aseguramiento/