Directory Service with LDAP [4]: OpenLDAP (I)

Greetings, friends! Let's get down to business and, as always, we recommend that you read the three earlier articles of the series first:

DNS, DHCP and NTP are the minimum services our simple directory, based on a native OpenLDAP, needs in order to work correctly on Debian 6.0 "Squeeze" or Ubuntu 12.04 LTS "Precise Pangolin".

Example network:

LAN: 10.10.10.0/24
Domain: amigos.cu
Server: mildap.amigos.cu
Server operating system: Debian 6 "Squeeze"
Server IP address: 10.10.10.15
Client 1: debian7.amigos.cu
Client 2: raring.amigos.cu
Client 3: suse13.amigos.cu
Client 4: seven.amigos.cu

In Part One we will see:

  • Installing OpenLDAP (slapd 2.4.23-7.3)
  • Post-installation checks
  • Index considerations
  • Access control rules
  • Generating the TLS certificates on Squeeze

while in Part Two we will continue with:

  • Local user authentication
  • Populating the database
  • Managing the database with an administration tool
  • Summary so far ...

Installing OpenLDAP (slapd 2.4.23-7.3)

The OpenLDAP server is installed through the slapd package. We must also install the ldap-utils package, which gives us a few client tools as well as utilities specific to OpenLDAP.

:~# aptitude install slapd ldap-utils

During the installation, slapd asks us for the password of the administrator, the "admin" user. A number of dependencies are installed as well; the openldap user is created; and the initial configuration of the service is created, together with the LDAP directory itself.

In earlier versions of OpenLDAP, the configuration of the slapd daemon was done in the file /etc/ldap/slapd.conf. In the version we are using, and in later ones, the configuration is kept inside slapd itself, in a separate DIT, "Directory Information Tree", reserved for that purpose.

This configuration method, known as RTC, "Real Time Configuration", or the cn=config method, lets us configure slapd dynamically, without restarting the service.

The configuration information is stored as text files in LDIF format, "LDAP Data Interchange Format", under the directory /etc/ldap/slapd.d.

To get an idea of how the slapd.d directory is organised, we run:

:~# ls -lR /etc/ldap/slapd.d/
/etc/ldap/slapd.d/:
total 8
drwxr-x--- 3 openldap openldap 4096 Feb 16 11:08 cn=config
-rw------- 1 openldap openldap  407 Feb 16 11:08 cn=config.ldif

/etc/ldap/slapd.d/cn=config:
total 28
-rw------- 1 openldap openldap  383 Feb 16 11:08 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Feb 16 11:08 cn=schema
-rw------- 1 openldap openldap  325 Feb 16 11:08 cn=schema.ldif
-rw------- 1 openldap openldap  343 Feb 16 11:08 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  472 Feb 16 11:08 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  586 Feb 16 11:08 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 1012 Feb 16 11:08 olcDatabase={1}hdb.ldif

/etc/ldap/slapd.d/cn=config/cn=schema:
total 40
-rw------- 1 openldap openldap 15474 Feb 16 11:08 cn={0}core.ldif
-rw------- 1 openldap openldap 11308 Feb 16 11:08 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6438 Feb 16 11:08 cn={2}nis.ldif
-rw------- 1 openldap openldap  2802 Feb 16 11:08 cn={3}inetorgperson.ldif

If we look closely at the output above, we see that the Backend used on Squeeze is the hdb database type, a variant of bdb, "Berkeley Database", which is fully hierarchical and supports subtree renames. To learn more about the Backends OpenLDAP supports, visit http://es.wikipedia.org/wiki/OpenLDAP.

We also see that three different databases are in use: one dedicated to the configuration, another one for the frontend, and the last one, the hdb database proper.

On the other hand, slapd was installed with the Core, Cosine, Nis and InetOrgPerson schemas loaded automatically.

Post-installation checks

We run the following in a terminal, calmly, and read the output. With the second command in particular we will check the configuration that the listing of the slapd.d directory reflected.

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | more
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Explanation of each output line:

  • cn=config: Global parameters.
  • cn=module{0},cn=config: Dynamically loaded module.
  • cn=schema,cn=config: Contains the hard-coded system-level schema.
  • cn={0}core,cn=schema,cn=config: Hard-coded core schema.
  • cn={1}cosine,cn=schema,cn=config: Cosine schema.
  • cn={2}nis,cn=schema,cn=config: Nis schema.
  • cn={3}inetorgperson,cn=schema,cn=config: InetOrgPerson schema.
  • olcBackend={0}hdb,cn=config: Backend of storage type hdb.
  • olcDatabase={-1}frontend,cn=config: Frontend database and default parameters for the other databases.
  • olcDatabase={0}config,cn=config: Configuration database of slapd (cn=config).
  • olcDatabase={1}hdb,cn=config: Our database instance (dc=amigos,dc=cu).

:~# ldapsearch -x -LLL -H ldap:/// -b dc=amigos,dc=cu dn
dn: dc=amigos,dc=cu
dn: cn=admin,dc=amigos,dc=cu

  • dc=amigos,dc=cu: Base of the Directory Information Tree, DIT.
  • cn=admin,dc=amigos,dc=cu: Administrator (rootDN) of the DIT, declared during the installation.

Note: The suffix dc=amigos,dc=cu was derived by slapd during the installation from the server's FQDN, mildap.amigos.cu.

Index considerations

Indexes are created to improve the performance of searches over the DIT that use filter conditions. The indexes we will consider are the minimum recommended ones, based on the attributes declared in the default schemas.

To modify the database indexes dynamically, we create a text file in LDIF format and then add it to the Directory. We create the file olcDbIndex.ldif and leave it with the following content:

:~# nano olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber eq
-
add: olcDbIndex
olcDbIndex: memberUid eq,pres,sub
-
add: olcDbIndex
olcDbIndex: loginShell eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: givenName,ou pres,eq,sub
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: mail eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

We add the indexes to the database and check the modification:

:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcDbIndex

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: loginShell eq
olcDbIndex: uid pres,sub,eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: sn pres,sub,eq
olcDbIndex: givenName,ou pres,eq,sub
olcDbIndex: displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail eq,subinitial
olcDbIndex: dc eq
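The change records above (and the olcAccess and TLS ones further down) are typed by hand, and ldapmodify rejects them with "invalid format (line N)" over details that are easy to miss: a trailing space, an invisible character pasted from the browser, a missing "-" between two operations, or a DN typed as dc=config. The following linter is an added example, not part of the article or of the OpenLDAP tools; its two sample records are constructed here, one correct and one mangled the way the comments at the end of the page describe.

```python
"""Pre-flight checks for the cn=config change records used in this article.

Added example (not from the article or OpenLDAP). It reports the hand-editing
mistakes that make ldapmodify fail with "invalid format (line N)": trailing or
invisible characters, a DN under dc=config instead of cn=config, two modify
operations without a '-' line between them, and an 'add: X' with no 'X:' value.
"""
import re

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.\-]*):\s*(.*)$")
OPS = ("add", "replace", "delete")


def lint_ldif(text):
    """Return [(line_number, message), ...]; an empty list means the record looks sane."""
    problems, seen_dn, no = [], False, 0
    pending, satisfied = None, True   # open modify operation and whether it got a value
    for no, raw in enumerate(text.split("\n"), 1):
        if raw != raw.rstrip(" \t\r"):
            problems.append((no, "trailing whitespace (it becomes part of the value)"))
        odd = [c for c in raw if ord(c) > 126 or (ord(c) < 32 and c != "\t")]
        if odd:
            problems.append((no, "invisible or non-ASCII character %r" % odd[0]))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":
            if pending is None:
                problems.append((no, "'-' outside a modify operation"))
            elif not satisfied:
                problems.append((no, "'%s:' value missing before '-'" % pending))
            pending, satisfied = None, True
            continue
        m = ATTR_LINE.match(line)
        if not m:
            problems.append((no, "not 'attribute: value' (invalid format)"))
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            if seen_dn:
                problems.append((no, "second 'dn:' line; one record per file here"))
            if value.lower().endswith("dc=config"):
                problems.append((no, "the configuration DIT is cn=config, not dc=config"))
            seen_dn = True
        elif not seen_dn:
            problems.append((no, "'dn:' must be the first line of the record"))
        elif attr == "changetype":
            if value.lower() not in ("add", "modify", "delete", "modrdn"):
                problems.append((no, "unknown changetype '%s'" % value))
        elif attr in OPS:
            if pending is not None:
                problems.append((no, "missing '-' separator before this '%s:' line" % attr))
            pending, satisfied = value, attr == "delete"   # delete may carry no value
        elif pending is not None and attr != pending.lower():
            problems.append((no, "expected '%s:' here, found '%s:'" % (pending, attr)))
        elif pending is not None:
            satisfied = True
    if pending is not None and not satisfied:
        problems.append((no, "'%s:' value missing at end of record" % pending))
    return problems


# Constructed inputs: the article's ACL record as intended, and a copy mangled the
# way the comments describe (dc=config, a trailing tab, a no-break space pasted
# from the browser, and a second operation without the '-' separator).
GOOD = (
    "dn: olcDatabase={1}hdb,cn=config\n"
    "changetype: modify\n"
    "add: olcAccess\n"
    'olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" '
    "write by self write by * read\n"
)
BAD = (
    "dn: olcDatabase={1}hdb,dc=config\n"
    "changetype: modify\n"
    "add: olcAccess\t\n"
    "olcAccess: {1}to attrs=loginShell,gecos by self\u00a0write by * read\n"
    "add: olcDbIndex\n"
    "olcDbIndex: dc eq\n"
)

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ldif(text) or "ok")
```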

Access control rules

The rules that determine how users can read, modify, add and delete the data stored in the Directory are known as Access Control, while we call Access Control Lists, or ACL, the policies that lay down those rules.

To find out which ACLs were declared by default during the installation of slapd, we run:

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={-1}frontend)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={0}config)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix

Each of the commands above shows us the ACLs declared so far in our Directory. In particular, the last command shows all of them, while the first three give us the access control rules of each of the three DITs that slapd manages.

On the subject of ACLs, and so as not to make the article too long, we recommend reading the slapd man pages.

To guarantee users and administrators the access they need to update their loginShell and gecos entries, we will add the following ACL:

## We create the file olcAccess.ldif and leave it with the following content:
:~# nano olcAccess.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write by self write by * read

## We add the ACL
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif

## We check the changes
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix
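The {1} prefix in the LDIF above is what places the new rule in front of the catch-all "to *" rule: slapd evaluates olcAccess rules in order and stops at the first one whose target matches, so the same rule appended after the catch-all would never be consulted for loginShell or gecos. The evaluator below is an added example, not part of the article or of OpenLDAP; it models that first-match logic for the subset of ACL syntax used here. The baseline rules and the user entries are constructed for the example (the baseline is an assumption, not the output of the ldapsearch commands above).

```python
"""First-match evaluator for the olcAccess rules used in this article.

Added example (not from the article or OpenLDAP). Models the subset of slapd
ACL syntax used here: to * / attrs=... / dn.base="", by self / anonymous /
users / * / dn="...". Rules and user entries below are constructed.
"""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN = "cn=admin,dc=amigos,dc=cu"
PEPE = "uid=pepe,ou=people,dc=amigos,dc=cu"   # constructed user entries
ANA = "uid=ana,ou=people,dc=amigos,dc=cu"

BASELINE = [   # constructed baseline; the catch-all gives ordinary users read only
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="%s" write by * none' % ADMIN,
    '{1}to dn.base="" by * read',
    '{2}to * by dn="%s" write by * read' % ADMIN,
]
ARTICLE_RULE = ('{1}to attrs=loginShell,gecos by dn="%s" write by self write '
                'by * read' % ADMIN)


def parse_acl(rule):
    """'{n}to <what> by <who> <level> ...' -> (what, [(who, level), ...])."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", rule.strip()))   # keeps dn="..." whole
    assert tokens[0] == "to", "rule must start with 'to'"
    what, rest, clauses = tokens[1], tokens[2:], []
    while rest:
        assert rest[0] == "by" and len(rest) >= 3, "malformed 'by' clause"
        clauses.append((rest[1], rest[2]))
        rest = rest[3:]
    return what, clauses


def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[8:].lower()
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who>: " + who)


def access(rules, bind_dn, target_dn, attr):
    """slapd semantics: the first rule whose <what> matches decides; within it the
    first matching <by> clause gives the level; no match at all means 'none'."""
    for rule in rules:
        what, clauses = parse_acl(rule)
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"   # a 'to' matched but no 'by' clause did
    return "none"


def allows(rules, bind_dn, target_dn, attr, wanted):
    return LEVELS.index(access(rules, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


def with_rule_at(rules, rule, index):
    """Insert a rule at position {index}, as the {n} prefix in the LDIF does."""
    new = list(rules)
    new.insert(index, re.sub(r"^\{\d+\}", "", rule))
    return new


INSERTED = with_rule_at(BASELINE, ARTICLE_RULE, 1)             # what the article does
APPENDED = with_rule_at(BASELINE, ARTICLE_RULE, len(BASELINE))  # placed after 'to *'
```

Note that "by * read" also covers anonymous binds, so the gecos and loginShell values are readable without authenticating under this rule.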

Generating the TLS certificates on Squeeze

To achieve secure authentication against the OpenLDAP server, we must do it over an encrypted session, which we can obtain by using TLS, "Transport Layer Security".

The OpenLDAP server and its clients can use the TLS framework to provide integrity and confidentiality protection, as well as to support secure LDAP authentication through the SASL, "Simple Authentication and Security Layer", EXTERNAL mechanism.

Modern OpenLDAP servers favour the use of StartTLS, or Start Transport Layer Security, over the ldaps:/// scheme, which is deprecated. For any doubt, see "Start TLS v. ldaps://" at http://www.openldap.org/faq/data/cache/605.html

We leave the file /etc/default/slapd as installed by default, with the line SLAPD_SERVICES="ldap:/// ldapi:///", the aim being to use an encrypted channel between clients and the server, and the local ldapi:/// socket for the requests that manage the locally installed OpenLDAP.

The procedure described here, based on the gnutls-bin and ssl-cert packages, is valid for Debian 6 "Squeeze" as well as for Ubuntu Server 12.04. For Debian 7 "Wheezy" there is a different procedure, based on OpenSSL.

Generating the certificates on "Squeeze" is done as follows:

1.- We install the required packages
:~# aptitude install gnutls-bin ssl-cert

2.- We create the private key of the Certificate Authority
:~# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3.- We create a template to define the CA (Certificate Authority)
:~# nano /etc/ssl/ca.info
cn = Amigos de Cuba ca
ca
cert_signing_key

4.- We create the self-signed CA certificate, the one the clients will trust
:~# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem

5.- We generate a private key for the server
:~# certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/mildap-key.pem

Note: Replace "mildap" in the file name above with the name of your server. Naming the certificate and the key after both the server and the service that uses them helps us avoid confusion.

6.- We create the file /etc/ssl/mildap.info with the following content:
:~# nano /etc/ssl/mildap.info
organization = Amigos de Cuba
cn = mildap.amigos.cu
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Note: In the template above we declare that the certificate will be valid for 10 years. Adjust the parameter as you see fit.

7.- We create the server certificate
:~# certtool --generate-certificate \
--load-privkey /etc/ssl/private/mildap-key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/mildap.info \
--outfile /etc/ssl/certs/mildap-cert.pem

So far we have generated the necessary files; we only have to add to the Directory the location of the self-signed certificate cacert.pem, of the server certificate mildap-cert.pem, and of the server private key mildap-key.pem. We must also adjust the permissions and ownership of the generated files.

:~# nano /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

8.- We add it:
:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

9.- We adjust ownership and permissions
:~# adduser openldap ssl-cert
:~# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~# chmod g+r /etc/ssl/private/mildap-key.pem
:~# chmod o-r /etc/ssl/private/mildap-key.pem

The certificate cacert.pem is the one we must copy to each client. For this certificate to be used on the server itself, we must declare it in the file /etc/ldap/ldap.conf. To do so, we edit the file and leave it with the following content:

:~# nano /etc/ldap/ldap.conf
BASE dc=amigos,dc=cu
URI ldap://mildap.amigos.cu
TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, and as a check, we restart the slapd service and look at the syslog output of the server, to confirm that the service restarted correctly with the newly declared certificate.

:~# service slapd restart
:~# tail /var/log/syslog

If the service does not restart correctly, or we see a serious error in syslog, let's not despair. We can try to repair the damage or start over. If we decide to start again from a clean installation of slapd, it is not necessary to reconfigure our server.

To wipe everything we have done so far, for one reason or another, we must purge the slapd package and then delete the directory /var/lib/ldap. We must also leave the file /etc/ldap/ldap.conf in its original form.

It is rare for everything to work correctly on the first attempt. 🙂

Remember that in the next part we will see:

  • Local user authentication
  • Populating the database
  • Managing the database with an administration tool
  • Summary so far ...

See you soon, friends!



  1.   Hugo said

    Teacher!!!
    WHAT A TUTORIAL!
    it is top-notch
    ALL THE LOVE IN THE WORLD TO YOU.

    1.    federico said

      Thank you very much, Hugo!!! Wait for the next articles on the subject.

  2.   thisnameisfalse said

    Hello

    your series of articles is interesting.

    I was surprised when I read this statement: "Modern OpenLDAP servers favour the use of StartTLS, or Start Transport Layer Security, over the old TLS/SSL protocol, which is deprecated."

    Are you claiming that, in all cases, even outside the scope of LDAP, STARTTLS is a security mechanism superior to TSL/SSL?

    1.    federico said

      Thank you for your comment. Note that I am talking about OpenLDAP. No more than that. At http://www.openldap.org/faq/data/cache/185.html you can read the following:

      Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.

      StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

      ldaps:// and LDAPS refers to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

      Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (excepting ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in the establishment of the same security services.
      Note:
      1) ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
      2) ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

      1.    thisnameisfalse said

        I'm sorry, but I still don't see why you claim: 1) that modern servers favour STARTTLS over SSL/TLS; 2) that STARTTLS is modern, as opposed to SSL/TLS, which is obsolete.

        I have spent half a month fighting with the configuration of various mail clients that fetch mail from an SSL server (using free and open libraries, mostly free software), with the CA certificates in /etc/ssl/certs/ and other things. And what I learned is that: 1) STARTTLS only encrypts the session authentication, everything else is sent unencrypted; 2) SSL encrypts the entire content of the session. Therefore, STARTTLS is in no way technically superior to SSL; I would tend to think the opposite, since the content of your session travels unencrypted over the network.

        Another, different matter is that STARTTLS is recommended for other reasons I am not aware of: compatibility with MSWindows, because the implementation is more stable or better tested... I don't know. That is why I am asking you.

        From the quote from the manual you attached in your reply, I gather that the difference between ldap:// and ldaps:// is equivalent to the difference between imap:// and imaps://, or between smtp:// and smtps://: another port is used, some additional entry is added to the configuration file, but the rest of the parameters are kept. But that says nothing about preferring STARTTLS or not.

        Regards, and sorry for the reply. I'm just trying to learn more.

        1.    federico said

          Look, it is rare that in my posts I make claims that are not backed by a serious publication. At the end of the series I will include all the links to the documentation I consider sound, and which I consulted to write the posts. I give you the following links in advance:

          https://wiki.debian.org/LDAP/OpenLDAPSetup
          Ubuntu Server Guide https://code.launchpad.net/serverguide
          OpenLDAP-Official http://www.openldap.org/doc/admin24/index.html
          LDAP over SSL/TLS and StartTLS http://tt4cs.wordpress.com/2014/01/18/ldap-over-ssltls-and-starttls/

          And also, I consulted the documentation that comes installed with each package.

          The matter of security in general, and of the difference between StartTLS and TLS/SSL, is a very, very deep technical subject and I do not consider myself to have the knowledge needed to give that kind of explanation. I think we can continue the conversation by e-mail.

          Besides, nowhere did I say that LDAPS:// cannot be used. If you consider it secure, go ahead!!!

          I cannot help you any further, and I am really pleased with your comments.

        2.    federico said

          A bit more clarity you can find - always about OpenLDAP -
          http://www.openldap.org/faq/data/cache/605.html

          The StartTLS extended operation [RFC 2830] is the standard LDAPv3 mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection. While the mechanism is designed for use with TLSv1, most implementations will fallback to SSLv3 (and SSLv2) if necessary.

          ldaps:// is a mechanism for establishing an SSL/TLS connection for LDAP. It requires use of a separate port, commonly 636. Though originally designed for use with LDAPv2 and SSLv2, many implementations support its use with LDAPv3 and TLSv1. Though there is no technical specification for ldaps:// it is widely used.

          ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both.
          For security reasons the server should be configured to not accept SSLv2.

  3.   freebsddick said

    This is going to be one of those articles users won't comment on because, since all they do is look at nudes on their Linux desktops, they simply don't care. Good article!!

    1.    federico said

      Thanks for commenting!!!. Your remark about the few comments on most of my articles is very true. However, I receive mail from interested readers, or from others who download the article to read and apply later.

      It is always very useful to get feedback through the comments, even if they are: "saved for later reading", "interesting", or any other opinion.

      Regards

  4.   federico said

    The Freeke!!! Thanks for commenting. I received your opinion on the post by mail, but I don't see it here even though I refreshed the page several times. Buddy, you can try this and the previous articles without any problem on Squeeze or Ubuntu Server 12.04. On Wheezy, the certificates are generated in a different way, using OpenSSL. But nothing more. Regards, brother!!!.

  5.   federico said

    @thisnameisfalse: Even the best scribe makes a blot. Thank you for your comments, I think the sentence in question should read as follows:

    Modern OpenLDAP servers favour the use of StartTLS, or Start Transport Layer Security, over the LDAPS:// scheme, which is deprecated. For any doubt, see Start TLS v. ldaps:// at http://www.openldap.org/faq/data/cache/605.html

    Regards

  6.   Jose Monge said

    Good, now I have homework on ldap

  7.   Walter said

    Couldn't you put everything into a single file, so that the complete tutorial can be downloaded?

  8.   eVR said

    I am a computer technician with extensive Linux experience, and even so I got lost halfway through the article. Later I will reread it carefully. Thank you very much for the tutorial.
    Although it is true that it lets us understand much better why ActiveDirectory is usually chosen for these things. There is an abysmal difference when it comes to ease of configuration and deployment.
    Regards

  9.   federico said

    Thanks to all of you for commenting!
    @jose monge, I hope it helps you
    @walter at the end of all the posts, I'll see whether I can make a compilation in html or pdf format
    @eVeR on the contrary, OpenLDAP is simpler - although it doesn't look like it - than Active Directory. wait for the next articles and you will see.

  10.   Marcelo said

    A question: I am doing the installation step by step, but when I restart the slapd service it throws me the following error>

    Jul 30 15:27:37 xxxx slapd[1219]: @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "CHANGETYPE" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "ADD" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: <= str2entry: slap_str2undef_ad(-): empty AttributeDescription
    Jul 30 15:27:37 xxxxx slapd[1219]: slapd stopped.
    Jul 30 15:27:37 xxxxx slapd[1219]: connections_destroy: nothing to destroy.

    1.    x11tete11x said

      you can ask in the forum 😀 http://foro.desdelinux.net/

  11.   isweydaarsiga said

    For whoever sees this good and well-explained post, this problem happens when creating the ACLs:
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}hdb,dc=config"

    After banging my head searching the internet, it turns out that ldapmodify is very strict with the format as it appears on the web page. It is very sensitive to wrong characters as well as trailing spaces. Without going any further, the advice is to write the conditions one after the other, i.e. X write by self write by * read. If it still doesn't work, install Notepad++ > View > Show symbol and finally kill off the invisible characters. I hope it helps someone.

  12.   isweydaarsiga said

    To create the certificates on Debian Wheezy based on OpenSSL, this can help:
    http://blog.phenobarbital.info/2014/10/openldap-tlsssl-configuracion-basica-y-aseguramiento/