Workshop_OpenLDAP
Uploaded by marcio-garcia
Transcript of Workshop_OpenLDAP
Agenda

What is it?
Advantages
Centralized administration
What you gain by using OpenLDAP
Installation and configuration
Cases

Introduction

In how many different places in your company is there data about your employees?

Current picture (diagram): the network, the applications and the proxy each keep their own copy of the user data.

Ideal picture (diagram): the proxy, the network and the applications all look users up in a single LDAP directory.

What is it?

LDAP: Lightweight Directory Access Protocol.
Directory?? Lightweight?!?!

Lightweight?
The original X.500 Directory Access Protocol (DAP) was designed for the OSI protocol stack; LDAP is its lightweight counterpart and runs directly over TCP/IP.

Directory service:
A database optimized for reading;
Tends to hold descriptive information;
Organized hierarchically (as a tree);
Optimized for fast responses;
Supports a high volume of lookups;
DNS is an example of a directory service; ...

Data organization (diagram of the directory tree)

OpenLDAP

History
The LDAP protocol started out at the University of Michigan, whose implementation was discontinued in 1996 (U-Mich LDAP 3.3).
In August 1998 Net Boolean, a company that hosted e-mail services for other companies on free software (Apache, FreeBSD, Sendmail, majordomo and U-Mich LDAP), founded the OpenLDAP Project with the goal "to provide open source LDAP software and information".

Version 1.0 of OpenLDAP was released in August 1998.
The OpenLDAP Project aims to develop a robust, complete, open-source implementation of the LDAP protocol, including the server and its development tools.
The project is maintained by volunteer programmers around the world, who develop the whole OpenLDAP suite.

Features
LDAPv3 over IPv4 and IPv6;
Simple Authentication and Security Layer (Cyrus SASL);
Transport security (TLS/SSL);
Network-level access control (TCP wrappers);
Multiple database instances;
Multi-threaded;
ACLs;
Replication (slurpd / syncrepl *);
Proxy cache *
* Available from the 2.2 family onward (slurpd was removed in OpenLDAP 2.4; syncrepl replaces it)

Uses
Address book;
Authentication;
Storage of digital certificates (S/MIME);
Storage of public keys (PGP);
Storage of employee information;
...

LDIF – LDAP Data Interchange Format
A text file format used to import and export directory data.
Defined in RFC 2849 (The LDAP Data Interchange Format (LDIF) - Technical Specification).

Structure of the OpenLDAP base

# vi base.ldif
dn: c=BR
objectClass: country
c: BR

dn: o=TheSource,c=BR
objectClass: organization
o: TheSource

dn: ou=Consultoria,o=TheSource,c=BR
objectClass: organizationalUnit
ou: Consultoria

(entries in an LDIF file are separated by a blank line, and each parent must come before its children)

Resulting tree (diagram):
c=BR
  o=TheSource
    ou=Consultoria

User structure

# vi usuario.ldif
dn: uid=mgarcia,ou=Consultoria,o=TheSource,c=BR
objectClass: inetOrgPerson
uid: mgarcia
cn: Marcio Garcia Marcenari
sn: Marcenari
mail: [email protected]
userPassword: {SSHA}ADZXCA!-3210238djk==

(the userPassword value on the slide is a placeholder, not a real {SSHA} hash; generate one with slappasswd)

Resulting tree (diagram):
c=BR
  o=TheSource
    ou=Consultoria
      uid=mgarcia

Overview of the LDAP base (diagram)
c=BR
  o=TheSource
    ou=Consultoria
      uid=mgarcia
  Other possibilities:
  o=FOO
    ou=TI
      uid=foo@foo

Advantages
IPv4/IPv6;
SSL/TLS;
ACLs;
Replication;
Cache;
Multi-threaded;
Backup;
Restore;
Indexing;
Centralized administration...

Centralized administration (diagram slides)

Address book
Company employee information:
Name;
Business phone;
Mobile phone;
Extension;
Work address;
E-mail;
Department;
Job title, etc...

Main precautions with LDAP
Encryption (TLS/SSL, so that binds and search results do not cross the network in clear text);
ACLs (with no access directives at all slapd applies its default policy, "access to * by * read": anyone, anonymous clients included, can read every attribute, userPassword hashes among them, while only the rootdn can write);
Passwords (store only hashed values, generate rootpw with slappasswd, and keep slapd.conf readable only by root and the user slapd runs as);
Firewall (expose ports 389 and 636 only to the hosts that need them), ....

Applications (diagram)

BIND (diagram)

Installation

Prerequisites
openssl
BerkeleyDB
Cyrus-SASL
apache
php4
php4-pear
php4-ldap

Packages
db-4.x.xx.tar.gz
http://www.sleepycat.com/download/index.shtml
cyrus-sasl-2.1.xx.tar.gz
http://asg.web.cmu.edu/cyrus/download/
openldap-2.3.xx.tar.gz
http://www.openldap.org
(check each tarball against the checksum or signature the project publishes next to it before unpacking it)

db-4.x.xx.tar.gz
# tar xzvf db-4.x.xx.tar.gz
# cd db-4.x.xx
# cd build_unix
# ../dist/configure --prefix=/usr/local
# make
# make install
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig -v

cyrus-sasl-2.1.xx.tar.gz
# tar xzvf cyrus-sasl-2.1.xx.tar.gz
# cd cyrus-sasl-2.1.xx
# ./configure
# make
# make install
# ln -s /usr/local/lib/sasl2 /usr/lib

openldap-2.3.xx.tar.gz
# tar xzvf openldap-2.3.xx.tar.gz
# cd openldap-2.3.xx
# ./configure
# make depend
# make
# make install
(run make test before make install, as the OpenLDAP build instructions recommend; if configure does not find the Berkeley DB installed under /usr/local, run it as CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure, and check the configure output to confirm that TLS and SASL support were detected, otherwise the TLS and SASL features listed earlier will not be built)

Configuration

Configuring OpenLDAP – global options
# cd /usr/local/etc/openldap/
# vi slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel 256

Configuring OpenLDAP – database options
# cd /usr/local/etc/openldap/
# vi slapd.conf
database bdb
suffix "c=BR"
rootdn "cn=Manager,c=BR"
rootpw {SSHA}Casdkjahs2198!@#sdkjhasd127
directory /usr/local/var/openldap-data

(the rootpw value on the slide is a placeholder; paste the output of slappasswd instead, and keep slapd.conf readable only by root and the user slapd runs as, since anyone who can read the hash can crack it offline and then bind as the rootdn; note also that this section defines no access directives, so slapd's default policy applies and every attribute is readable by anonymous clients)

Configuring OpenLDAP – search options
# cd /usr/local/etc/openldap/
# vi slapd.conf
index objectClass eq
index cn,sn,mail eq,sub

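The database section above is exactly the configuration the "Main precautions with LDAP" slide warns about: no ACLs, no TLS, and a rootpw sitting in the file. The following is an added example, not code from the workshop or from the OpenLDAP project: a small reviewer script that reads slapd.conf text and reports those gaps. WEAK_CONF mirrors the slide's database section; HARDENED_CONF is an assumed fixed version, with a placeholder rootpw hash and assumed certificate paths, that passes every check. The access-level words and ACL semantics come from slapd.access(5); "=rscx" style privilege lists are not parsed and are reported for manual review.

```python
"""Lint a slapd.conf for the precautions listed on the slides.

Added example, not part of the workshop: reports no ACL shielding
userPassword, clear-text rootpw, no TLS certificate, no minimum security
strength, anonymous binds allowed, and a userPassword ACL placed after
"access to *" (slapd stops at the first matching "to" clause).
"""
import re
from typing import Dict, List

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
EVERYONE = {"*", "anonymous", "users"}  # <who> clauses that include strangers

WEAK_CONF = """\
database bdb
suffix "c=BR"
rootdn "cn=Manager,c=BR"
rootpw secret123
directory /usr/local/var/openldap-data
"""

HARDENED_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
security ssf=128
disallow bind_anon
password-hash {SSHA}

database bdb
suffix "c=BR"
rootdn "cn=Manager,c=BR"
# placeholder value; paste the output of slappasswd here
rootpw {SSHA}6Y8eN9Aif5fZ3qBtqzHRGl+EFjdZaSHh
directory /usr/local/var/openldap-data

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none
"""


def _logical_lines(conf: str) -> List[str]:
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    out: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def _classify_access(value: str, findings: List[str]) -> str:
    """Return 'password', 'catchall' or 'other' for one access directive."""
    m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", value)
    if not m:
        return "other"
    what, clauses = m.group(1), m.group(2)
    if what == "*":
        return "catchall"
    if "userpassword" not in what.lower():
        return "other"
    for clause in re.split(r"\s+by\s+", clauses):
        tokens = clause.split()
        if tokens and tokens[-1] in ("stop", "break", "continue"):
            tokens.pop()  # control-flow keyword, not an access level
        if len(tokens) < 2:
            continue
        who, level = " ".join(tokens[:-1]), tokens[-1]
        if level not in LEVELS or (who in EVERYONE and LEVELS.index(level) > LEVELS.index("auth")):
            findings.append(f"userPassword: clause '{who} {level}' may let strangers read hashes for offline cracking")
    return "password"


def lint_slapd_conf(conf: str) -> List[str]:
    """Return the findings for one slapd.conf text; an empty list passes."""
    findings: List[str] = []
    directives: Dict[str, List[str]] = {}
    catchall_seen = password_acl_seen = False
    for line in _logical_lines(conf):
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
        if key != "access":
            continue
        kind = _classify_access(value, findings)
        if kind == "catchall":
            catchall_seen = True
        elif kind == "password":
            password_acl_seen = True
            if catchall_seen:
                findings.append("the userPassword ACL comes after 'access to *', so it never applies")
    if any(not v.startswith("{") for v in directives.get("rootpw", [])):
        findings.append("rootpw is stored in clear text; paste the output of slappasswd instead")
    if not password_acl_seen:
        findings.append("no ACL on userPassword: the default policy (access to * by * read) exposes the hashes to anonymous clients")
    if "tlscertificatefile" not in directives:
        findings.append("no TLSCertificateFile: TLS cannot be negotiated, so binds cross the network in clear text")
    if "security" not in directives:
        findings.append("no security directive: clear-text (ssf=0) simple binds are accepted")
    if not any("bind_anon" in v.split() for v in directives.get("disallow", [])):
        findings.append("anonymous binds are allowed (no 'disallow bind_anon')")
    return findings


if __name__ == "__main__":
    print(*(lint_slapd_conf(WEAK_CONF) or ["no findings"]), sep="\n")
```

The "by anonymous auth" clause is what lets a simple bind compare the supplied password without ever returning the hash, which is why it coexists with "disallow bind_anon": the latter refuses anonymous sessions, not the password check that every bind starts with.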
Starting OpenLDAP
# /usr/local/libexec/slapd
# ps wax | grep slapd
551 ? Ss /usr/local/libexec/slapd
552 ? S /usr/local/libexec/slapd
553 ? S /usr/local/libexec/slapd
(older Linux thread implementations list each slapd thread as its own process, which is why three entries appear; started this way slapd runs as root and listens on port 389 on every interface, so in production use -u and -g to run it as an unprivileged user and -h to choose the listeners, for example -h "ldap://127.0.0.1/ ldaps:///")

(base.ldif and usuario.ldif are shown again at this point, unchanged from the base.ldif and usuario.ldif slides above)

Importing the entries
# ldapadd -x -W -v -D 'cn=Manager,c=BR' -f base.ldif
# ldapadd -x -W -v -D 'cn=Manager,c=BR' -f usuario.ldif
(base.ldif must go first because a parent entry has to exist before its children; -x -W performs a simple bind, which sends the rootdn password in clear text, so against a remote server add -Z for StartTLS or -H ldaps://host/ once TLS is configured)

Overview of the LDAP base (diagram)
c=BR
  o=TheSource
    ou=Consultoria
      uid=mgarcia
  Other possibilities:
  o=FOO
    ou=TI
      uid=foo@foo

Querying the OpenLDAP base
# ldapsearch -x -b c=BR                  searches the whole base
# ldapsearch -x -b c=BR '(uid=mgarcia)'  searches for the user mgarcia
(the search filter is the positional argument; the slide's form "-u uid=mgarcia" works only by accident, because -u takes no argument and merely adds the user-friendly form of each DN to the output)

Backup / restore of the base

Backup
# ldapsearch -x -b c=BR -LLL > base_bkp.ldif
Restore
# ldapadd -x -W -v -D 'cn=Manager,c=BR' -f base_bkp.ldif

Caveats: the backup above is an anonymous search, so it contains only what anonymous clients may read (with ACLs that hide userPassword it will not contain the password hashes at all), and ldapadd fails on any entry that already exists in the target. For a complete and consistent copy use slapcat, which reads the database files directly and also writes the operational attributes, and restore it with slapadd into an empty database directory while slapd is stopped.

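Both the LDIF slide and the backup/restore slide above deal with the same file format, so this one added example (not code from the workshop or from the OpenLDAP project) serves both: a small reader for the content LDIF that ldapsearch -LLL and slapcat write (RFC 2849 folded lines, base64 "::" values, comments), followed by the two fixes a restore with ldapadd usually needs, parents ordered before children and the operational attributes that slapcat emits stripped out, plus the naming check slapd applies on add. SAMPLE_DUMP is constructed for the example: it lists the child entry first and carries slapcat-style attributes; the base64 userPassword value decodes to the placeholder string "{SSHA}fake".

```python
"""Read an LDIF dump and prepare it for a restore with ldapadd.

Added example, not from the workshop: parses content LDIF, orders parents
before children, strips the operational attributes slapcat emits (ldapadd
rejects them) and serializes the result. SAMPLE_DUMP is constructed.
"""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute -> values; "dn" is parsed first

# attributes slapcat writes that a client is not allowed to add
OPERATIONAL = {"structuralobjectclass", "entryuuid", "entrycsn", "contextcsn",
               "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp"}

SAMPLE_DUMP = """\
# constructed sample: child listed first, with slapcat-style attributes
dn: uid=mgarcia,ou=Consultoria,o=TheSource,c=BR
objectClass: inetOrgPerson
uid: mgarcia
cn: Marcio Garcia Marcenari
sn: Marcenari
userPassword:: e1NTSEF9ZmFrZQ==
description: a value folded ov
 er two lines
entryUUID: 0f2c9f1e-0000-1000-8000-000000000001
entryCSN: 20220515120000.000000Z#000000#000#000000

dn: c=BR
objectClass: country
c: BR

dn: o=TheSource,c=BR
objectClass: organization
o: TheSource

dn: ou=Consultoria,o=TheSource,c=BR
objectClass: organizationalUnit
ou: Consultoria
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse content LDIF into entries, in file order."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:               # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(name, []).append(value)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs; an escaped comma does not split."""
    return re.split(r"(?<!\\),", dn)


def sort_for_restore(entries: List[Entry]) -> List[Entry]:
    """Parents before children, so ldapadd never meets a missing parent."""
    return sorted(entries, key=lambda e: len(split_dn(e["dn"][0])))


def strip_operational(entry: Entry) -> Entry:
    """Drop the attributes slapcat adds and ldapadd rejects."""
    return {k: v for k, v in entry.items() if k.lower() not in OPERATIONAL}


def check_naming(entry: Entry) -> List[str]:
    """slapd's add-time check: the RDN attribute value must be present in the entry."""
    dn = entry["dn"][0]
    attr, _, val = split_dn(dn)[0].partition("=")
    present = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return [] if val in present else [f"{dn}: naming attribute {attr}={val} not present in the entry"]


def to_ldif(entries: List[Entry]) -> str:
    """Serialize back to content LDIF, base64-encoding values that are not safe strings."""
    blocks = []
    for entry in entries:
        lines = []
        for name, values in entry.items():
            for v in values:
                safe = v.isascii() and v.isprintable() and v[:1] not in (" ", ":", "<")
                lines.append(f"{name}: {v}" if safe
                             else f"{name}:: {base64.b64encode(v.encode()).decode()}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    ready = [strip_operational(e) for e in sort_for_restore(parse_ldif(SAMPLE_DUMP))]
    for e in ready:
        for problem in check_naming(e):
            print("would be rejected:", problem)
    print(to_ldif(ready), end="")
```

Feed the printed LDIF to ldapadd -f; attributes with "attr:< file://" URL values, which ldapsearch never writes, are not handled by this reader.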
Indexing the OpenLDAP base
# slapindex -v
Some precautions:
Do not interrupt the indexing;
Nothing may modify the base while it is being indexed (stop slapd first, and run slapindex as the user slapd runs as, so that the index files keep the right ownership);
There must be no power loss.
Advantages:
Makes searches faster... more effective...
(index directives added to slapd.conf after data has been loaded only take effect for that data once slapindex has been run)

phpLDAPadmin

Packages
phpldapadmin-0.9.x.tar.gz
http://phpldapadmin.sourceforge.net
# tar xzvf phpldapadmin-0.9.x.tar.gz -C /var/www/webmail
# cd /var/www/webmail
# mv phpldapadmin-0.9.x adm
# cd adm
# cp config.php.example config.php
# vi config.php
Note: follow the instructions inside the configuration file.
# cd ..
# chown -R www-data: adm
Note: chown -R www-data: makes the web server the owner of the application's own code, which it only needs to read; root-owned, group-readable files with write access granted only where the application's documentation requires it are the safer default. Since phpLDAPadmin writes to the directory with whatever credentials are typed into it, serve it over HTTPS only and restrict who can reach it.

Tuning
DB_CONFIG
http://www.sleepycat.com/docs/ref/env/db_config.html
http://www.openldap.org/faq/index.cgi?file=2
Where should the DB_CONFIG file be created?
In the database directory:
# touch /usr/local/var/openldap-data/DB_CONFIG
Note: after creating the file, slapd must be restarted, because the Berkeley DB environment reads DB_CONFIG only when it is opened. An empty file changes nothing; the cache-size and log settings to put in it are described at the two links above.