Administrace komentářů

Zdravim,

pochybuju, ze ti to v tehle forme k necemu bude. OpenLdap se nekonfiguruje pomoci ldap.conf souboru, ale prostrednictvim samostatne konfiguracni datatabaze cn=config. Vyhod je plno, mezi hlavni patri napriklad moznost zmeny konfigurace za behu serveru (nektera nastaveni jdou, nektera nejdou) a take moznost replikace konfigurace (kazda zmena konfigurace se projevi na vsech serverech). Prikladam export sve cn=config databaze pomoci 'slapcat' ze ktereho jsem musel rucne odstranit vsechny citlive udaje, predpokladam, ze tam po me zbyly nejake syntakticke chyby a zadne citlive udaje ;).

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1 ldap://first.domain.tld
olcServerID: 2 ldap://second.domain.tld
olcServerID: 3 ldap://thirst.domain.tld
olcTLSCACertificateFile: /etc/ldap/server.pem
olcTLSCertificateFile: /etc/ldap/server.pem
olcTLSCertificateKeyFile: /etc/ldap/server.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}refint
olcModuleLoad: {2}syncprov
olcModuleLoad: {3}memberof
olcModulePath: /usr/lib/ldap

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcMirrorMode: TRUE
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}asdfasdfasdfasdf
olcSyncrepl: {0}rid=1 provider=ldap://first.domain.tld binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry=
"5 5 300 5" timeout=1
olcSyncrepl: {1}rid=2 provider=ldap://second.domain.tld binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry
="5 5 300 5" timeout=1
olcSyncrepl: {2}rid=3 provider=ldap://thirst.domain.tld binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry
="5 5 300 5" timeout=1

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=domain2,dc=tld" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=domain2,dc=tld" write by users read by * auth
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: memberOf eq
olcDbIndex: uid eq
olcLastMod: TRUE
olcMirrorMode: TRUE
olcRootDN: cn=admin,dc=domain2,dc=tld
olcRootPW: {SSHA}sdfasdfasdfasdfasdf
olcSuffix: dc=domain2,dc=tld
olcSyncrepl: {0}rid=1 provider=ldap://first.domain.tld binddn="cn=admin,dc=domain2,dc=tld" bindmethod=simple credentials=password searchbase="dc=domain2,dc=tld" type=refresh
Only interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=2 provider=ldap://second.domain.tld binddn="cn=admin,dc=domain2,dc=tld" bindmethod=simple credentials=password searchbase=" dc=domain2,dc=tld" type=refres
hOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: {2}rid=3 provider=ldap://thirst.domain.tld binddn="cn=admin,dc=domain2,dc=tld" bindmethod=simple credentials=password searchbase="dc=domain2,dc=tld" type=refres
hOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1

dn: olcOverlay={0}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {0}refint
olcRefintAttribute: member
olcRefintAttribute: memberOf
olcRefintModifiersName: cn=admin,dc=domain2,dc=tld
olcRefintNothing: cn=admin,dc=domain2,dc=tld

dn: olcOverlay={1}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

dn: olcOverlay={2}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {2}memberof

A jeste varovani na zaver. Pokud uz se ti to podari copypastovat a oeditovat tak, aby to odpovidalo tvym predstavam, tak si dej pozor a nestav na tom zadne reseni do doby, nez tomu budes rozumnet. LDAP je infrastrukturalni zalezitost na ktere stoji obvykle rada dalsich sluzeb. Jeji neznalosti si zadelavas na problemy. Pokud uz chces LDAP provozovat a nerozumnet mu, tak doporucuju pouzit treba Red Hat Directory Server (resp. CentOS), ktery ma klikatko a je to easy. Podobne treba 389 z Fedory.

Enjoy!