LDAP

From YobiWiki

Misc

apt-get install slapd phpldapadmin ldap-utils
slappasswd -> create a root pwd string
edit /etc/ldap/slapd.conf -> enable rootdn and add rootpw "{SHA}xxxx"
private:/etc/ldap# cat create_struct.ldif 
dn: dc=addressbook,dc=yobi,dc=be
description: Yobi's addressbook
objectClass: domain
objectClass: top
dc: addressbook

dn: dc=groups,dc=yobi,dc=be
description: Users groups
objectClass: domain
dc: groups

dn: dc=users,dc=yobi,dc=be
description: Users
objectClass: domain
dc: users

ldapadd -c -x -D "cn=admin,dc=yobi,dc=be" -W -f create_struct.ldif

... users groups books

/usr/lib/cgi-bin/pwab.cgi
/var/www/styles/pwab.css
/etc/pwab/config.pl

# For pwab
AddHandler cgi-script .cgi
<Directory "/var/www/pwab">
    Options +ExecCGI
</Directory>

apt-get install libnet-ldap-perl
.htaccess

add the schemas /etc/ldap/schema/mozillaAbPersonAlpha.schema and
                /etc/ldap/schema/walrantMozillaAbPerson.schema
/etc/ldap/slapd.conf:
#include         /etc/ldap/schema/mozillaAbPersonAlpha.schema
include         /etc/ldap/schema/walrantMozillaAbPerson.schema

ACLs...

BASE DN dc=addressbook,dc=yobi,dc=be
BIND DN cn=phil,dc=users,dc=yobi,dc=be

mozimport.pl

#!/usr/bin/perl
# mozimport.pl: rewrite a Mozilla/Thunderbird address-book LDIF export so it
# can be added with ldapadd under $dest, using the schemas included above.

use strict;
use MIME::Base64;
die "Usage: $0 <file>" unless $ARGV[0];
my $dest = "ou=import,ou=phil,dc=addressbook,dc=yobi,dc=be";
my @t;    # one hash per entry: attr => value, plus attr.'charset' => 1 if base64
open (my $fh,$ARGV[0]) or die "Cannot open file $ARGV[0]: $!";
while (<$fh>) {
    # drop attributes that are regenerated below or not wanted in the target schema
    next if m/^modifytimestamp:/i;
    next if m/^mozillaDefaultEmail/i;
    next if m/^mozillaCustom4/i;
    next if m/^objectclass/i;
    next unless m/([^:]+):(.*)/;
    my $attr = $1;
    my $val = $2;
    $#t++ if m/^dn/;    # a dn line starts a new entry
    warn "attr already exists: $attr" if $t[$#t]->{$attr};
    if ( $val =~ m/^:/ ) {
	# "attr:: <base64>": decode it and remember that it must be re-encoded
	$val = decode_base64(substr($val,2));
	$t[$#t]->{$attr . 'charset'} = 1;
    } else {
	$val = substr($val,1);    # strip the space after the colon
    }
    $t[$#t]->{$attr} = $val;
}
close($fh);
foreach (@t) {
    # no sn: use givenName as sn so that cn (and thus the dn) is never empty
    unless ($_->{'sn'}) {
	$_->{'sn'} = $_->{'givenName'};
	$_->{'givenName'} = "-";
    }
    # rebuild cn and dn from sn/givenName; the exported dn is discarded
    $_->{'cn'} = $_->{'sn'} . " " . $_->{'givenName'};
    $_->{'cn'.'charset'} = $_->{'sn'.'charset'} + $_->{'givenName'.'charset'};
    $_->{'dn'} = 'cn=' . $_->{'cn'} . ',' . $dest;
    $_->{'dn'.'charset'} = $_->{'cn'.'charset'};
    # re-encode every value that came in as base64 or was built from one
    foreach my $i (keys %{$_}) {
	next if $i =~ m/charset/;
	if ($_->{$i.'charset'}) {
	    $_->{$i} = encode_base64($_->{$i});
	    $_->{$i} =~ s/[\n\r]//g;
	}
    }
    my $h = '';
    $h = ':' if $_->{'dn'.'charset'};
    print "dn:$h $_->{dn}\n";
    print "objectclass: top\n";
    print "objectclass: person\n";
    print "objectclass: organizationalPerson\n";
    print "objectclass: inetOrgPerson\n";
    print "objectclass: mozillaAbPersonAlpha\n";
    print "objectclass: walrantMozillaAbPerson\n";

    foreach my $i (keys %{$_}) {
	next if $i =~ m/charset/;
	next if $i =~ m/dn/;
	my $h='';
	if ($_->{$i.'charset'}) {
	    $h=':';
	}
	print "$i:$h $_->{$i}\n";
    }
    print "\n";
}
exit;

# Separate snippet (left after the exit above; presumably meant to be run as a
# perl -n filter over an existing LDIF): add walrantMozillaAbPerson after every
# mozillaAbPersonAlpha objectclass line and pass everything else through.
while (<>) {
    if ( m/objectclass: mozillaAbPersonAlpha/ ) {
	print;
	print "objectclass: walrantMozillaAbPerson\n";
	next;
    }
    print;
}
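As an added example (not the page's script and not part of the pwab project), the same conversion in Python, extended where the Perl above is thin: it unfolds RFC 2849 continuation lines, switches to base64 whenever a value is not a SAFE-STRING rather than only when the input was base64, and escapes the cn per RFC 4514 so a surname containing a comma cannot alter the resulting dn. Only the destination subtree and the object classes are taken from the script; everything else is assumed.

```python
import base64, re, sys

DEST = "ou=import,ou=phil,dc=addressbook,dc=yobi,dc=be"  # from the page's script; adjust to your DIT
SKIP = {"modifytimestamp", "mozilladefaultemail", "mozillacustom4", "objectclass"}
CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson",
           "mozillaAbPersonAlpha", "walrantMozillaAbPerson")

def parse_ldif(text):
    """One {attr: value} dict per record (single-valued, as in the page's script)."""
    text = re.sub(r"\r?\n ", "", text)            # unfold RFC 2849 continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
            if not m or m.group(1).lower() in SKIP:
                continue
            attr, sep, val = m.groups()
            rec[attr] = base64.b64decode(val).decode("utf-8") if sep == "::" else val
        if "dn" in rec:
            records.append(rec)
    return records

def escape_rdn_value(value):
    """RFC 4514 escaping so a cn containing ',' or '+' cannot alter the DN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    out = "\\" + out if out[:1] in ("#", " ") else out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when value is not an RFC 2849 SAFE-STRING."""
    if value.isascii() and value[:1] not in (" ", ":", "<") and not re.search(r"[\r\n\0]", value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode('ascii')}"

def convert(text, dest=DEST):
    """Rewrite a Mozilla address-book LDIF export for ldapadd under dest."""
    out = []
    for rec in parse_ldif(text):
        rec.pop("dn")
        if not rec.get("sn"):                       # page's rule: no sn -> use givenName
            rec["sn"], rec["givenName"] = rec.get("givenName", "-"), "-"
        rec["cn"] = f"{rec['sn']} {rec.get('givenName', '-')}"
        out.append(ldif_line("dn", f"cn={escape_rdn_value(rec['cn'])},{dest}"))
        out += [f"objectclass: {c}" for c in CLASSES]
        out += [ldif_line(a, v) for a, v in rec.items()] + [""]
    return "\n".join(out)

if __name__ == "__main__":
    sys.stdout.write(convert(sys.stdin.read()))
```

Usage: `python3 mozimport.py < export.ldif > import.ldif`, then `ldapadd -c -x -D ... -W -f import.ldif` as above.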

Bugs

  • moving a card to a directory where an entry with the same dn already exists
  • Mozilla autocompletion -> account settings -> choose the LDAP server explicitly, not via the default LDAP setting

TLS

To offer LDAPS on the public address and plain LDAP only on the loopback address (for phpLdapAdmin and pwab), edit /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1/ ldaps://<public_ip>/"

Edit /etc/ldap/slapd.conf and add:

include /etc/ldap/tls.conf

Create /etc/ldap/tls.conf. Here I simply reuse the certificate and key created for Apache:

TLSCertificateFile /etc/apache2/ssl/www_yobi_be.crt
TLSCertificateKeyFile /etc/apache2/ssl/www_yobi_be.key
TLSVerifyClient never

Now it works through TLS for Mozilla Thunderbird.