хранение_учетных_записей_unix_в_ldap [2019/01/28 13:02] val [Модификация информации в ldap каталоге] |
хранение_учетных_записей_unix_в_ldap [2021/10/12 12:38] val [Использование migrationtools] |
Line 9: | Line 9: | ||
===== Импорт данных в каталог ===== | ===== Импорт данных в каталог ===== | ||
+ | |||
+ | ==== Описание элементов схемы ==== | ||
* [[http://oav.net/mirrors/LDAP-ObjectClasses.html|Common LDAP schemas]] | * [[http://oav.net/mirrors/LDAP-ObjectClasses.html|Common LDAP schemas]] | ||
- | ==== Импорт данных про организацию ==== | + | ==== Импорт данных про организацию и структуру ==== |
- | === Debian/Ubuntu === | + | !!! Объект dc=corpX,dc=un создается автоматически при инсталляции из dcObject наследуется атрибут dc, из organization наследуется атрибут o |
- | + | ||
- | !!! Объект dc=corpX,dc=un создается автоматически при инсталляции !!! | + | |
- | + | ||
- | === FreeBSD === | + | |
<code> | <code> | ||
server# cat organization.ldif | server# cat organization.ldif | ||
</code><code> | </code><code> | ||
- | dn: dc=corpX,dc=un | + | #dn: dc=corpX,dc=un |
- | objectClass: dcObject | + | #objectClass: dcObject |
- | objectClass: organization | + | #objectClass: organization |
- | o: Corporation X | + | #o: Corporation X |
- | dc: corpX | + | #dc: corpX |
- | </code> | + | |
- | Из dcObject наследуется атрибут dc | + | dn: ou=People,dc=corpX,dc=un |
- | + | objectClass: organizationalUnit | |
- | Из organization наследуется атрибут o | + | ou: People |
+ | dn: ou=Group,dc=corpX,dc=un | ||
+ | objectClass: organizationalUnit | ||
+ | ou: Group | ||
+ | </code> | ||
<code> | <code> | ||
server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f organization.ldif | server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f organization.ldif | ||
- | </code> | ||
- | |||
- | ==== Импорт данных описывающих структуру организации ==== | ||
- | <code> | ||
- | server# cat orgstructure.ldif | ||
- | </code><code> | ||
- | dn: ou=users,dc=corpX,dc=un | ||
- | objectClass: organizationalUnit | ||
- | ou: users | ||
- | |||
- | dn: ou=groups,dc=corpX,dc=un | ||
- | objectClass: organizationalUnit | ||
- | ou: groups | ||
- | </code><code> | ||
- | server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f orgstructure.ldif | ||
</code> | </code> | ||
Line 61: | Line 47: | ||
* [[http://www.padl.com/OSS/MigrationTools.html|MigrationTools]] | * [[http://www.padl.com/OSS/MigrationTools.html|MigrationTools]] | ||
+ | * [[https://wiki.debian.org/LDAP/MigrationTools|Migrating /etc Flat File Databases to LDAP]] | ||
+ | * [[#Использование migrationtools]] | ||
<code> | <code> | ||
server# cat passwdgroup.ldif | server# cat passwdgroup.ldif | ||
</code><code> | </code><code> | ||
- | dn: cn=user1,ou=groups,dc=corpX,dc=un | + | dn: cn=user1,ou=Group,dc=corpX,dc=un |
objectClass: posixGroup | objectClass: posixGroup | ||
cn: user1 | cn: user1 | ||
gidnumber: 10001 | gidnumber: 10001 | ||
- | dn: cn=user2,ou=groups,dc=corpX,dc=un | + | dn: cn=user2,ou=Group,dc=corpX,dc=un |
objectClass: posixGroup | objectClass: posixGroup | ||
cn: user2 | cn: user2 | ||
gidnumber: 10002 | gidnumber: 10002 | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
objectClass: inetOrgPerson | objectClass: inetOrgPerson | ||
objectClass: posixAccount | objectClass: posixAccount | ||
uid: user1 | uid: user1 | ||
sn: Ivanov | sn: Ivanov | ||
- | cn: Ivanov Ivan Ivanovitch | + | cn: Ivan Ivanovitch Ivanov |
- | gecos: Ivanov Ivan Ivanovitch,RA7,401,499-239-45-23 | + | gecos: Ivan Ivanovitch Ivanov,RA7,401,499-239-45-23 |
uidNumber: 10001 | uidNumber: 10001 | ||
gidNumber: 10001 | gidNumber: 10001 | ||
Line 88: | Line 76: | ||
userpassword: * | userpassword: * | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
objectClass: inetOrgPerson | objectClass: inetOrgPerson | ||
objectClass: posixAccount | objectClass: posixAccount | ||
uid: user2 | uid: user2 | ||
sn: Petrov | sn: Petrov | ||
- | cn: Petrov Petr Petrovitch | + | cn: Petr Petrovitch Petrov |
- | gecos: Petrov Petr Petrovitch,RA7,402,499-323-55-53 | + | gecos: Petr Petrovitch Petrov,RA7,402,499-323-55-53 |
uidnumber: 10002 | uidnumber: 10002 | ||
gidnumber: 10002 | gidnumber: 10002 | ||
Line 101: | Line 89: | ||
userpassword: * | userpassword: * | ||
- | dn: cn=group1,ou=groups,dc=corpX,dc=un | + | dn: cn=group1,ou=Group,dc=corpX,dc=un |
cn: group1 | cn: group1 | ||
gidNumber: 15001 | gidNumber: 15001 | ||
Line 120: | Line 108: | ||
==== Удаление информации из ldap каталога ==== | ==== Удаление информации из ldap каталога ==== | ||
<code> | <code> | ||
- | server# ldapdelete -x -D "cn=admin,dc=corpX,dc=un" -w secret "uid=user1,ou=users,dc=corpX,dc=un" | + | server# ldapdelete -x -D "cn=admin,dc=corpX,dc=un" -w secret "uid=user1,ou=People,dc=corpX,dc=un" |
</code> | </code> | ||
==== Модификация информации в ldap каталоге ===== | ==== Модификация информации в ldap каталоге ===== | ||
+ | |||
+ | ==== Пример назначения номеров телефонов и адресов email ==== | ||
<code> | <code> | ||
server:~# cat addmailphone.ldif | server:~# cat addmailphone.ldif | ||
</code><code> | </code><code> | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: telephoneNumber | add: telephoneNumber | ||
telephoneNumber: 401 | telephoneNumber: 401 | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: mail | add: mail | ||
mail: user1@corpX.un | mail: user1@corpX.un | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: telephoneNumber | add: telephoneNumber | ||
telephoneNumber: 402 | telephoneNumber: 402 | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: mail | add: mail | ||
Line 148: | Line 138: | ||
</code><code> | </code><code> | ||
server# ldapmodify -x -D "cn=admin,dc=corpX,dc=un" -w secret -f addmailphone.ldif | server# ldapmodify -x -D "cn=admin,dc=corpX,dc=un" -w secret -f addmailphone.ldif | ||
- | </code></code> | + | </code> |
- | client1:~# cat addunixattr.ldif | + | |
+ | ==== Пример назначения UNIX атрибутов в Microsoft AD ==== | ||
+ | |||
+ | !!! Объекты guser1, guser2 и group1 должны быть созданы заранее | ||
+ | |||
+ | <code> | ||
+ | gate:~# cat addunixattr.ldif | ||
+ | </code><code> | ||
+ | #==== add and set attr to user1 ==== | ||
dn: CN=guser1,CN=Users,DC=corpX,DC=un | dn: CN=guser1,CN=Users,DC=corpX,DC=un | ||
changetype: modify | changetype: modify | ||
add: gidNumber | add: gidNumber | ||
gidNumber: 10001 | gidNumber: 10001 | ||
- | |||
- | dn: CN=guser2,CN=Users,DC=corpX,DC=un | ||
- | changetype: modify | ||
- | add: gidNumber | ||
- | gidNumber: 10002 | ||
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un | dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un | ||
Line 179: | Line 173: | ||
add: loginShell | add: loginShell | ||
loginShell: /bin/sh | loginShell: /bin/sh | ||
+ | |||
+ | #==== add and set attr to user2 ==== | ||
+ | |||
+ | dn: CN=guser2,CN=Users,DC=corpX,DC=un | ||
+ | changetype: modify | ||
+ | add: gidNumber | ||
+ | gidNumber: 10002 | ||
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un | dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un | ||
Line 199: | Line 200: | ||
add: loginShell | add: loginShell | ||
loginShell: /bin/sh | loginShell: /bin/sh | ||
+ | |||
+ | #==== add and set attr to group1 ==== | ||
+ | |||
+ | dn: CN=group1,CN=Users,DC=corpX,DC=un | ||
+ | changetype: modify | ||
+ | add: gidNumber | ||
+ | gidNumber: 15001 | ||
+ | |||
+ | dn: CN=group1,CN=Users,DC=corpX,DC=un | ||
+ | changetype: modify | ||
+ | add: memberUid | ||
+ | memberUid: user1 | ||
+ | |||
+ | dn: CN=group1,CN=Users,DC=corpX,DC=un | ||
+ | changetype: modify | ||
+ | add: memberUid | ||
+ | memberUid: user2 | ||
</code><code> | </code><code> | ||
- | client1:~# export LDAPTLS_REQCERT=never | + | gate:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -f addunixattr.ldif |
+ | </code> | ||
+ | |||
+ | ===== Использование migrationtools ===== | ||
+ | <code> | ||
+ | # apt install migrationtools | ||
+ | |||
+ | # cat /etc/migrationtools/migrate_common.ph | ||
+ | </code><code> | ||
+ | ... | ||
+ | $DEFAULT_MAIL_DOMAIN = "corpX.un"; | ||
+ | ... | ||
+ | $DEFAULT_BASE = "dc=corpX,dc=un"; | ||
+ | ... | ||
+ | $EXTENDED_SCHEMA = 1; | ||
+ | ... | ||
+ | $IGNORE_UID_BELOW = 1000; | ||
+ | $IGNORE_GID_BELOW = 1000; | ||
+ | ... | ||
+ | $IGNORE_UID_ABOVE = 65500; | ||
+ | $IGNORE_GID_ABOVE = 65500; | ||
+ | ... | ||
+ | </code><code> | ||
+ | # ln -s /etc/migrationtools/migrate_common.ph /etc/perl/migrate_common.ph | ||
+ | |||
+ | # /usr/share/migrationtools/migrate_passwd.pl /etc/passwd | tee users.ldif | ||
+ | !!! удалить все про krb5 | ||
+ | |||
+ | # ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f users.ldif | ||
+ | |||
+ | # /usr/share/migrationtools/migrate_group.pl /etc/group | tee groups.ldif | ||
- | client1:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corp6,dc=un" -W -H ldaps://server -f addunixattr.ldif | + | # ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f groups.ldif |
</code> | </code> |
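Review bot: The new AD example in the "Line 148 / Line 138" hunk changes the transport from `ldaps://server` to `ldap://server` (together with dropping `export LDAPTLS_REQCERT=never`), so the `-x` simple bind as `cn=Administrator` now sends the password prompted by `-W` in cleartext to the domain controller; the old `LDAPTLS_REQCERT=never` was itself weak (no certificate validation), but removing TLS entirely is a step backwards. I would keep the encrypted transport and validate the server certificate instead, e.g. `gate:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldaps://server -f addunixattr.ldif` with the AD CA configured as `TLS_CACERT` in ldap.conf, or `-H ldap://server -ZZ` to require StartTLS. The same hunk also repeats `-w secret` on the command line in the new `ldapadd` calls of the migrationtools section, which leaves the admin password in shell history and `ps` output; `-W` or `-y <password-file>` avoids that. Since `migrate_passwd.pl /etc/passwd` is run as root, `users.ldif` is likely to contain `userPassword` hashes taken from /etc/shadow (not shown on the page, so worth confirming), and the note `!!! удалить все про krb5` could be extended to say that the generated file must be kept with restrictive permissions and removed after import.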