хранение_учетных_записей_unix_в_ldap [2021/01/13 19:45] val |
хранение_учетных_записей_unix_в_ldap [2021/03/31 12:06] val [Пример назначения UNIX атрибутов в Microsoft AD] |
Line 14: | Line 14: | ||
* [[http://oav.net/mirrors/LDAP-ObjectClasses.html|Common LDAP schemas]] | * [[http://oav.net/mirrors/LDAP-ObjectClasses.html|Common LDAP schemas]] | ||
- | ==== Импорт данных про организацию ==== | + | ==== Импорт данных про организацию и структуру ==== |
- | === Debian/Ubuntu === | + | !!! Объект dc=corpX,dc=un создается автоматически при инсталляции из dcObject наследуется атрибут dc, из organization наследуется атрибут o |
- | + | ||
- | !!! Объект dc=corpX,dc=un создается автоматически при инсталляции !!! | + | |
- | + | ||
- | === FreeBSD === | + | |
<code> | <code> | ||
server# cat organization.ldif | server# cat organization.ldif | ||
</code><code> | </code><code> | ||
- | dn: dc=corpX,dc=un | + | #dn: dc=corpX,dc=un |
- | objectClass: dcObject | + | #objectClass: dcObject |
- | objectClass: organization | + | #objectClass: organization |
- | o: Corporation X | + | #o: Corporation X |
- | dc: corpX | + | #dc: corpX |
- | </code> | + | |
- | Из dcObject наследуется атрибут dc | + | dn: ou=People,dc=corpX,dc=un |
- | + | objectClass: organizationalUnit | |
- | Из organization наследуется атрибут o | + | ou: People |
+ | dn: ou=Group,dc=corpX,dc=un | ||
+ | objectClass: organizationalUnit | ||
+ | ou: Group | ||
+ | </code> | ||
<code> | <code> | ||
server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f organization.ldif | server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f organization.ldif | ||
- | </code> | ||
- | |||
- | ==== Импорт данных описывающих структуру организации ==== | ||
- | <code> | ||
- | server# cat orgstructure.ldif | ||
- | </code><code> | ||
- | dn: ou=users,dc=corpX,dc=un | ||
- | objectClass: organizationalUnit | ||
- | ou: users | ||
- | |||
- | dn: ou=groups,dc=corpX,dc=un | ||
- | objectClass: organizationalUnit | ||
- | ou: groups | ||
- | </code><code> | ||
- | server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f orgstructure.ldif | ||
</code> | </code> | ||
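Review bot: The `ldapadd` invocation kept on the new side still passes the directory manager's bind password on the command line (`-w secret`), where it lands in the shell history and is visible to every local user through `ps`/`/proc` for as long as the command runs. Since the other commands on this page already use `-W` to prompt, make this one consistent: `server# ldapadd -x -D "cn=admin,dc=corpX,dc=un" -W -f organization.ldif`, or `-y /root/ldap-admin.pw` with a mode-0600 file for unattended use. The commented-out `dc=corpX,dc=un` record in the LDIF is fine as documentation, but a reader may not notice that the first non-comment `dn:` is now `ou=People`; a one-line comment such as `# base entry is created by the package installer, only the OUs are added here` above it would make that explicit.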
Line 69: | Line 53: | ||
server# cat passwdgroup.ldif | server# cat passwdgroup.ldif | ||
</code><code> | </code><code> | ||
- | dn: cn=user1,ou=groups,dc=corpX,dc=un | + | dn: cn=user1,ou=Group,dc=corpX,dc=un |
objectClass: posixGroup | objectClass: posixGroup | ||
cn: user1 | cn: user1 | ||
gidnumber: 10001 | gidnumber: 10001 | ||
- | dn: cn=user2,ou=groups,dc=corpX,dc=un | + | dn: cn=user2,ou=Group,dc=corpX,dc=un |
objectClass: posixGroup | objectClass: posixGroup | ||
cn: user2 | cn: user2 | ||
gidnumber: 10002 | gidnumber: 10002 | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
objectClass: inetOrgPerson | objectClass: inetOrgPerson | ||
objectClass: posixAccount | objectClass: posixAccount | ||
Line 92: | Line 76: | ||
userpassword: * | userpassword: * | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
objectClass: inetOrgPerson | objectClass: inetOrgPerson | ||
objectClass: posixAccount | objectClass: posixAccount | ||
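Review bot: The context line `userpassword: *` for user2 (and the same line in the user1 record above this hunk) is presumably meant to lock the account, but on OpenLDAP a `userPassword` value without a `{scheme}` prefix is compared as cleartext, so as written a simple bind with the literal password `*` would succeed — confirm whether real hashes are set in a later step on this page. If the intent is "no password yet", omit the attribute entirely (no value means no simple bind can succeed) or set a real hash from `slappasswd -s …`, e.g. `userPassword: {SSHA}…`. The user2 record starts on this hunk's second line and continues past its end.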
Line 105: | Line 89: | ||
userpassword: * | userpassword: * | ||
- | dn: cn=group1,ou=groups,dc=corpX,dc=un | + | dn: cn=group1,ou=Group,dc=corpX,dc=un |
cn: group1 | cn: group1 | ||
gidNumber: 15001 | gidNumber: 15001 | ||
Line 124: | Line 108: | ||
==== Удаление информации из ldap каталога ==== | ==== Удаление информации из ldap каталога ==== | ||
<code> | <code> | ||
- | server# ldapdelete -x -D "cn=admin,dc=corpX,dc=un" -w secret "uid=user1,ou=users,dc=corpX,dc=un" | + | server# ldapdelete -x -D "cn=admin,dc=corpX,dc=un" -w secret "uid=user1,ou=People,dc=corpX,dc=un" |
</code> | </code> | ||
==== Модификация информации в ldap каталоге ===== | ==== Модификация информации в ldap каталоге ===== | ||
- | ==== Пример назначения номеров телефонов ==== | + | ==== Пример назначения номеров телефонов и адресов email ==== |
<code> | <code> | ||
server:~# cat addmailphone.ldif | server:~# cat addmailphone.ldif | ||
</code><code> | </code><code> | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: telephoneNumber | add: telephoneNumber | ||
telephoneNumber: 401 | telephoneNumber: 401 | ||
- | dn: uid=user1,ou=users,dc=corpX,dc=un | + | dn: uid=user1,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: mail | add: mail | ||
mail: user1@corpX.un | mail: user1@corpX.un | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: telephoneNumber | add: telephoneNumber | ||
telephoneNumber: 402 | telephoneNumber: 402 | ||
- | dn: uid=user2,ou=users,dc=corpX,dc=un | + | dn: uid=user2,ou=People,dc=corpX,dc=un |
changetype: modify | changetype: modify | ||
add: mail | add: mail | ||
Line 157: | Line 141: | ||
==== Пример назначения UNIX атрибутов в Microsoft AD ==== | ==== Пример назначения UNIX атрибутов в Microsoft AD ==== | ||
+ | |||
+ | !!! Объекты guser1, guser2 и group1 должны быть созданы заранее | ||
<code> | <code> | ||
- | client1:~# cat addunixattr.ldif | + | gate:~# cat addunixattr.ldif |
</code><code> | </code><code> | ||
+ | #==== add and set attr to user1 ==== | ||
+ | |||
dn: CN=guser1,CN=Users,DC=corpX,DC=un | dn: CN=guser1,CN=Users,DC=corpX,DC=un | ||
changetype: modify | changetype: modify | ||
add: gidNumber | add: gidNumber | ||
gidNumber: 10001 | gidNumber: 10001 | ||
- | |||
- | dn: CN=guser2,CN=Users,DC=corpX,DC=un | ||
- | changetype: modify | ||
- | add: gidNumber | ||
- | gidNumber: 10002 | ||
dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un | dn: CN=Ivan I. Ivanov,CN=Users,DC=corpX,DC=un | ||
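Review bot: The `add: gidNumber` change on `CN=guser1` is not idempotent: if the attribute is already present on the object (a second run of this LDIF, or a value set earlier through the AD UNIX attribute tab), the server answers "attribute or value exists" and `ldapmodify` stops at that record unless `-c` is given, leaving the remaining users half-configured. `replace: gidNumber` followed by `gidNumber: 10001` produces the same end state and can be re-run safely; the same applies to the `add:` operations on the other users and on `group1`. The `CN=Ivan I. Ivanov` record that starts on the last line of this hunk continues outside it.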
Line 190: | Line 173: | ||
add: loginShell | add: loginShell | ||
loginShell: /bin/sh | loginShell: /bin/sh | ||
+ | |||
+ | #==== add and set attr to user2 ==== | ||
+ | |||
+ | dn: CN=guser2,CN=Users,DC=corpX,DC=un | ||
+ | changetype: modify | ||
+ | add: gidNumber | ||
+ | gidNumber: 10002 | ||
dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un | dn: CN=Petr P. Petrov,CN=Users,DC=corpX,DC=un | ||
Line 210: | Line 200: | ||
add: loginShell | add: loginShell | ||
loginShell: /bin/sh | loginShell: /bin/sh | ||
+ | |||
+ | #==== add and set attr to group1 ==== | ||
dn: CN=group1,CN=Users,DC=corpX,DC=un | dn: CN=group1,CN=Users,DC=corpX,DC=un | ||
Line 226: | Line 218: | ||
memberUid: user2 | memberUid: user2 | ||
</code><code> | </code><code> | ||
- | client1:~# export LDAPTLS_REQCERT=never | + | gate:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -f addunixattr.ldif |
- | + | ||
- | client1:~# ldapmodify -x -D "cn=Administrator,cn=Users,dc=corp6,dc=un" -W -H ldaps://server -f addunixattr.ldif | + | |
</code> | </code> | ||
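Review bot: Replacing `ldaps://server` with `ldap://server` while keeping `-x` (simple bind) sends the Domain Administrator password to the DC in cleartext on port 389, which is a step backwards from the previous revision even though that one disabled certificate checking with `LDAPTLS_REQCERT=never`; DCs that enforce LDAP signing may also reject the plain simple bind with `strongerAuthRequired`. Keep TLS and validate the DC certificate instead of switching it off: `gate:~# LDAPTLS_CACERT=/etc/ssl/certs/corpX-ca.pem ldapmodify -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldaps://server -f addunixattr.ldif` (path to the domain CA certificate is an assumption — adjust), or use `-ZZ` for StartTLS on 389, or `-Y GSSAPI` after `kinit Administrator` so no password crosses the wire at all. A short comment in the wiki text stating why TLS is required here would stop the next editor from "simplifying" it again.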
Line 235: | Line 225: | ||
# apt install migrationtools | # apt install migrationtools | ||
- | server.corp13.un:~# diff migrate_common.ph /etc/migrationtools/migrate_common.ph | + | # cat /etc/migrationtools/migrate_common.ph |
</code><code> | </code><code> | ||
- | 58c58 | + | ... |
- | < $NAMINGCONTEXT{'passwd'} = "ou=People"; | + | $DEFAULT_MAIL_DOMAIN = "corp13.un"; |
- | --- | + | ... |
- | > $NAMINGCONTEXT{'passwd'} = "ou=users"; | + | $DEFAULT_BASE = "dc=corp13,dc=un"; |
- | 61c61 | + | ... |
- | < $NAMINGCONTEXT{'group'} = "ou=Group"; | + | $EXTENDED_SCHEMA = 1; |
- | --- | + | ... |
- | > $NAMINGCONTEXT{'group'} = "ou=groups"; | + | $IGNORE_UID_BELOW = 1000; |
- | 71c71 | + | $IGNORE_GID_BELOW = 1000; |
- | < $DEFAULT_MAIL_DOMAIN = "padl.com"; | + | ... |
- | --- | + | $IGNORE_UID_ABOVE = 65500; |
- | > $DEFAULT_MAIL_DOMAIN = "corpX.un"; | + | $IGNORE_GID_ABOVE = 65500; |
- | 74c74 | + | ... |
- | < $DEFAULT_BASE = "dc=padl,dc=com"; | + | |
- | --- | + | |
- | > $DEFAULT_BASE = "dc=corpX,dc=un"; | + | |
- | 96,97c96,97 | + | |
- | < #$IGNORE_UID_BELOW = 1000; | + | |
- | < #$IGNORE_GID_BELOW = 100; | + | |
- | --- | + | |
- | > $IGNORE_UID_BELOW = 1000; | + | |
- | > $IGNORE_GID_BELOW = 1000; | + | |
- | 100,101c100,101 | + | |
- | < #$IGNORE_UID_ABOVE = 9999; | + | |
- | < #$IGNORE_GID_ABOVE = 9999; | + | |
- | --- | + | |
- | > $IGNORE_UID_ABOVE = 65500; | + | |
- | > $IGNORE_GID_ABOVE = 65500; | + | |
</code><code> | </code><code> | ||
# ln -s /etc/migrationtools/migrate_common.ph /etc/perl/migrate_common.ph | # ln -s /etc/migrationtools/migrate_common.ph /etc/perl/migrate_common.ph | ||
- | # /usr/share/migrationtools/migrate_group.pl /etc/group | + | # /usr/share/migrationtools/migrate_passwd.pl /etc/passwd | tee users.ldif |
+ | !!! удалить все про krb5 | ||
+ | |||
+ | # ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f users.ldif | ||
+ | |||
+ | # /usr/share/migrationtools/migrate_group.pl /etc/group | tee groups.ldif | ||
- | # /usr/share/migrationtools/migrate_passwd.pl /etc/passwd | + | # ldapadd -x -D "cn=admin,dc=corpX,dc=un" -w secret -f groups.ldif |
</code> | </code> |
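Review bot: `migrate_passwd.pl /etc/passwd | tee users.ldif`, run as root as shown, will (if `/etc/shadow` is readable, which it is for root) emit every local account's `userPassword: {crypt}…` hash into `users.ldif`, a file created under the default umask in the current directory and left behind after the import — the hashes of the migrated users are then exposed to anyone who can read that directory. Run `umask 077` before the `tee`, and remove both LDIF files once `ldapadd` has succeeded, e.g. `umask 077; /usr/share/migrationtools/migrate_passwd.pl /etc/passwd | tee users.ldif` followed by `shred -u users.ldif groups.ldif` at the end. The manual step "удалить все про krb5" presumably refers to the kerberos object class/attributes added because `$EXTENDED_SCHEMA = 1` is set; if those are always stripped by hand it may be simpler to set `$EXTENDED_SCHEMA = 0`, but confirm the other extended attributes are not relied on. Both `ldapadd` calls again pass the admin password as `-w secret`; the `-W` form used elsewhere on the page avoids the history/`ps` exposure.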