From 8081a5520a441b43a8a7a73f3a90c7aacfaa8e10 Mon Sep 17 00:00:00 2001
From: Timotej Lazar How to setup a LDAP Server, to add entries to a LDAP Server, and to change users' rights to be able to add entries and change the attributes of entries.
+ldap_search
+Purpose of the exercise
+How To
+
+
+
+
+
diff --git a/tasks/ldap_search/howtos/images/1.png b/tasks/ldap_search/howtos/images/1.png
new file mode 100644
index 0000000..f4edca8
Binary files /dev/null and b/tasks/ldap_search/howtos/images/1.png differ
diff --git a/tasks/ldap_search/howtos/images/2.png b/tasks/ldap_search/howtos/images/2.png
new file mode 100644
index 0000000..4d4ebb5
Binary files /dev/null and b/tasks/ldap_search/howtos/images/2.png differ
diff --git a/tasks/ldap_search/howtos/images/Pic1.jpg b/tasks/ldap_search/howtos/images/Pic1.jpg
new file mode 100644
index 0000000..fecb706
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic1.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic2.1.jpg b/tasks/ldap_search/howtos/images/Pic2.1.jpg
new file mode 100644
index 0000000..085f1cc
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic2.1.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic2.2.jpg b/tasks/ldap_search/howtos/images/Pic2.2.jpg
new file mode 100644
index 0000000..cb9975c
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic2.2.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic2.3.jpg b/tasks/ldap_search/howtos/images/Pic2.3.jpg
new file mode 100644
index 0000000..1069e1a
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic2.3.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.1.jpg b/tasks/ldap_search/howtos/images/Pic3.1.jpg
new file mode 100644
index 0000000..0c00ddd
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.1.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.2.jpg b/tasks/ldap_search/howtos/images/Pic3.2.jpg
new file mode 100644
index 0000000..d488e43
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.2.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.3.jpg b/tasks/ldap_search/howtos/images/Pic3.3.jpg
new file mode 100644
index 0000000..2ea916c
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.3.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.4.jpg b/tasks/ldap_search/howtos/images/Pic3.4.jpg
new file mode 100644
index 0000000..24db305
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.4.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.5.jpg b/tasks/ldap_search/howtos/images/Pic3.5.jpg
new file mode 100644
index 0000000..d2ff304
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.5.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.6.jpg b/tasks/ldap_search/howtos/images/Pic3.6.jpg
new file mode 100644
index 0000000..0ab07d0
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.6.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.7.jpg b/tasks/ldap_search/howtos/images/Pic3.7.jpg
new file mode 100644
index 0000000..44ca494
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.7.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic3.8.jpg b/tasks/ldap_search/howtos/images/Pic3.8.jpg
new file mode 100644
index 0000000..855353b
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic3.8.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic4.jpg b/tasks/ldap_search/howtos/images/Pic4.jpg
new file mode 100644
index 0000000..4aab71d
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic4.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic5.jpg b/tasks/ldap_search/howtos/images/Pic5.jpg
new file mode 100644
index 0000000..07a60de
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic5.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic6.jpg b/tasks/ldap_search/howtos/images/Pic6.jpg
new file mode 100644
index 0000000..48c6606
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic6.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic7.jpg b/tasks/ldap_search/howtos/images/Pic7.jpg
new file mode 100644
index 0000000..58b8bdf
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic7.jpg differ
diff --git a/tasks/ldap_search/howtos/images/Pic8.jpg b/tasks/ldap_search/howtos/images/Pic8.jpg
new file mode 100644
index 0000000..c9d053e
Binary files /dev/null and b/tasks/ldap_search/howtos/images/Pic8.jpg differ
diff --git a/tasks/ldap_search/howtos/si/index.html b/tasks/ldap_search/howtos/si/index.html
new file mode 100644
index 0000000..7370099
--- /dev/null
+++ b/tasks/ldap_search/howtos/si/index.html
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+
+
+
+
+
During the LDAP server installation you'll have to provide the password for the user "admin", the administrator of the server and confirm the password chosen.
+
+
+
+
+
+
+
+
+
a) If you will configure the "slapd" again don't forget to remove the old database "rm -rf /var/backups/unknown-2.4.44+dfsg-2.ldapdb".
+
Because you will be using a lot the domain name to access the LDAP server you can set the environment variable "D", which will allow for quicker typing of commands.
+
"export D=dc=ceres-20,dc=kpov,dc=lusy,dc=fri,dc=uni-lj,dc=si"
+
"ldapsearch -D cn=admin,$D -wvaje -b $D"
+
+
Execute the following command to add users to the LDAP server:
+
"ldapadd -D cn=admin,$D -wvaje -f users.ldif"
+
Add password to the users added to the LDAP server:
+
"ldappasswd -D cn=admin,$D -wvaje -sj2531e cn=ninavidmar,ou=users,$D"
+
"ldappasswd -D cn=admin,$D -wvaje -scTyRM0 cn=natalijaribnikar39,ou=users,$D"
+
Execute command "ldapsearch -D cn=natalijaribnikar39,ou=users,$D -wcTyRM0 -b $D" to bind to the LDAP server with the newly added user "natalijaribnikar39" and to see the entries currently in the LDAP server.
+
+
To see which backend database is used and other settings related to the users' rights execute command "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config" as root user in the system, which does not need the user authentication to the LDAP server.
+
+
The settings in the acl.ldif file:
+
+
Now to change users' rights run the command "ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif" as user "root" in the system.
+
Now try to bind to the LDAP server using "natalijaribnikar39" user's credentials and add a new user to the server directory.
+
"ldapadd -D cn=natalijaribnikar39,ou=users,$D -wcTyRM0 -f newuser.ldif"
+ Naloga: ldap search
+Povzetek naloge
+Ustvari 2 virtualna sistema SimpleArbiterDhcp ter LDAPServer ter se s SimpleArbiterDhcp povezi na LDAP server na drugem virtualnem sistemu. Ustvari uporabnika.
+
+
+Ustvari dva navidezna računalnika: SimpleArbiter in LDAPServer. + +
+Na LDAPServer namesti strežnik LDAP. Strežnik naj skrbi za domeno + +
DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
++V imeniku ustvari uporabnika + +
CN={{LDAP_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+
+z geslom {{LDAP_PASSWORD}}
in uporabnika
+
+
CN={{BIND_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+
+z geslom {{BIND_PASSWORD}}
.
+
+
+Poskrbi, da se bo lahko klient s SimpleArbiter povezal na LDAP strežnik na LDAPServer.
+V primeru, da se klient poveže kot {{BIND_USERNAME}}
z geslom {{BIND_PASSWORD}}
,
+naj strežnik omogoči spreminjanje podatkov za objekt
+
+
CN={{LDAP_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
++ter ustvarjanje novih objektov v + +
DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+CN = Common Name
+O = Organization
+OU = Organizational Unit
+DC = Domain Component
+
+''',
+ 'en': '''\
++Create two virtual machines: SimpleArbiter and LDAPServer. + +
+Set up an LDAP server on LDAPServer. Make it responsible for + +
DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
++Create a user + +
CN={{LDAP_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+
+with the password {{LDAP_PASSWORD}}
, and a user
+
+
CN={{BIND_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+
+with the password {{LDAP_PASSWORD}}
.
+
+
+Make sure that a client from SimpleArbiter can connect to the LDAP server on LDAPServer. If the client identifies themself as {{BIND_USERNAME}}
with the password {{BIND_PASSWORD}}
, allow it to change data for the object
+
+
CN={{LDAP_USERNAME}},ou=users,DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
++and to create objects in + +
DC={{DOMAIN}},DC=kpov,DC=lusy,DC=fri,DC=uni-lj,DC=si
+
+CN = Common Name
+O = Organization
+OU = Organizational Unit
+DC = Domain Component
+
+''',
+}
+
+computers = {
+ 'LDAPServer': {
+ 'disks': [
+ { 'name': 'student-LDAPServer',
+ },
+ #{ 'name': 'CDROM',
+ # 'options':{'readonly': True},
+ # 'parts': [],# no parts, no mounting.
+ #}
+ ],
+ 'network_interfaces': [{'network': 'net1'}],
+ 'flavor': 'm1.tiny',
+ 'config_drive': False
+
+ },
+ 'SimpleArbiter': {
+ 'disks': [
+ { 'name': 'simpleArbiterDhcpGWLDAP',
+ # attempt automount
+ },
+ #{ 'name': 'CDROM',
+ # 'options': {'readonly': True},
+ # 'parts': [{'dev': 'b1', 'path': '/cdrom'}],
+ #},
+ ],
+ 'network_interfaces': [{'network': 'net1'}, {'network': 'test-net'}],
+ 'flavor': 'm1.tiny',
+ 'config_drive': False
+ }
+}
+
+networks = { 'net1': {'public': False}, 'test-net': {'public': True} }
+
+params_meta = {
+ 'LDAP_IP': {'descriptions': {'si': 'IP strežnika', 'en': 'Server IP'}, 'w': True, 'public':True, 'type': 'IP', 'generated': False},
+ 'DOMAIN': {'descriptions': {'si': 'Domena (poddomena kpov.lusy.fri.uni-lj.si)', 'en': 'Domain (subdomain of kpov.lusy.fri.uni-lj.si)'}, 'w': False, 'public':True, 'type': 'username', 'generated': True},
+ 'LDAP_USERNAME': {'descriptions': {'si': 'Uporabniško ime v LDAP', 'en': 'Username in LDAP'}, 'w': False, 'public':True, 'type': 'username', 'generated': True},
+ 'LDAP_PASSWORD': {'descriptions': {'si': 'Geslo v LDAP', 'en': 'LDAP password'}, 'w': False, 'public':True, 'type': 'password', 'generated': True},
+ 'BIND_USERNAME': {'descriptions': {'si': 'Uporabniško ime za dostop do LDAP (bind)', 'en': 'Bind username in LDAP'}, 'w': False, 'public':True, 'type': 'username', 'generated': True},
+ 'BIND_PASSWORD': {'descriptions': {'si': 'Geslo za dostop do LDAP (bind)', 'en': 'Bind password in LDAP'}, 'w': False, 'public':True, 'type': 'password', 'generated': True},
+}
+
+def task(LDAP_IP, DOMAIN, LDAP_USERNAME, LDAP_PASSWORD, BIND_USERNAME, BIND_PASSWORD):
+ from pexpect import pxssh
+ import pexpect
+ results = dict()
+ FULLDOMAIN = "dc={DOMAIN},dc=kpov,dc=lusy,dc=fri,dc=uni-lj,dc=si".format(
+ **locals())
+ BIND_DN = "cn={BIND_USERNAME},ou=Users,{FULLDOMAIN}".format(**locals())
+ s = "ldapsearch -D {BIND_DN} -b {FULLDOMAIN} -w {BIND_PASSWORD}\
+ -h {LDAP_IP}".format(
+ **locals())
+ results['ldapsearch_before'] = pexpect.run(s)
+ s = "ldapmodify -D {BIND_DN} -w {BIND_PASSWORD} -h {LDAP_IP}".format(
+ **locals())
+ modify = pexpect.spawn(s)
+ FORTUNE = kpov_util.hostname_gen(random.Random(str(LDAP_USERNAME)))
+ results['fortune'] = FORTUNE
+ s1 = """
+dn: cn={LDAP_USERNAME},ou=Users,{FULLDOMAIN}
+changetype: modify
+replace: description
+description: {FORTUNE}
+""".format(**locals())
+ modify.write(s1)
+ modify.sendeof()
+ modify.expect(pexpect.EOF)
+ results['modify'] = modify.before
+ s = "ldapsearch -D {BIND_DN} -b {FULLDOMAIN} -w {BIND_PASSWORD}\
+ -h {LDAP_IP}".format(**locals())
+ results['ldapsearch_after'] = pexpect.run(s)
+ return results
+
+def gen_params(user_id, params_meta):
+ params = dict()
+ r = random.Random(user_id)
+ params['DOMAIN'] = kpov_util.hostname_gen(r)
+ params['LDAP_USERNAME'] = kpov_util.username_gen(r)
+ params['LDAP_PASSWORD'] = kpov_util.alnum_gen(r, 6)
+ params['BIND_USERNAME'] = kpov_util.username_gen(r)
+ params['BIND_PASSWORD'] = kpov_util.alnum_gen(r, 6)
+ return params
+
+def task_check(results, params):
+ import re
+ score = 0
+ hints = []
+ s = """.*dn: dc={DOMAIN},dc=kpov,dc=lusy,dc=fri,dc=uni-lj,dc=si\r[^#]*
+objectClass: top\r
+objectClass: dcObject\r
+objectClass: organization\r
+.*""".format(**params)
+#dc: {DOMAIN}\r
+ if re.match(s, results['ldapsearch_before'], re.DOTALL):
+ score += 2
+ else:
+ hints += ["domain missing in ldapsearch result"]
+ s = ".*cn: {}.*".format(re.escape(params['LDAP_USERNAME']))
+ if re.search(s, results['ldapsearch_before']):
+ score += 2
+ else:
+ hints += ["LDAP_USERNAME missing in: " + s + str(results['ldapsearch_before'])]
+ fortune = kpov_util.hostname_gen(random.Random(str(params['LDAP_USERNAME'])))
+ s = ".*cn: {0}.*description: {1}.*".format(
+ re.escape(params['LDAP_USERNAME']), re.escape(fortune))
+ if re.match(s, results['ldapsearch_after'], re.DOTALL):
+ score += 2
+ else:
+ hints += ["description missing after update:" + fortune + "\n" + s + str(results['modify']) + str(results['ldapsearch_after'])]
+ if results['ldapsearch_before'][:100] == results['ldapsearch_after'][:100]:
+ score += 2
+ else:
+ hints += ["ldapsearch before equals after. This should not happen."]
+ s = '.*\r\nmodifying entry "cn={LDAP_USERNAME},ou=Users,dc={DOMAIN},dc=kpov,dc=lusy,dc=fri,dc=uni-lj,dc=si".*'.format(
+ **params)
+ if re.match(s, results['modify'], re.DOTALL):
+ score += 2
+ else:
+ hints += ['Modify error' + s + str(results['modify'])]
+ return score, hints
+
+def prepare_disks(templates, task_params, global_params):
+ write_default_config(templates['simpleArbiterDhcpGWLDAP'], global_params)
--
cgit v1.2.1