LDAP Cluster on Debian Jessie

Instalacja oprogramowania klastrowego 'Corosync' i 'Pacemaker' (na każdym z nodów)

  aptitude install vim mc rsync ntp
  aptitude install -t jessie-backports peacemaker crmsh haproxy

UWAGA: Przed kolejnymi krokami konieczne jest skonfigurowanie poprawnego czasu (NTP) - zgodny czas na obu nodach jest potrzebny zarówno Corosyncowi, jak i do weryfikacji certyfikatów TLS używanych przy replikacji.

Instalacja LDAPa

  1. Instalacja wymaganych paczek (na każdym z nodów)

    aptitude install slapd ldap-utils
    
  2. Dodanie wymaganych schematów (plik wczytujemy do cn=config przez `ldapadd -Y EXTERNAL -H ldapi:///`)

dn: cn=qmail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: qmail
olcAttributeTypes: {0}( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'qmailUID' DESC 'UID of 
 the user on the mailsystem' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.27 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'qmailGID' DESC 'GID of 
 the user on the mailsystem' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailMessageStore' DESC 
 'Path to the maildir/mbox on the mail system' EQUALITY caseExactIA5Match SUBS
 TR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SIN
 GLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7914.1.2.1.4 NAME 'mailAlternateAddress' D
 ESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA
 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26{256} )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost' DESC 'On whic
 h qmail server the messagestore of this user is located.' EQUALITY caseIgnore
 IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.26{256} SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7914.1.2.1.7 NAME 'mailForwardingAddress' 
 DESC 'Address(es) to forward all incoming messages to.' EQUALITY caseIgnoreIA
 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26{256} )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7914.1.2.1.8 NAME 'deliveryProgramPath' DE
 SC 'Program to execute for all incoming mails.' EQUALITY caseExactIA5Match SU
 BSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7914.1.2.1.9 NAME 'qmailDotMode' DESC 'Int
 erpretation of .qmail files: both, dotonly, ldaponly, ldapwithprog' EQUALITY 
 caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7914.1.2.1.10 NAME 'deliveryMode' DESC 'mu
 lti field entries of: nolocal, noforward, noprogram, reply' EQUALITY caseIgno
 reIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7914.1.2.1.11 NAME 'mailReplyText' DESC 'A
  reply text for every incoming message' EQUALITY caseIgnoreMatch SUBSTR caseI
 gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4096} SINGLE-VALUE 
 )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7914.1.2.1.12 NAME 'accountStatus' DESC '
 The status of a user account: active, noaccess, disabled, deleted' EQUALITY c
 aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7914.1.2.1.14 NAME 'qmailAccountPurge' DE
 SC 'The earliest date when a mailMessageStore will be purged' EQUALITY numeri
 cStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7914.1.2.1.15 NAME 'mailQuotaSize' DESC '
 The size of space the user can have until further messages get bounced.' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7914.1.2.1.16 NAME 'mailQuotaCount' DESC 
 'The number of messages the user can have until further messages get bounced.
 ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7914.1.2.1.17 NAME 'mailSizeMax' DESC 'Th
 e maximum size of a single messages the user accepts.' EQUALITY integerMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7914.1.3.1.1 NAME 'dnmember' DESC 'Group 
 member specified as distinguished name.' EQUALITY distinguishedNameMatch SYNT
 AX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7914.1.3.1.2 NAME 'rfc822member' DESC 'Gr
 oup member specified as normal rf822 email address.' EQUALITY caseIgnoreIA5Ma
 tch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{
 256} )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7914.1.3.1.3 NAME 'filtermember' DESC 'Gr
 oup member specified as ldap search filter.' EQUALITY caseIgnoreIA5Match SUBS
 TR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7914.1.3.1.4 NAME 'senderconfirm' DESC 'S
 ender to Group has to answer confirmation email.' EQUALITY booleanMatch SYNTA
 X 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7914.1.3.1.5 NAME 'membersonly' DESC 'Sen
 der to Group must be group member itself.' EQUALITY booleanMatch SYNTAX 1.3.6
 .1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7914.1.3.1.6 NAME 'confirmtext' DESC 'Tex
 t that will be sent with sender confirmation email.' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4096} 
 SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7914.1.3.1.7 NAME 'dnmoderator' DESC 'Gro
 up moderator specified as Distinguished name.' EQUALITY distinguishedNameMatc
 h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7914.1.3.1.8 NAME 'rfc822moderator' DESC 
 'Group moderator specified as normal rfc822 email address.' EQUALITY caseIgno
 reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.26{256} )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7914.1.3.1.9 NAME 'moderatortext' DESC 'T
 ext that will be sent with request for moderation email.' EQUALITY caseIgnore
 Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4
 096} SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7914.1.3.1.10 NAME 'dnsender' DESC 'Allow
 ed sender specified as distinguished name.' EQUALITY distinguishedNameMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7914.1.3.1.11 NAME 'rfc822sender' DESC 'A
 llowed sender specified as normal rf822 email address.' EQUALITY caseIgnoreIA
 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26{256} )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7914.1.3.1.12 NAME 'filtersender' DESC 'A
 llowed sender specified as ldap search filter.' EQUALITY caseIgnoreIA5Match S
 UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} 
 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7914.1.4.1.1 NAME 'qladnmanager' DESC '' 
 EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7914.1.4.1.2 NAME 'qlaDomainList' DESC ''
  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6
 .1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7914.1.4.1.3 NAME 'qlaUidPrefix' DESC '' 
 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.
 1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7914.1.4.1.4 NAME 'qlaQmailUid' DESC '' E
 QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7914.1.4.1.5 NAME 'qlaQmailGid' DESC '' E
 QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7914.1.4.1.6 NAME 'qlaMailMStorePrefix' D
 ESC '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7914.1.4.1.7 NAME 'qlaMailQuotaSize' DESC
  '' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7914.1.4.1.8 NAME 'qlaMailQuotaCount' DES
 C '' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
 )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7914.1.4.1.9 NAME 'qlaMailSizeMax' DESC '
 ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7914.1.4.1.10 NAME 'qlaMailHostList' DESC
  '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7914.1.4.1.11 NAME 'enabledService' DESC 
 'Enabled service: any' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.26 )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7914.1.4.1.12 NAME 'section' DESC '' EQUA
 LITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7914.1.4.1.18 NAME 'dgFilterGroup' DESC '
 dansguardianFilterGroup: filter1, filter2, filter3, itp' EQUALITY caseIgnoreM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7914.1.4.1.21 NAME 'localUsbDvd' DESC 'Mo
 zliwosc montowania CD/DVD i USB: enabled, disabled' EQUALITY caseIgnoreMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'qmailUser' DESC 'QMail-L
 DAP User' SUP top AUXILIARY MUST mail MAY ( uid $ mailMessageStore $ homeDire
 ctory $ userPassword $ mailAlternateAddress $ qmailUID $ qmailGID $ mailHost 
 $ mailForwardingAddress $ deliveryProgramPath $ qmailDotMode $ deliveryMode $
  mailReplyText $ accountStatus $ qmailAccountPurge $ mailQuotaSize $ mailQuot
 aCount $ mailSizeMax $ enabledService $ section $ dgFilterGroup $ localUsbDvd
 ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7914.1.3.2.1 NAME 'qmailGroup' DESC 'QMail-
 LDAP Group' SUP top AUXILIARY MUST ( mail $ mailAlternateAddress $ mailMessag
 eStore ) MAY ( dnmember $ rfc822member $ filtermember $ senderconfirm $ membe
 rsonly $ confirmtext $ dnmoderator $ rfc822moderator $ moderatortext $ dnsend
 er $ rfc822sender $ filtersender $ enabledService ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7914.1.4.2.1 NAME 'qldapAdmin' DESC 'QMail-
 LDAP Subtree Admin' SUP top AUXILIARY MUST ( qlaDnManager $ qlaDomainList $ q
 laMailMStorePrefix $ qlaMailHostList ) MAY ( qlaUidPrefix $ qlaQmailUid $ qla
 QmailGid $ qlaMailQuotaSize $ qlaMailQuotaCount $ qlaMailSizeMax ) )
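# struktura.ldif - top-level containers under dc=pbs,dc=corp (the suffix entry
# itself is normally created by the slapd debconf setup). Load as cn=admin:
#   ldapadd -H ldapi:/// -x -W -D cn=admin,dc=pbs,dc=corp -f struktura.ldif
# The entries were run together in the original page; each LDIF record must be
# separated by a blank line.
#
# NOTE(review): the ACLs further down grant "write" to the groupOfNames
# cn=admins,ou=sysmgmt,dc=pbs,dc=corp, which this file does NOT create. Add it
# (with at least one "member") or those group clauses grant nothing.
dn: ou=users,dc=pbs,dc=corp
description: Kontener uzytkownikow
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=pbs,dc=corp
description: Kontener grup
objectClass: organizationalUnit
ou: groups

dn: ou=sysmgmt,dc=pbs,dc=corp
ou: sysmgmt
description: Kontener uprawnien specjalnych
objectClass: organizationalUnit

dn: ou=apps,dc=pbs,dc=corp
objectClass: organizationalUnit
ou: apps
description: Kontener aplikacji

dn: ou=mail,ou=groups,dc=pbs,dc=corp
objectClass: organizationalUnit
ou: mail
description: Kontener grup pocztowych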
  1. Utworzenie konta syncagent - plik syncagent.ldif (hash hasła trzeba wyliczyć samodzielnie, np. `slappasswd -h {SSHA}`; nie używać hasha skopiowanego z dokumentacji)
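# syncagent.ldif - the replication bind identity. Its password is kept in clear
# text in the olcSyncRepl "credentials=" of every node, and the ACLs on this page
# let it read cn=config and every attribute of the directory (userPassword hashes
# included), so treat it like an administrative secret.
# Generate the hash yourself and paste the output of:
#   slappasswd -h {SSHA}
# (the original page carried a real, reusable hash here - never copy one from
# documentation, anyone who has seen it can crack it offline).
dn: cn=syncagent,dc=pbs,dc=corp
cn: syncagent
objectClass: top
objectClass: person
sn: syncagent
userPassword: {SSHA}<paste-output-of-slappasswd-here>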
  1. Wczytać plik struktura.ldif do LDAPa

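    # -H ldapi:/// binds over the local Unix socket, so the cn=admin password never
    # leaves the host (without -H the URI from ldap.conf is used, which may be a
    # plain ldap:// address).
    ldapadd -H ldapi:/// -f struktura.ldif -D cn=admin,dc=pbs,dc=corp -x -W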
    
  2. Wczytać plik syncagent.ldif do LDAPa

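    # Local socket (ldapi) for the same reason as above: simple bind as cn=admin
    # must not travel over a cleartext network connection.
    ldapadd -H ldapi:/// -f syncagent.ldif -D cn=admin,dc=pbs,dc=corp -x -W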
    
  3. Załadowanie konfiguracji do synchronizacji konfigów (replikacja cn=config między nodami)

plik synchronizacja_konfiguracji.ldif

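## master syncprov config (LDIF)
# synchronizacja_konfiguracji.ldif - mirror-mode replication of cn=config between
# ldap1 and ldap2, plus the TLS settings the ldaps:// providers need. The file
# mixes "modify" and "add" records, so load it with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f synchronizacja_konfiguracji.ldif
# Records were run together on the original page; each one needs a blank line.
#
# The olcServerID URLs must be exactly the URLs slapd listens on (SLAPD_SERVICES
# in /etc/default/slapd - on Debian the default is "ldap:/// ldapi:///", so
# ldaps://<fqdn>:636 has to be added there), otherwise a node cannot recognise
# its own ID and mirror mode misbehaves.
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldaps://ldap1.pbs.corp:636
olcServerID: 2 ldaps://ldap2.pbs.corp:636

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# Enable the syncprov overlay for cn=config
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# ustawienie replikacji - consumer side. Each node lists both providers; the one
# matching its own olcServerID URL is skipped automatically.
# The "credentials=" value is stored in clear text under /etc/ldap/slapd.d, so
# that directory must stay 0700 openldap:openldap and must not end up in backups
# or config management without encryption. Verification of the provider's
# certificate uses the olcTLSCACertificateFile set below; spelling it out with
# tls_reqcert=demand tls_cacert=/etc/ldap/certs/ca.pbs.corp.crt on each
# olcSyncRepl line makes the intent explicit.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldap1.pbs.corp:636   binddn="cn=syncagent,dc=pbs,dc=corp" bindmethod=simple
       credentials=haslo-usera searchbase="cn=config" type=refreshAndPersist
       retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldaps://ldap2.pbs.corp:636   binddn="cn=syncagent,dc=pbs,dc=corp" bindmethod=simple
       credentials=haslo-usera searchbase="cn=config" type=refreshAndPersist
       retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
# Setup Access
# syncagent gets read on all of cn=config - that includes olcRootPW and the
# syncrepl credentials above, which is why its password matters so much.
add: olcAccess
olcAccess: to *  by dn.base="cn=syncagent,dc=pbs,dc=corp" read  by * +0 break
-
add: olcLimits
olcLimits: dn.exact="cn=syncagent,dc=pbs,dc=corp" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# TLS material. server.cert must be valid for the node's own name
# (ldap1.pbs.corp / ldap2.pbs.corp), so each node needs its own pair at these
# paths; server.key 0600 (or 0640 root:openldap).
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca.pbs.corp.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/server.cert
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/server.key
-
# "never" = do not request client certificates (clients authenticate with simple
# binds over TLS). Use "allow"/"try" only if SASL EXTERNAL with client certs is
# wanted.
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
# GnuTLS priority string (Debian's slapd links against GnuTLS): TLS 1.2 only,
# forward-secret 128+ bit suites, no SHA-1 MACs, no RC4. The original page had
# this attribute fused onto one line and without the "-" separator.
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE128:PFS:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:-SHA1:-ARCFOUR-128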
# Stop slapd before copying its database and configuration directories. The copy
# is only consistent if slapd is stopped on the source; it must also be stopped
# on the destination node while the files are replaced.
/etc/init.d/slapd stop
  1. Przekopiowanie plików z tego serwera na pozostałe serwery (na serwerze docelowym slapd również musi być w tym czasie zatrzymany)
# slapd.d holds the cleartext syncrepl credentials, so run this as root over ssh
# with ownership/permissions preserved (-a) and keep the directory 0700 on the
# target. Consider adding --delete so nothing from ldap2's own fresh install
# (e.g. a differently named olcDatabase={1}*.ldif) survives next to the copy.
rsync -av /etc/ldap/slapd.d ldap2:/etc/ldap/
# /etc/ldap/certs is deliberately NOT copied: ldap2 needs its own server.cert /
# server.key (valid for ldap2.pbs.corp) and ca.pbs.corp.crt at the paths set in
# cn=config before it is started.
rsync -av /var/lib/ldap ldap2:/var/lib/
  1. start serwerów
# Start on this node first, then on ldap2. Both must actually listen on
# ldaps://<fqdn>:636 (SLAPD_SERVICES in /etc/default/slapd), matching the
# olcServerID URLs, or the cn=config consumers never connect.
/etc/init.d/slapd start
  1. Należy sprawdzić, czy serwery spięły się do synchronizacji

     # List TCP sockets on port 636: the LISTEN socket plus one ESTABLISHED
     # connection to the other node (and one from it). Check /var/log/syslog for
     # "syncrepl" errors if a connection is missing.
     netstat -atnp | grep 636
    

    powinno zwrócić nam 2 rekordy - każdy z serwerów powinien być połączony do drugiego (oprócz gniazda LISTEN po jednym połączeniu ldaps w każdą stronę)

  2. Konfiguracja synchronizacji katalogu LDAP i uprawnienia

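## Uruchomienie synchronizacji bazy katalogu i ustawienie praw - plik konfiguracja_katalogu_i_prawa.ldif
# Load with: ldapmodify -Y EXTERNAL -H ldapi:/// -f konfiguracja_katalogu_i_prawa.ldif
# Records were run together on the original page; each needs a blank line.
#
# NOTE(review): this file addresses the data database as olcDatabase={1}mdb in
# the first two records and as olcDatabase={1}hdb in the last one (and the
# accesslog/ppolicy files below use {1}hdb). Only one of those exists - check
# ls /etc/ldap/slapd.d/cn=config/ and use the same name everywhere.

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# olcSpNoPresent: TRUE was removed here. slapo-syncprov(5) says it must only be
# set on a syncprov instance that sits on top of a log database (delta-syncrepl
# with accesslog). The consumers below use plain syncrepl (no logbase=), and with
# the present phase skipped a consumer that was disconnected would never learn
# about entries deleted in the meantime.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
# NOTE(review): rid=003 points at ldap.pbs.corp while the cn=config consumer for
# the same node (rid=001) and olcServerID use ldap1.pbs.corp. If ldap.pbs.corp is
# the load-balancer name, a node may end up replicating from itself through the
# VIP; this should almost certainly be ldap1.pbs.corp.
olcSyncRepl: rid=003 provider=ldaps://ldap.pbs.corp:636   binddn="cn=syncagent,dc=pbs,dc=corp" bindmethod=simple
       credentials=haselko_usera searchbase="dc=pbs,dc=corp" type=refreshAndPersist
       retry="5 5 300 5" interval=00:00:00:10 timeout=1
olcSyncRepl: rid=004 provider=ldaps://ldap2.pbs.corp:636  binddn="cn=syncagent,dc=pbs,dc=corp" bindmethod=simple
       credentials=haselko_usera searchbase="dc=pbs,dc=corp" type=refreshAndPersist
       retry="5 5 300 5" interval=00:00:00:10 timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
# Setup Access
# Replaces the Debian default ACL set. Rules are evaluated in order, first match
# wins. cn=admin is also the database rootdn, so its "write" clauses are
# redundant but harmless; the cn=admins group must exist for its clauses to
# have any effect.
delete: olcAccess
-
add: olcAccess
# {0} password attributes: admins write, replication reads, anyone may bind
# (auth), the owner may change it, nobody else sees it.
olcAccess: {0}to attrs=userPassword,shadowLastChange  by dn.base="cn=admin,dc=pbs,dc=corp" write by group/groupOfNames/member.exact="cn=admins,ou=sysmgmt,dc=pbs,dc=corp"
  write by dn.base="cn=syncagent,dc=pbs,dc=corp" read  by anonymous auth  by self write  by * none
# {1} replication needs read on everything; "+0 break" keeps evaluating for all
# other identities.
olcAccess: {1}to *  by dn.base="cn=syncagent,dc=pbs,dc=corp" read  by * +0 break
olcAccess: {2}to attrs=enabledService,dgFilterGroup  by dn.base="cn=admin,dc=pbs,dc=corp"
  write  by group/groupOfNames/member.exact="cn=admins,ou=sysmgmt,dc=pbs,dc=corp" write  by * read
olcAccess: {3}to dn.children="ou=apps,dc=pbs,dc=corp" by dn.base="cn=admin,dc=pbs,dc=corp" write by group/groupOfNames/member.exact="cn=admins,ou=sysmgmt,dc=pbs,dc=corp" 
  write by * read
olcAccess: {4}to dn.base=""  by * read
# {5} NOTE(review): "by * read" includes anonymous, so anyone who can reach port
# 389/636 can enumerate every user, alias, forwarding address and
# deliveryProgramPath. If the mail system and PAM/NSS clients bind before
# searching, tighten this to "by users read by * none"; verify the clients'
# behaviour first, because anonymous lookups are common with qmail-ldap.
olcAccess: {5}to *  by dn.base="cn=admin,dc=pbs,dc=corp" write  by * read
-
add: olcLimits
olcLimits: dn.exact="cn=syncagent,dc=pbs,dc=corp" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Indexes syncrepl relies on (see the NOTE at the top about {1}hdb vs {1}mdb).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID,entryCSN eq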

plik utworzenie_bazy_accesslog.ldif:

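# Accesslog database definitions
# utworzenie_bazy_accesslog.ldif - audit database fed by the accesslog overlay.
# /var/lib/ldap-accesslog must exist, owned by openldap:openldap, mode 0700,
# before this is loaded. (A DB_CONFIG is advisable for hdb; mdb would avoid
# that and match the data database if that one is {1}mdb.)
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap-accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=pbs,dc=corp
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart eq
# The log stores every write together with the new attribute values - including
# userPassword hashes from password changes. A database with no olcAccess falls
# back to slapd's default "to * by * read", so the original definition left the
# whole audit log world-readable. Restrict it to the administrator; add
# cn=syncagent "read" only if delta-syncrepl (logbase=cn=accesslog) is adopted
# later.
olcAccess: {0}to * by dn.exact="cn=admin,dc=pbs,dc=corp" read by * none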
  # cn=config changes are made as root over ldapi with SASL EXTERNAL (peer
  # credentials); create /var/lib/ldap-accesslog (openldap:openldap, 0700) first.
  ldapadd -Y EXTERNAL -H ldapi:/// -f utworzenie_bazy_accesslog.ldif
# zaladowanie_ovl_acceslog.ldif - load the accesslog overlay module into the
# existing module list (the same list the syncprov module was added to).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: accesslog
  # ldapadd honours the explicit "changetype: modify" in the file (-a only sets
  # the default), so this works; ldapmodify would be the clearer tool.
  ldapadd -Y EXTERNAL -H ldapi:/// -f zaladowanie_ovl_acceslog.ldif

plik konfiguracji overlay'a definicja_accesslog_ovl.ldif

# accesslog overlay definitions for primary db
# definicja_accesslog_ovl.ldif - attach the overlay to the data database and
# point it at cn=accesslog. NOTE(review): the database is named {1}hdb here but
# {1}mdb in the syncrepl file above; use whichever actually exists.
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
# Record add/delete/modify/modrdn only (no binds or searches), and only the ones
# that succeeded - failed bind attempts are therefore NOT in this log; rely on
# slapd's own logging / ppolicy counters for brute-force detection.
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
   # Attaches the accesslog overlay; the accesslog database and module must
   # already be loaded (previous two steps) or this add is rejected.
   ldapadd -Y EXTERNAL -H ldapi:/// -f definicja_accesslog_ovl.ldif
  1. Konfiguracja polityki haseł (overlay ppolicy)

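# 01_ppolicy_module.ldif - load the ppolicy overlay module.
# The original created a second olcModuleList entry ("cn=module" with its own
# olcModulePath); cn=module{0} already exists on this system and is what the
# syncprov and accesslog modules were added to, so extend it instead for
# consistency. Load with: ldapmodify -Y EXTERNAL -H ldapi:/// -f 01_ppolicy_module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy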
   # Loads the ppolicy module (same ldapi/EXTERNAL pattern as the other
   # cn=config changes).
   ldapadd -Y EXTERNAL -H ldapi:/// -f 01_ppolicy_module.ldif
# 02_ppolicy_overlay_config.ldif - attach ppolicy to the data database.
# NOTE(review): {1}hdb here vs {1}mdb in the syncrepl file - use the real name.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
# Policy applied to entries without their own pwdPolicySubentry (the policy
# entries themselves are created in the next step).
olcPPolicyDefault: cn=default,ou=policies,dc=pbs,dc=corp
# Hash passwords that arrive in clear text over a modify, so no plaintext value
# is ever stored even if a client forgets to hash.
olcPPolicyHashCleartext: TRUE
# NOTE(review): TRUE returns a distinct "account locked" error instead of the
# generic invalidCredentials. slapo-ppolicy(5) advises against it because it
# lets an unauthenticated client tell which accounts exist and are locked.
# FALSE is the safer choice unless that feedback is required.
olcPPolicyUseLockout: TRUE
   # Attaches the ppolicy overlay; the module from the previous step must be
   # loaded first.
   ldapadd -Y EXTERNAL -H ldapi:/// -f 02_ppolicy_overlay_config.ldif
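# 03_policies.ldif - password policies. pwdPolicy is AUXILIARY, hence the
# structural "device" class on each policy entry. These live in the data
# database, so load them as cn=admin (next step). Records were run together on
# the original page; each needs a blank line.
dn: ou=policies,dc=pbs,dc=corp
objectClass: organizationalUnit
objectClass: top
ou: policies

# Policy for service/admin identities: no expiry and no lockout, so a flood of
# bad binds cannot lock replication or administration out. The trade-off is
# that brute force against these DNs is never throttled by slapd - give them
# long random passwords and restrict where they may bind from if possible.
dn: cn=noexpire,ou=policies,dc=pbs,dc=corp
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: noexpire
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxAge: 0

# Default policy (olcPPolicyDefault) for everyone else.
dn: cn=default,ou=policies,dc=pbs,dc=corp
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Expire after 30 days, warn 7 days ahead. Rotation this frequent tends to
# produce weaker, pattern-based passwords; reconsider unless it is a
# compliance requirement.
pwdMaxAge: 2592000
pwdExpireWarning: 604800
pwdInHistory: 7
# 1 = check quality only when the clear text is available (it is, thanks to
# olcPPolicyHashCleartext) and accept the change if it cannot be checked. With
# no pwdCheckModule loaded, the only built-in check is pwdMinLength.
pwdCheckQuality: 1
pwdMinLength: 8
# Lock for 600 s after 3 failures within 600 s. Three strikes makes it trivial
# for anyone who knows a login name to lock that user out; 5-10 with the same
# window is a common compromise.
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 5
pwdFailureCountInterval: 600
# Only effective on entries where pwdReset is TRUE - set it whenever an admin
# assigns or resets a password.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# FALSE: a user may replace the password without supplying the old one in the
# same modify (the "by self write" ACL on userPassword allows that).
pwdSafeModify: FALSE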
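   # Data-database change, bound as cn=admin; use the local ldapi socket so the
   # admin password is not sent over a possibly cleartext network URI.
   ldapadd -H ldapi:/// -f 03_policies.ldif -D cn=admin,dc=pbs,dc=corp -x -W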
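# 04_policies_for_users.ldif - exempt the replication and admin identities from
# the default (expiring, locking) policy. Records were run together on the
# original page; each needs a blank line.
# If cn=admin is also the database olcRootDN with an olcRootPW, binds with that
# password are generally not subject to ppolicy at all; the subentry then only
# matters for a userPassword stored on the entry itself.
dn: cn=syncagent,dc=pbs,dc=corp
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=pbs,dc=corp

dn: cn=admin,dc=pbs,dc=corp
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=pbs,dc=corp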
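  # Same as above: bind as cn=admin over the local ldapi socket.
  ldapmodify -H ldapi:/// -f 04_policies_for_users.ldif -D cn=admin,dc=pbs,dc=corp -x -W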

Obliczanie CRC32 (potrzebne wyłącznie po ręcznej edycji plików w slapd.d, gdy trzeba poprawić nagłówek "# CRC32"; zalecane jest modyfikowanie konfiguracji przez ldapmodify, a nie edycja plików)

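             # Recompute the checksum slapd stores in the second header line of a
             # slapd.d file ("# CRC32 xxxxxxxx"); tail -n +3 skips the two header
             # lines. Only needed after hand-editing slapd.d (not recommended - use
             # ldapmodify). The crc32 tool comes from libarchive-zip-perl.
             # The file is named after the RDN, i.e. "olcDatabase={0}config.ldif";
             # the original page had a spurious "cn=" prefix in the file name.
             crc32 <(tail -n +3 '/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif')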

Przykładowa konfiguracja HAProxy przed klastrem LDAP (źródło poniżej). Nazwy ldap.company.com oraz ad-dc01/02/03.company.com to placeholdery z przykładu dla Active Directory - trzeba je zamienić na adres VIP klastra oraz ldap1.pbs.corp / ldap2.pbs.corp zbudowane powyżej.

https://www.reddit.com/r/sysadmin/comments/46c1im/issue_configuring_haproxy_frontend_to_active/

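global
  log           /dev/log local6
  pidfile       /var/run/haproxy.pid
  chroot        /var/lib/haproxy
  maxconn       8192
  user          haproxy
  group         haproxy
  daemon
  # "level admin" lets anyone who can open the socket disable/enable servers;
  # keep it root:haproxy with mode 660 as here and do not widen it.
  stats socket /var/lib/haproxy/stats.socket mode 660 level admin
  # Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  # Default ciphers to use on SSL-enabled listening sockets.
  # For more information, see ciphers(1SSL). This list is from:
  #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  # These three lines were commented out ("####") in the original. Without them
  # the "bind ... ssl" frontend below negotiates whatever the OpenSSL build
  # allows by default, which may still include SSLv3 and weak suites; set them
  # explicitly. (3DES is kept for old clients; drop the *3DES entries if none
  # need it.)
  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3
  tune.ssl.default-dh-param 2048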
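# LDAP and LDAP/STARTTLS
# Plain TCP proxying of port 389. Anything on this port is cleartext unless the
# client negotiates STARTTLS itself (which passes through untouched). If the
# clients can all use 636, consider not exposing 389 on the VIP at all.
frontend ldap_service_front
  mode                  tcp
  log                   global
  bind                  ldap.company.com:389
  description           LDAP Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  # Idle timeout on the client side. 5 s is very aggressive for LDAP clients
  # that keep a connection open between queries (nslcd, mail servers); raise
  # it (minutes) if such clients are seen reconnecting constantly.
  timeout client        5s
  default_backend       ldap_service_back

# (the "backend" keyword was fused onto the previous line in the original page)
backend ldap_service_back
  # fall 1 / rise 1 flips a server on a single failed or passed check; 2-3 is
  # usual to avoid flapping on one lost packet.
  server                ldap-1 ad-dc01.company.com:389 check fall 1 rise 1 inter 2s
  server                ldap-2 ad-dc02.company.com:389 check fall 1 rise 1 inter 2s
  server                ldap-3 ad-dc03.company.com:389 check fall 1 rise 1 inter 2s
  mode                  tcp
  balance               leastconn
  # See "timeout client" above - same caveat for persistent connections.
  timeout server        2s
  timeout connect       1s
  option                tcpka
  # https://www.mail-archive.com/haproxy@formilux.org/msg17371.html
  # Health check = anonymous simple bind + unbind. The backend must permit
  # anonymous binds (AD does; an OpenLDAP server with "olcDisallows: bind_anon"
  # would fail the check and be marked down).
  option                tcp-check
  tcp-check             connect port 389
  tcp-check             send-binary 300c0201            # LDAP bind request "" simple
  tcp-check             send-binary 01                  # message ID
  tcp-check             send-binary 6007                # protocol Op
  tcp-check             send-binary 0201                # bind request
  tcp-check             send-binary 03                  # LDAP v3
  tcp-check             send-binary 04008000            # name, simple authentication
  tcp-check             expect binary 0a0100            # bind response + result code: success
  tcp-check             send-binary 30050201034200      # unbind request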
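# LDAPS
# TLS is terminated on the proxy (bind ... ssl crt) and re-established to the
# backends (server ... ssl). The PEM must contain the private key plus the full
# certificate chain; keep it 0600 root-owned under /etc/ssl/private.
frontend ldapS_service_front
  mode                  tcp
  log                   global
  bind                  ldap.company.com:636 ssl crt /etc/ssl/private/ldap_company_com.PEM
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  # Very short for persistent LDAP connections - see the 389 frontend.
  timeout client        5s
  default_backend       ldaps_service_back

# (the "backend" keyword was fused onto the previous line in the original page)
backend ldaps_service_back
  # "ssl" was missing from the server lines in the original: with TLS already
  # terminated on the frontend, decrypted LDAP was forwarded to a TLS-only port
  # and could never work. The duplicated "check" keyword was dropped.
  # NOTE(review): "verify none" accepts any certificate from the backend, so a
  # host between the proxy and the directory servers can impersonate them and
  # collect every bind password. Replace it with
  #   verify required ca-file <issuing-CA.pem> verifyhost <backend fqdn>
  # (ca-file is resolved relative to ca-base). Alternatively, drop "ssl crt"
  # from the bind above and pass TLS through end-to-end without terminating.
  server                ldapS-1 ad-dc01.company.com:636 ssl verify none check check-ssl fall 1 rise 1 inter 2s
  server                ldapS-2 ad-dc02.company.com:636 ssl verify none check check-ssl fall 1 rise 1 inter 2s
  server                ldapS-3 ad-dc03.company.com:636 ssl verify none check check-ssl fall 1 rise 1 inter 2s
  mode                  tcp
  balance               leastconn
  timeout server        2s
  timeout connect       1s
  option                tcpka
  # Health check: anonymous simple bind over TLS, then unbind (same caveat about
  # anonymous binds as the 389 backend).
  option                tcp-check
  tcp-check             connect port 636 ssl
  tcp-check             send-binary 300c0201            # LDAP bind request "" simple
  tcp-check             send-binary 01                  # message ID
  tcp-check             send-binary 6007                # protocol Op
  tcp-check             send-binary 0201                # bind request
  tcp-check             send-binary 03                  # LDAP v3
  tcp-check             send-binary 04008000            # name, simple authentication
  tcp-check             expect binary 0a0100            # bind response + result code: success
  tcp-check             send-binary 30050201034200      # unbind request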