LDIF to create Active Directory users and groups in OpenLDAP?

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.

The documentation says that I need to log in to the domain controller as an administrator, open the user management window, click on the appropriate organizational unit and add user IDs to the appropriate groups (these groups must have the scope "Global" and the type of the group "Security").

I need to create equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I do not know the class and attributes that I should use, and I do not have access to the domain controller. The most problematic elements appear to be the group type and scope because they appear to be binary values, not strings.

Note that I do not want to completely replace Active Directory - I just need user and group identifiers. I tried adding microsoft.schema to OpenLDAP, but it does not work. I found some schema change information for Microsoft Outlook; I need something similar, but simpler.

2 answers

It is almost impossible to convert the entire Active Directory schema to OpenLDAP; it is huge. However, we can add only the necessary attributes and classes:

    # groupType: INTEGER syntax, one value per group
    attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
        SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )

    # memberOf: IA5 String syntax, may hold several group DNs
    attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
        SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )

    # user: an organizationalPerson that may carry a password and memberOf
    objectclass ( 1.2.840.113556.1.5.9 NAME 'user' DESC 'a user'
        SUP organizationalPerson STRUCTURAL
        MUST ( cn )
        MAY ( userPassword $ memberOf ) )

    # group: requires groupType and cn, optionally lists members
    objectclass ( 1.2.840.113556.1.5.8 NAME 'group' DESC 'a group of users'
        SUP top STRUCTURAL
        MUST ( groupType $ cn )
        MAY ( member ) )

Then it is easy to create an LDIF file to insert users and groups:

    dn: dc=myCompany
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    dc: myCompany
    o: LocalBranch

    dn: ou=People,dc=myCompany
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: Test database

    dn: cn=Users,dc=myCompany
    objectClass: groupOfNames
    objectClass: top
    cn: Users
    member: cn=Manager,cn=Users,dc=myCompany

    dn: cn=Manager,cn=Users,dc=myCompany
    objectClass: person
    objectClass: top
    cn: Manager
    sn: Manager
    userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

    dn: cn=ReadWrite,ou=People,dc=myCompany
    objectClass: group
    objectClass: top
    cn: ReadWrite
    groupType: 2147483650
    member: cn=sysconf,ou=People,dc=myCompany

    dn: cn=sysopr,ou=People,dc=myCompany
    objectClass: user
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    cn: sysopr
    sn: team
    memberOf: cn=ReadOnly,ou=People,dc=myCompany
    userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
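The question's hard requirement is that the groups be "Global" in scope and "Security" in type, and the answer above encodes that as the single integer `groupType: 2147483650`. That number is the Active Directory Group-Type bit mask: `0x00000002` (ACCOUNT_GROUP, i.e. global scope) OR'ed with `0x80000000` (SECURITY_ENABLED). The following added example (my own code, not from the answer or from any project) builds and decodes that value, emits a user plus a matching global security group in the format the answer's custom schema expects, and parses an LDIF back to flag two things a defender wants to catch before loading: a group that is not global/security, and `member`/`memberOf` references that point at entries not in the file. The latter check matters because, unlike AD, plain OpenLDAP does not maintain `memberOf` for you unless the `memberof` overlay is configured. The DNs, the password hash placeholder and the sample LDIF are constructed for illustration; DNs are compared as plain strings, which is enough for LDIF you generate yourself.

```python
"""Build, decode and sanity-check AD-style user/group LDIF (added example)."""
import base64

# groupType bit flags as documented for the AD Group-Type attribute.
GROUP_TYPE_GLOBAL = 0x00000002            # ACCOUNT_GROUP: scope "Global"
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004      # RESOURCE_GROUP: scope "Domain local"
GROUP_TYPE_UNIVERSAL = 0x00000008         # UNIVERSAL_GROUP: scope "Universal"
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # set: "Security", clear: "Distribution"

_SCOPES = {"global": GROUP_TYPE_GLOBAL,
           "domainlocal": GROUP_TYPE_DOMAIN_LOCAL,
           "universal": GROUP_TYPE_UNIVERSAL}


def group_type(scope="global", security=True):
    """Integer groupType for a scope/type pair, as the unsigned decimal
    that OpenLDAP's INTEGER syntax accepts (2147483650 for global/security)."""
    value = _SCOPES[scope]
    if security:
        value |= GROUP_TYPE_SECURITY_ENABLED
    return value


def describe_group_type(value):
    """Decode a groupType integer (signed or unsigned form) into (scope, type)."""
    value &= 0xFFFFFFFF  # AD shows the signed 32-bit form, e.g. -2147483646
    scope = next((name for name, bit in _SCOPES.items() if value & bit), "unknown")
    kind = "security" if value & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scope, kind


def user_and_group_ldif(base_dn, uid, group_cn, password_hash):
    """Emit a global security group and a user that lists it in memberOf,
    using the 'user' and 'group' classes from the custom schema above.
    Attribute names and DN layout are assumptions for this example."""
    user_dn = f"cn={uid},ou=People,{base_dn}"
    group_dn = f"cn={group_cn},ou=People,{base_dn}"
    pw = base64.b64encode(password_hash.encode()).decode()  # '::' = base64 value
    return "\n".join([
        f"dn: {group_dn}", "objectClass: group", "objectClass: top",
        f"cn: {group_cn}", f"groupType: {group_type('global', security=True)}",
        f"member: {user_dn}", "",
        f"dn: {user_dn}", "objectClass: user", "objectClass: organizationalPerson",
        "objectClass: person", "objectClass: top", f"cn: {uid}", f"sn: {uid}",
        f"memberOf: {group_dn}", f"userPassword:: {pw}", "",
    ])


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}. Handles '#' comments,
    '::' base64 values and continuation lines that begin with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold wrapped line
        else:
            lines.append(raw)
    entries, current, current_dn = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current_dn] = current
                current = None
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if attr.lower() == "dn":
            current_dn, current = value, {}
        else:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def check_groups(entries):
    """Return human-readable problems: non-global/security groups and
    member/memberOf references that do not resolve within the LDIF."""
    problems = []
    for dn, attrs in entries.items():
        if "group" in {c.lower() for c in attrs.get("objectclass", [])}:
            for raw in attrs.get("grouptype", []):
                scope, kind = describe_group_type(int(raw))
                if (scope, kind) != ("global", "security"):
                    problems.append(f"{dn}: groupType {raw} is {scope}/{kind}, not global/security")
            for member in attrs.get("member", []):
                if member not in entries:
                    problems.append(f"{dn}: member {member} not in LDIF")
        for group in attrs.get("memberof", []):
            if group not in entries:
                problems.append(f"{dn}: memberOf {group} not in LDIF")
            elif dn not in entries[group].get("member", []):
                problems.append(f"{dn}: memberOf {group} but that group has no matching member")
    return problems


# Constructed sample modelled on the answer above; both references dangle.
SAMPLE_LDIF = """\
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany

dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
"""

if __name__ == "__main__":
    print(describe_group_type(2147483650))          # ('global', 'security')
    for problem in check_groups(parse_ldif(SAMPLE_LDIF)):
        print("WARN", problem)
    print(user_and_group_ldif("dc=myCompany", "sysopr", "ReadWrite", "{SHA}<hash-placeholder>"))
```

Running the sample through `check_groups` reports that `cn=sysconf` and `cn=ReadOnly` are referenced but never defined, which is exactly the kind of inconsistency that silently breaks an application that trusts `memberOf` the way it trusts AD.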

Ok, here is the beginning of the answer:

Once you have installed OpenLDAP:

A - edit your slapd.conf to:

1) Change the included schemas

    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema

2) Modify schema files as described in this FAQ

3) Change your naming context (I personally use HDB as a backend)

    database  hdb
    suffix    "dc=dom,dc=com"
    rootdn    "cn=Manager,dc=dom,dc=com"
    rootpw    secret
    directory /usr/local/var/openldap-hdb

4) Then restart the directory

B - Insert your root

Here is the LDIF file (root.ldif)

    dn: dc=dom,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Company name
    dc: dom

Here is the command line

    ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f root.ldif

C - Insert User

Here is the LDIF file (user.ldif)

    dn: cn=user1,dc=dom,dc=com
    objectClass: inetOrgPerson
    sn: users
    cn: user1
    telephoneNumber: 9999

Here is the command line

    ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f user.ldif

D - tip

Apache Directory Studio is, for me, a VERY good LDAP browser: it is open source and runs on top of Java on Linux and Windows. Using it, you can graphically view AD and OpenLDAP and simply click through parts B and C.


The Active Directory schema (classes and attributes) is documented in MSDN. For example, here is the information about groupType. Is that what you expect?


Source: https://habr.com/ru/post/896255/
