Most identity servers that must handle shitloads of accounts (OAuth, PAM, SMTP, the cloud, OpenID ...) have an LDAP backend underneath.
It's a nifty specialized database and an infuriating network protocol with a Lot Of Insane Parentheses without being LISP.
I love non-standard databases: time-oriented databases (graphite, rrdtool), distributed high-performance object-oriented databases (HDF5), postgres ...
All databases deserve love and attention, because they often sit at the top of the hill thanks to the extreme specialization of their implementation.
The LDAP model is a tree. It's a database specialized for rooted trees. Basically a HUGE tree with STRONGLY TYPED IMMUTABLE VALUES!
Hence the horror of OID naming with an IANA registry. It IS massively bureaucratic because of this, so people are scared to go through the process of creating new objects even though they would be welcome (especially for a DNS entry model).
Tree-oriented databases beat relational databases by a huge margin when it comes to reading a value from the datastore. But they ARE SLOW at insertion and modification. That's the tradeoff to pay. So, very often, the tools a sysadmin uses (postgresql, postfix, mysql, PAM, samba, django ...) offer to interface not only with LDAP but also with a relational database («slower» at reading, but fast at modification), which is more often used by middle-sized organizations (up to ~thousands of accounts).
I am like the Ferrari lover of exotic databases, hence I would like EVERYONE to convert to LDAP.
However ... the DOC for bootstrapping openLDAP is not a howto explaining you WHY you do things, but a series of examples thrown at your face that hardly enable you to begin having something useful.
Read it here yourself.
So you resort to some of the best documentation sites for sysadmins (even for BSD admins, because they cover the service): you will notice that both these documentations and the discussions around the wiki pages first complain about how tough it is to get the bootstrapping right, and then stick to the original documentation.
I know there are other «free» alternatives, but something itches me about their mother organization (I'm especially looking at you, Red Hat, and your love for vendor lock-in).
openLDAP is, to say the least, poorly documented. And bootstrapping is a hell.
So, since I found NO INTEREST in a documentation made of "do this, do that, don't try to understand: it is MAGIIICC", I decided to put the docs in a script, which you can find here, so that I can begin a tutorial on LDAP without having to dirty my hands in the magic.
#!/bin/sh
# Bootstrap a standalone, unprivileged slapd with a cn=config database
# stored in directory "$1" (relative to the current directory).
# Usage: PORT=6666 IP=127.0.0.1 PASSWD=secret ./bootstrap.sh <dbdir>
PORT=${PORT:-6666}
IP=${IP:-127.0.0.1}
PASSWD=${PASSWD:-secret}
BASEDN="dc=home"

# No target directory given: show the embedded POD (or the header) and bail out.
[ -z "$1" ] && {
    perldoc "$0" || head -n 56 "$0"
    exit 1
}

echo "F*ck, apparmor prevents standalone slapd, please install apparmor-utils"
doas aa-disable slapd

# Stop any instance already running out of "$1" (there is no pid file on the first run).
kill "$(cat "$(pwd)/$1/slapd.pid" 2>/dev/null)" 2>/dev/null
echo "last chance to hit ctrl + C before destroying \"$1\""
read -r a
rm -rf "$1"
[ -d "$1" ] || mkdir "$1"
chmod 700 "$1"

# cn=config in LDIF form. The heredoc delimiter is unquoted, so the
# backticks and $variables are expanded by the shell before slapadd sees them.
cat << CONFIG > "`pwd`/initial.ldif"
dn: cn=config
objectClass: olcGlobal
olcArgsFile: `pwd`/$1/slapd.args
olcPidFile: `pwd`/$1/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/ldap/schema/core.ldif

# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/ldap/schema/cosine.ldif

# Check RFC2307bis for nested groups and an auxiliary posixGroup objectClass (way easier)
include: file:///etc/ldap/schema/nis.ldif

# RFC2798: Internet Organizational Person
include: file:///etc/ldap/schema/inetorgperson.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap/
olcModuleLoad: back_mdb.so

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: $BASEDN
olcRootDN: cn=root,$BASEDN
olcRootPW: `slappasswd -h {SHA} -s $PASSWD`
olcDbDirectory: `pwd`/$1
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq
# The local root user gets "manage" through SASL EXTERNAL / peercred; that only
# works over an ldapi:// (unix socket) listener, which the -h below does not open.
# Everyone else falls through ("break") to whatever olcAccess rules follow this one.
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
CONFIG

# Load the config database (-n 0) into "$1", then start slapd on it as the current user.
/usr/sbin/slapadd -d 1 -n 0 -F "$1" -l "`pwd`/initial.ldif"
echo "$USER"
/usr/sbin/slapd -u "$USER" -F "$1" -h "ldap://$IP:$PORT"
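As an added example (not part of the original post or of the script above), here is a small Python checker that parses a cn=config LDIF like the one the script writes to initial.ldif and flags the settings a defender should revisit before pointing anything at the server: an unsalted {SHA} rootpw, a peercred ACL with no ldapi:// listener to honour it, and an access rule that ends in "by * break". The SAMPLE_LDIF and its paths are constructed for the example.

```python
"""Lint a cn=config LDIF like the script's initial.ldif. SAMPLE_LDIF is constructed (hypothetical paths)."""

SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal

dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=home
olcRootDN: cn=root,dc=home
olcRootPW: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
olcDbDirectory: /srv/ldap/db1
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
"""

def parse_ldif(text):
    """Return [(dn, {lowercased attr: [values]})]; skips '#' comments, unfolds lines, splits on blanks."""
    records, cur = [], []
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.startswith(" ") and cur:        # folded continuation line: leading space dropped
            cur[-1] += line[1:]
        elif line.strip():
            cur.append(line)
        elif cur:                               # blank line ends the record
            attrs = {}
            for item in cur:
                key, _, val = item.partition(":")
                attrs.setdefault(key.strip().lower(), []).append(val.strip())
            records.append((attrs.pop("dn")[0], attrs))
            cur = []
    return records

def lint_config(text, listen_urls):
    """Findings a defender should clear: unsalted rootpw, peercred ACL without ldapi://, trailing break."""
    findings = []
    has_ldapi = any(u.startswith("ldapi://") for u in listen_urls)
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("olcrootpw", []):
            scheme = pw[:pw.find("}") + 1] or "cleartext"
            if scheme != "{SSHA}":              # {SHA} is unsalted SHA-1, cleartext is worse
                findings.append(f"{dn}: olcRootPW uses {scheme}, not a salted scheme")
        for acl in attrs.get("olcaccess", []):
            if "cn=peercred,cn=external,cn=auth" in acl and not has_ldapi:
                findings.append(f"{dn}: peercred ACL needs an ldapi:// listener")
            if acl.rstrip().endswith("by * break"):
                findings.append(f"{dn}: ACL ends in 'by * break', later rules decide everyone else")
    return findings
```

Run lint_config on the generated initial.ldif with the URL list you pass to slapd -h; with the script's defaults (ldap:// only, {SHA} rootpw) it reports all three findings.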