ldap, ufw, acl
valentinsiryk committed Mar 6, 2017
1 parent 257b731 commit 0711f47
Showing 3 changed files with 261 additions and 24 deletions.
217 changes: 217 additions & 0 deletions OpenLDAP/index.txt
Expand Up @@ -7,3 +7,220 @@ OpenLDAP
:glob:

*

::

/etc/ldap/slapd.d/cn=config/cn=schema # schema location

slapcat # show content of DB object


/usr/sbin/slapcat -v -l dump.ldif # backup SLAPD database

# Install

sudo apt-get install slapd ldap-utils

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name? mydomain.com
Organization name? any name
Administrator password? password
Database backend? HDB | BDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

RESTART SLAPD (or container)

ldapsearch -D "cn=admin,dc=mycorp,dc=com" -w password -b "dc=mycorp,dc=com"

ldapsearch -H ldap://localhost:389 -D "cn=admin,dc=mycorp,dc=com" -w password -b "dc=mycorp,dc=com"


IMPORTANT DELETE ALL

ldapdelete -D cn=admin,dc=mycorp,dc=com -w password -r "dc=mycorp,dc=com"
##########



##############################################
# Создадим группу пользователей с названием «users» при помощи команды ldapmodify

ldapmodify -D "cn=admin,dc=mydomain,dc=com" -w password
dn: ou=users,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: users
description: Domain Users

Всё, начиная с «dn: » вводим руками. После ввода строки описания («description: Domain Users») нажимаем Enter два раза. Если всё введено без ошибок, вы должны увидеть такое сообщение: adding new entry "ou=Users,dc=mydomain,dc=com"

# Нажимаем Ctrl+C для выхода

ldapadd -D cn=admin,dc=mycorp,dc=com -w password -f addgroup.ldif

##################################################



# Create user

slappasswd # generate hash pass

ldapmodify -D "cn=admin,dc=mydomain,dc=com" -w password
or
nano adduser.ldif

dn: uid=jdoe,cn=John Doe,ou=users,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
ou: users
uid: jdoe
givenName: John
sn: Doe
userPassword: {SSHA}hsxkIVICZSSQsUOQf4xWZutr0t44HSFP

ldapmodify -D "cn=admin,dc=mycorp,dc=com" -w password -f adduser.ldif
######################################################################

# Modify ldif-file:
dn: cn=John Doe,ou=users,dc=mycorp,dc=com
changetype: modify
add: userPassword
userPassword: {SSHA}hsxkIlskflksfOQf4xWZutr0t44HSFP

######################################################################


############
# Commands #
############
::

ldapsearch -D "cn=admin,dc=mydomain,dc=com"
-w <pass> # bind password (for simple authentication)
-W # prompt for bind password



-a deref one of never (default), always, search, or find
-A retrieve attribute names only (no values)
-b basedn base dn for search
-c continuous operation mode (do not stop on errors)
-E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
[!]domainScope (domain scope)
!dontUseCopy (Don't Use Copy)
[!]mv=<filter> (RFC 3876 matched values filter)
[!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
[!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
(RFC 2891 server side sorting)
[!]subentries[=true|false] (RFC 3672 subentries)
[!]sync=ro[/<cookie>] (RFC 4533 LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (refreshAndPersist)
[!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
(ldapv3-vlv-09 virtual list views)
[!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
[!]<oid>[=:<b64value>] (generic control; no response handling)
-f file read operations from `file'
-F prefix URL prefix for files (default: file:///tmp/)
-l limit time limit (in seconds, or "none" or "max") for search
-L print responses in LDIFv1 format
-LL print responses in LDIF format without comments
-LLL print responses in LDIF format without comments
and version
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-s scope one of base, one, sub or children (search scope)
-S attr sort the results by attribute `attr'
-t write binary values to files in temporary directory
-tt write all values to files in temporary directory
-T path write files to directory specified by path (default: /tmp)
-u include User Friendly entry names in the output
-z limit size limit (in entries, or "none" or "max") for search
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
[!]sessiontracking
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)

-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)



Backup data
-----------

**backup.sh**::

#!/bin/sh

LDAPBK=ldap_$( date +%H-%M_%d-%m-%Y ).ldif
BACKUPDIR=/var/backups

/usr/sbin/slapcat -v -l $BACKUPDIR/$LDAPBK

gzip -9 $BACKUPDIR/$LDAPBK


Restore data
------------

1. stop slapd daemon::

/etc/init.d/slapd stop

2. delete old database (make sure you are in right directory to use rm)::

cd /var/lib/ldap
rm -rf *

3. Restore database from LDIF file::

/usr/sbin/slapadd -l backup.ldif

4. run slapd daemon::

/etc/init.d/slapd start


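Review bot: the user entry's DN in the adduser.ldif block, `dn: uid=jdoe,cn=John Doe,ou=users,dc=mydomain,dc=com`, places the entry under a parent `cn=John Doe,ou=users,...` that nothing in this file creates, so the add fails with a no-such-object error, and the later modify block then targets a different DN (`cn=John Doe,ou=users,dc=mycorp,dc=com`); use a single RDN directly under the OU, e.g. `dn: uid=jdoe,ou=users,dc=mydomain,dc=com`, and the same DN in the modify. Related: that modify uses `add: userPassword` on an entry that already has one, which leaves both hashes valid for binding; a password change should be `replace: userPassword`. The ldapsearch, ldapmodify and ldapdelete invocations bind with `-D ... -w password` but omit `-x`, so the tools attempt a SASL bind rather than the simple bind the DN implies; add `-x`, and prefer `-W` or `-y file` (both listed in the option list in this file) to putting the admin password on the command line where it ends up in shell history. The base DN alternates between dc=mydomain and dc=mycorp; pick one. In the restore steps, `cd /var/lib/ldap` followed by `rm -rf *` wipes whatever the current directory is if the cd fails, so write `cd /var/lib/ldap || exit 1`; that rm also deletes DB_CONFIG for the HDB/BDB backend chosen in the install section, and slapadd run as root leaves database files the slapd service user cannot open, so restore ownership (on Debian/Ubuntu, `chown -R openldap:openldap /var/lib/ldap`) before starting slapd. Finally, backup.sh writes a dump containing every userPassword hash into /var/backups under the default umask; add `umask 077` at the top of the script.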
5 changes: 5 additions & 0 deletions acl.txt
@@ -0,0 +1,5 @@
===
ACL
===

- https://wiki.archlinux.org/index.php/Access_Control_Lists_(Русский)
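Review bot: the only content of the new acl.txt is a link to the Russian-language version of the Arch wiki page (the `(Русский)` suffix in the URL); for an English-language note the base page `https://wiki.archlinux.org/index.php/Access_Control_Lists` is the canonical one, and a one-line summary of what the page covers would make the file useful without following the link.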
63 changes: 39 additions & 24 deletions ufw.txt
Expand Up @@ -2,34 +2,49 @@
ufw
===

Oct 20 11:02:27 bbb kernel: [ 7980.724380] [UFW BLOCK]
IN=eth1 OUT=

# MAC |server (2x6) |client (2x6) |
MAC= 00:1e:8c:7b:cf:ca:fc:75:16:56:e4:78:08:00
Main commands::

# client
SRC=192.168.35.67
# show apps available profiles
sudo ufw app list

# allow available profile
sudo ufw allow OpenSSH

# server
DST=192.168.35.10
sudo ufw enable
sudo ufw status

LEN=60
TOS=0x00
PREC=0x00
TTL=64
ID=61984
DF

# тип протокола TCP/UDP
PROTO=TCP
Log analysis::

SPT=37252
Oct 20 11:02:27 bbb kernel: [ 7980.724380] [UFW BLOCK]
IN=eth1 OUT=

# PORT
DPT=80

WINDOW=29200
RES=0x00
SYN
URGP=0
# MAC |server (2x6) |client (2x6) |
MAC= 00:1e:8c:7b:cf:ca:fc:75:16:56:e4:78:08:00

# client
SRC=192.168.35.67

# server
DST=192.168.35.10

LEN=60
TOS=0x00
PREC=0x00
TTL=64
ID=61984
DF

# type of protocol TCP/UDP
PROTO=TCP

SPT=37252

# PORT
DPT=80

WINDOW=29200
RES=0x00
SYN
URGP=0

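Review bot: in the log-analysis section the comment `# MAC |server (2x6) |client (2x6) |` does not account for the trailing `08:00`: the netfilter MAC field is destination MAC (first six bytes), source MAC (next six), then the EtherType, and 08:00 is IPv4; because this packet came in on eth1 with DST= the server, "server" and "client" happen to be right here, but labelling it `dst MAC | src MAC | ethertype` stays correct for outbound lines as well. Likewise `SPT=37252` has no comment and `DPT=80` is only `# PORT`; annotate them as source port and destination port. In the Main commands block, `sudo ufw allow OpenSSH` before `sudo ufw enable` is the safe order; a short note saying why (enable applies the default deny-incoming policy, so an SSH session is cut off if the rule is not in place first) would keep a reader from reordering it, and `sudo ufw status verbose` would also show that default policy and the logging level that produces the `[UFW BLOCK]` lines analysed below.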
0 comments on commit 0711f47
