LDAP Dokumentace: Porovnání verzí
m Značka: editace z Vizuálního editoru |
|||
(Není zobrazeno 18 mezilehlých verzí od 8 dalších uživatelů.) | |||
Řádek 1: | Řádek 1: | ||
− | Pouziti HKFree LDAPu pro autentizaci je vcelku jednoduche | + | '''PROSÍM toto NEPOUŽÍVAT. Používejte SSO, když ho máme v síti rozjeté a plně funkční viz jak ho nainstalovat zde: https://confluence.hkfree.org/x/iwDAAQ je to fakt jednoduché.''' |
+ | |||
+ | Pouziti HKFree LDAPu pro autentizaci je vcelku jednoduche. | ||
+ | * Uzivatele maji login ve formatu XXX, kde XXX je jejich uid | ||
+ | * Heslo je heslo v userdb | ||
+ | * Synchronizace probiha jednou za den z userdb (vse mimo hesla) | ||
+ | * base je dc=hkfree,dc=org | ||
==BASH== | ==BASH== | ||
Je treba nainstalovat (aspon v debianu) ldap-utils. Dalsi potrebna vec je pridat do /etc/ldap/ldap.conf toto: | Je treba nainstalovat (aspon v debianu) ldap-utils. Dalsi potrebna vec je pridat do /etc/ldap/ldap.conf toto: | ||
− | + | <pre> | |
BASE dc=hkfree,dc=org | BASE dc=hkfree,dc=org | ||
URI ldap://ldap.hkfree.org | URI ldap://ldap.hkfree.org | ||
Řádek 10: | Řádek 16: | ||
TLS_CACERT /etc/ssl/certs/hkfree.crt | TLS_CACERT /etc/ssl/certs/hkfree.crt | ||
TLS_REQCERT try | TLS_REQCERT try | ||
+ | </pre> | ||
− | Nyni si stahnete z | + | Nyni si stahnete z https://igw.hkfree.org/download/CA/hkfree.crt do adresare /etc/ssl/certs/ a doinstalujte (v pripade potreby) balik openssl a libsasl2-modules |
Jednoduchy test, jestli vse chodi je napriklad: | Jednoduchy test, jestli vse chodi je napriklad: | ||
+ | <pre> | ||
+ | ldapsearch -U MOJE_ID -ZZ -h ldap.hkfree.org | ||
+ | </pre> | ||
+ | |||
+ | update 28.10.2009: | ||
+ | ldapwhoami -U13 -w $heslo -ZZ | ||
+ | SASL/DIGEST-MD5 authentication started | ||
+ | SASL username: 13 | ||
+ | SASL SSF: 128 | ||
+ | SASL data security layer installed. | ||
+ | dn:uid=13,ou=people,dc=hkfree,dc=org | ||
+ | |||
+ | ldapwhoami -x -D"uid=13,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ | ||
+ | dn:uid=13,ou=People,dc=hkfree,dc=org | ||
− | |||
Zmena hesla se da provest pomoci: | Zmena hesla se da provest pomoci: | ||
+ | <pre> | ||
+ | ldappasswd -U MOJE_ID -ZZ -h ldap.hkfree.org -S | ||
+ | </pre> | ||
− | + | Zjisteni roli uzivatele 13 (loguju se k LDAPu jako uzivatel 1980): | |
+ | ldapsearch -x -D"uid=1980,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ "uid=13" memberOf | ||
atd. | atd. | ||
+ | |||
+ | == Konfigurak pro Apache == | ||
+ | * je treba povolit mod_authnz_ldap a ldap (v apache2.x) | ||
+ | * je treba mit spravne nastavene SSL (importovany korenovy certifikat hkfree) a ldap.conf | ||
+ | |||
+ | * pro nejaky Directory/Location lze autentizace pouzivat takto: | ||
+ | |||
+ | AuthType basic | ||
+ | AuthBasicProvider ldap | ||
+ | AuthLDAPURL "ldap://ldap.hkfree.org/ou=People,dc=hkfree,dc=org" | ||
+ | AuthName "VPN" | ||
+ | AuthLDAPRemoteUserIsDN off | ||
+ | require valid-user | ||
+ | AuthzLDAPAuthoritative off | ||
+ | |||
+ | * pokud chci povolit napriklad pristup jen pro SO/ZSO, tak pouziju URL | ||
+ | |||
+ | AuthLDAPURL "ldap://ldap.hkfree.org/ou=People,dc=hkfree,dc=org?uid?sub?(|(memberOf=cn=ZSO,ou=roles,dc=hkfree,dc=org)(memberOf=cn=SO,ou=roles,dc=hkfree,dc=org))" | ||
+ | |||
+ | * dalsi moznost, ktera je ovsem o neco pomalejsi je hledat ve skupinach primo a neumoznuje hledat ve vice skupinach najednou je | ||
+ | |||
+ | AuthLDAPGroupAttribute member | ||
+ | AuthLDAPGroupAttributeIsDN on | ||
+ | Require ldap-group cn=SO,ou=roles,dc=hkfree,dc=org | ||
==PERL== | ==PERL== | ||
− | viz | + | viz http://ldap.perl.org |
− | + | <pre> | |
use Net::LDAP; | use Net::LDAP; | ||
use Authen::SASL; | use Authen::SASL; | ||
Řádek 50: | Řádek 98: | ||
my $mesg = $ldap->bind( $dn, sasl => $sasl, version => 3 ); | my $mesg = $ldap->bind( $dn, sasl => $sasl, version => 3 ); | ||
+ | </pre> | ||
+ | |||
+ | == Java == | ||
+ | |||
+ | <pre> | ||
+ | import java.util.*; | ||
+ | import java.util.logging.*; | ||
+ | import javax.naming.*; | ||
+ | import javax.naming.directory.*; | ||
+ | import javax.naming.ldap.*; | ||
+ | |||
+ | public class Main { | ||
+ | |||
+ | public static boolean authenticate(int uid, String password) { | ||
+ | Hashtable env = new Hashtable(); | ||
+ | env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); | ||
+ | env.put(Context.PROVIDER_URL, "ldap://ldap.hkfree.org"); | ||
+ | try { | ||
+ | LdapContext ctx = new InitialLdapContext(env, null); | ||
+ | StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); | ||
+ | tls.negotiate(); | ||
+ | ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); | ||
+ | ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid=" + uid + ",ou=People,dc=hkfree,dc=org"); | ||
+ | ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); | ||
+ | Attributes dummyOperationData = ctx.getAttributes("uid=" + uid + ",ou=People,dc=hkfree,dc=org"); | ||
+ | //System.out.println(dummyOperationData); | ||
+ | tls.close(); | ||
+ | ctx.close(); | ||
+ | return true; | ||
+ | } catch (Exception ex) { | ||
+ | Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex); | ||
+ | return false; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | public static void main(String[] args) { | ||
+ | int uid = 1980; | ||
+ | String password = "xxx"; | ||
+ | boolean ok = authenticate(uid, password); | ||
+ | System.out.println(ok); | ||
+ | } | ||
+ | } | ||
+ | </pre> | ||
+ | |||
==PHP== | ==PHP== | ||
− | viz | + | viz http://www.php.net |
+ | |||
+ | Zjisteni roli, do kterych uzivatel patri (napr. USER, SO, VV, SO-12, SO-48) | ||
+ | <pre> | ||
+ | $ldapserver = "ldap://ldap.hkfree.org"; | ||
+ | $dn = "ou=People,dc=hkfree,dc=org" ; | ||
+ | $ldapUser ="uid=$uid,$dn" ; | ||
+ | $filter = "uid=$uid"; | ||
+ | $ldapCon = ldap_connect($ldapserver) or die ("Nefunguje spojeni s ldap serverem. Prosím zkuste později"); | ||
+ | $ldapbind = ldap_bind($ldapCon, $ldapUser, $password) or header("Location: logout.php"); | ||
+ | $rec = ldap_search($ldapCon, $dn, $filter, array("memberOf")) or die ("Error ldap search"); | ||
+ | </pre> | ||
=Dokumentace= | =Dokumentace= | ||
− | + | http://linuxwiki.riverworth.com/index.php?title=LDAP_Authentication |
Aktuální verze z 27. 10. 2018, 10:56
PROSÍM toto NEPOUŽÍVAT. Používejte SSO, když ho máme v síti rozjeté a plně funkční viz jak ho nainstalovat zde: https://confluence.hkfree.org/x/iwDAAQ je to fakt jednoduché.
Pouziti HKFree LDAPu pro autentizaci je vcelku jednoduche.
- Uzivatele maji login ve formatu XXX, kde XXX je jejich uid
- Heslo je heslo v userdb
- Synchronizace probiha jednou za den z userdb (vse mimo hesla)
- base je dc=hkfree,dc=org
BASH
Je treba nainstalovat (aspon v debianu) ldap-utils. Dalsi potrebna vec je pridat do /etc/ldap/ldap.conf toto:
BASE dc=hkfree,dc=org URI ldap://ldap.hkfree.org TLS_CACERT /etc/ssl/certs/hkfree.crt TLS_REQCERT try
Nyni si stahnete z https://igw.hkfree.org/download/CA/hkfree.crt do adresare /etc/ssl/certs/ a doinstalujte (v pripade potreby) balik openssl a libsasl2-modules
Jednoduchy test, jestli vse chodi je napriklad:
ldapsearch -U MOJE_ID -ZZ -h ldap.hkfree.org
update 28.10.2009:
ldapwhoami -U13 -w $heslo -ZZ SASL/DIGEST-MD5 authentication started SASL username: 13 SASL SSF: 128 SASL data security layer installed. dn:uid=13,ou=people,dc=hkfree,dc=org ldapwhoami -x -D"uid=13,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ dn:uid=13,ou=People,dc=hkfree,dc=org
Zmena hesla se da provest pomoci:
ldappasswd -U MOJE_ID -ZZ -h ldap.hkfree.org -S
Zjisteni roli uzivatele 13 (loguju se k LDAPu jako uzivatel 1980):
ldapsearch -x -D"uid=1980,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ "uid=13" memberOf
atd.
Konfigurak pro Apache
- je treba povolit mod_authnz_ldap a ldap (v apache2.x)
- je treba mit spravne nastavene SSL (importovany korenovy certifikat hkfree) a ldap.conf
- pro nejaky Directory/Location lze autentizace pouzivat takto:
AuthType basic AuthBasicProvider ldap AuthLDAPURL "ldap://ldap.hkfree.org/ou=People,dc=hkfree,dc=org" AuthName "VPN" AuthLDAPRemoteUserIsDN off require valid-user AuthzLDAPAuthoritative off
- pokud chci povolit napriklad pristup jen pro SO/ZSO, tak pouziju URL
AuthLDAPURL "ldap://ldap.hkfree.org/ou=People,dc=hkfree,dc=org?uid?sub?(|(memberOf=cn=ZSO,ou=roles,dc=hkfree,dc=org)(memberOf=cn=SO,ou=roles,dc=hkfree,dc=org))"
- dalsi moznost, ktera je ovsem o neco pomalejsi je hledat ve skupinach primo a neumoznuje hledat ve vice skupinach najednou je
AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN on Require ldap-group cn=SO,ou=roles,dc=hkfree,dc=org
PERL
use Net::LDAP; use Authen::SASL; my $ldapserver = "ldap://ldap.hkfree.org"; my $password = "heslo"; my $user = "uzivatel"; my $dn = "dc=hkfree,dc=org"; my $ldap = Net::LDAP->new($ldapserver, onerror => 'die' ); $ldap->start_tls( $verify => 'require' ); my $sasl = Authen::SASL->new( mechanism => 'CRAM-MD5 PLAIN ANONYMOUS', callback => { pass => $password, user => $user, } ); my $mesg = $ldap->bind( $dn, sasl => $sasl, version => 3 );
Java
import java.util.*; import java.util.logging.*; import javax.naming.*; import javax.naming.directory.*; import javax.naming.ldap.*; public class Main { public static boolean authenticate(int uid, String password) { Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://ldap.hkfree.org"); try { LdapContext ctx = new InitialLdapContext(env, null); StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); tls.negotiate(); ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid=" + uid + ",ou=People,dc=hkfree,dc=org"); ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); Attributes dummyOperationData = ctx.getAttributes("uid=" + uid + ",ou=People,dc=hkfree,dc=org"); //System.out.println(dummyOperationData); tls.close(); ctx.close(); return true; } catch (Exception ex) { Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex); return false; } } public static void main(String[] args) { int uid = 1980; String password = "xxx"; boolean ok = authenticate(uid, password); System.out.println(ok); } }
PHP
Zjisteni roli, do kterych uzivatel patri (napr. USER, SO, VV, SO-12, SO-48)
$ldapserver = "ldap://ldap.hkfree.org"; $dn = "ou=People,dc=hkfree,dc=org" ; $ldapUser ="uid=$uid,$dn" ; $filter = "uid=$uid"; $ldapCon = ldap_connect($ldapserver) or die ("Nefunguje spojeni s ldap serverem. Prosím zkuste později"); $ldapbind = ldap_bind($ldapCon, $ldapUser, $password) or header("Location: logout.php"); $rec = ldap_search($ldapCon, $dn, $filter, array("memberOf")) or die ("Error ldap search");
Dokumentace
http://linuxwiki.riverworth.com/index.php?title=LDAP_Authentication