LDAP Dokumentace: Comparison of versions
Řádek 1: | Řádek 1: | ||
Pouziti HKFree LDAPu pro autentizaci je vcelku jednoduche. | Pouziti HKFree LDAPu pro autentizaci je vcelku jednoduche. | ||
− | * Uzivatele maji login ve formatu | + | * Uzivatele maji login ve formatu XXX, kde XXX je jejich uid |
* Heslo je heslo v userdb | * Heslo je heslo v userdb | ||
* Synchronizace probiha jednou za den z userdb (vse mimo hesla) | * Synchronizace probiha jednou za den z userdb (vse mimo hesla) | ||
Řádek 20: | Řádek 20: | ||
Jednoduchy test, jestli vse chodi je napriklad: | Jednoduchy test, jestli vse chodi je napriklad: | ||
<pre> | <pre> | ||
− | ldapsearch -U | + | ldapsearch -U MOJE_ID -ZZ -h ldap.hkfree.org |
</pre> | </pre> | ||
− | update | + | update 28.10.2009: |
− | ldapwhoami - | + | ldapwhoami -U13 -w $heslo -ZZ |
SASL/DIGEST-MD5 authentication started | SASL/DIGEST-MD5 authentication started | ||
− | SASL username: | + | SASL username: 13 |
SASL SSF: 128 | SASL SSF: 128 | ||
SASL data security layer installed. | SASL data security layer installed. | ||
− | dn:uid= | + | dn:uid=13,ou=people,dc=hkfree,dc=org |
− | ldapwhoami -x -D"uid= | + | ldapwhoami -x -D"uid=13,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ |
− | dn:uid= | + | dn:uid=13,ou=People,dc=hkfree,dc=org |
Zmena hesla se da provest pomoci: | Zmena hesla se da provest pomoci: | ||
<pre> | <pre> | ||
− | ldappasswd -U | + | ldappasswd -U MOJE_ID -ZZ -h ldap.hkfree.org -S |
</pre> | </pre> | ||
atd. | atd. | ||
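Review bot: the ldapwhoami examples added under the 28.10.2009 update pass the password on the command line with `-w $heslo`, where it is visible in `ps` output and in the shell history; `-W` (prompt) or `-y <file>` avoids that. Unlike the ldapsearch and ldappasswd examples, this block is also not wrapped in `<pre>`, so the commands and their SASL output render as one run-on line.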
Řádek 104: | Řádek 104: | ||
tls.negotiate(); | tls.negotiate(); | ||
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); | ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); | ||
− | ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid= | + | ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid=" + uid + ",ou=People,dc=hkfree,dc=org"); |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); | ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); | ||
− | Attributes dummyOperationData = ctx.getAttributes("uid= | + | Attributes dummyOperationData = ctx.getAttributes("uid=" + uid + ",ou=People,dc=hkfree,dc=org"); |
//System.out.println(dummyOperationData); | //System.out.println(dummyOperationData); | ||
tls.close(); | tls.close(); |
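Review bot: the DN string `"uid=" + uid + ",ou=People,dc=hkfree,dc=org"` is now duplicated in the SECURITY_PRINCIPAL and getAttributes calls; build it once into a local and reuse it so the two cannot drift apart, and add a comment that the getAttributes call is what actually performs the bind (JNDI applies credentials set via addToEnvironment on the next operation). An empty password should be rejected before the credentials are set, since JNDI treats an empty SECURITY_CREDENTIALS as an anonymous bind. Also, `tls.close()` is not reached when getAttributes throws, so it belongs in a finally block.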
Version of 28. 11. 2009, 11:29
Using the HKFree LDAP for authentication is quite simple.
- Users have a login of the form XXX, where XXX is their uid
- The password is the password in userdb
- Synchronisation runs once a day from userdb (everything except passwords)
- the base is dc=hkfree,dc=org
BASH
You need to install ldap-utils (at least on Debian). The other thing needed is to add the following to /etc/ldap/ldap.conf:
<pre>
BASE        dc=hkfree,dc=org
URI         ldap://ldap.hkfree.org
# the CA certificate installed in the next step (the name must match that file)
TLS_CACERT  /etc/ssl/certs/hkfree.crt
TLS_REQCERT try
</pre>
Now download https://igw.hkfree.org/download/CA/hkfree.crt into the directory /etc/ssl/certs/ and install (if needed) the packages openssl and libsasl2-modules.
A simple test that everything works is, for example:
<pre>
ldapsearch -U MOJE_ID -ZZ -h ldap.hkfree.org
</pre>
update 28.10.2009:
<pre>
ldapwhoami -U13 -w $heslo -ZZ
SASL/DIGEST-MD5 authentication started
SASL username: 13
SASL SSF: 128
SASL data security layer installed.
dn:uid=13,ou=people,dc=hkfree,dc=org
ldapwhoami -x -D"uid=13,ou=People,dc=hkfree,dc=org" -w $heslo -ZZ
dn:uid=13,ou=People,dc=hkfree,dc=org
</pre>
The password can be changed with:
<pre>
ldappasswd -U MOJE_ID -ZZ -h ldap.hkfree.org -S
</pre>
etc.
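Added example, not from the HKFree wiki: a POSIX sh wrapper around ldapwhoami that validates the uid before building the DN, refuses an empty password, reads the password from a temporary file with -y instead of passing it as -w on the command line, and insists on STARTTLS. It assumes ldap-utils and the ldap.conf above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the HKFree wiki: wrapper around ldapwhoami that
# keeps the password out of argv/shell history and checks the result.
# Assumes ldap-utils is installed and /etc/ldap/ldap.conf is set up as
# above (URI, TLS_CACERT). Names below are my own.

HKFREE_BASE="ou=People,dc=hkfree,dc=org"
LDAPWHOAMI="${LDAPWHOAMI:-ldapwhoami}"   # command to run; overridable for tests

# hkfree_dn UID -> prints the bind DN. HKFree logins are numeric uids, so
# anything else is rejected; this keeps ',' '=' and friends out of the DN
# without needing RFC 4514 escaping.
hkfree_dn() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$HKFREE_BASE"
}

# hkfree_auth UID PASSWORD -> returns 0 only if the server accepted the bind
hkfree_auth() {
    dn=$(hkfree_dn "$1") || return 1
    # An empty password would be an unauthenticated bind, never a login.
    [ -n "$2" ] || return 1
    # The password goes into a 0600 temp file read with -y, not into -w,
    # so it does not show up in ps output or in the shell history.
    pwfile=$(umask 077 && mktemp) || return 1
    printf '%s' "$2" > "$pwfile"
    # -ZZ makes STARTTLS mandatory: no TLS, no bind attempt at all.
    if out=$("$LDAPWHOAMI" -x -D "$dn" -y "$pwfile" -ZZ 2>/dev/null); then
        ok=1
    else
        ok=0
    fi
    rm -f "$pwfile"
    [ "$ok" -eq 1 ] || return 1
    # The server must echo back the DN we bound as (case-insensitive: the
    # server reports ou=people, the examples above use ou=People).
    printf '%s\n' "$out" | grep -qi "^dn:$dn\$"
}

# Usage: hkfree_auth 13 "$heslo" && echo "login ok" || echo "login failed"
```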
Apache configuration
- mod_authnz_ldap and ldap must be enabled (in apache2.x)
- SSL must be set up correctly (the hkfree root certificate imported), as must ldap.conf
- for a given Directory/Location the authentication can be used like this:
<pre>
AuthType basic
AuthBasicProvider ldap
# STARTTLS: upgrade the connection to TLS before the user's password is sent to the server
AuthLDAPURL "ldap://ldap.hkfree.org/ou=People,dc=hkfree,dc=org" STARTTLS
AuthName "VPN"
AuthLDAPRemoteUserIsDN off
require valid-user
AuthzLDAPAuthoritative off
</pre>
PERL
<pre>
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

my $ldapserver = "ldap://ldap.hkfree.org";
my $password   = "heslo";
my $user       = "uzivatel";
my $dn         = "dc=hkfree,dc=org";

# onerror => 'die': any failed operation, including the bind, throws
my $ldap = Net::LDAP->new($ldapserver, onerror => 'die');

# The option is the bare word "verify" (the original used the undeclared
# variable "$verify"). Net::LDAP does not read ldap.conf, so the CA
# certificate installed above has to be given here explicitly.
$ldap->start_tls(
    verify => 'require',
    cafile => '/etc/ssl/certs/hkfree.crt',
);

# ANONYMOUS removed from the mechanism list: if neither CRAM-MD5 nor PLAIN
# were negotiated, the client would pick ANONYMOUS and the bind would
# "succeed" without the password ever being checked.
my $sasl = Authen::SASL->new(
    mechanism => 'CRAM-MD5 PLAIN',
    callback  => {
        pass => $password,
        user => $user,
    },
);

my $mesg = $ldap->bind($dn, sasl => $sasl, version => 3);
</pre>
Java
<pre>
import java.util.*;
import java.util.logging.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class Main {

    public static boolean authenticate(int uid, String password) {
        // JNDI turns an empty or null password into an anonymous bind,
        // which the server may accept; never let that count as a login.
        if (password == null || password.isEmpty()) {
            return false;
        }
        // uid is an int, so no DN escaping is needed here
        String dn = "uid=" + uid + ",ou=People,dc=hkfree,dc=org";
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.hkfree.org");
        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            // connect without credentials first, then upgrade to TLS ...
            ctx = new InitialLdapContext(env, null);
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();
            // ... and only then set the simple-bind credentials, so the
            // password never crosses the wire in the clear
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            // the new credentials are applied on the next operation, so this
            // otherwise unused lookup is what actually performs the bind
            Attributes dummyOperationData = ctx.getAttributes(dn);
            //System.out.println(dummyOperationData);
            return true;
        } catch (Exception ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
            return false;
        } finally {
            // close the TLS layer and the context on both paths
            try {
                if (tls != null) tls.close();
                if (ctx != null) ctx.close();
            } catch (Exception ignored) {
            }
        }
    }

    public static void main(String[] args) {
        int uid = 1980;
        String password = "xxx";
        boolean ok = authenticate(uid, password);
        System.out.println(ok);
    }
}
</pre>
PHP
Documentation
http://linuxwiki.riverworth.com/index.php?title=LDAP_Authentication