LDIF for creating Active Directory users and groups in OpenLDAP?

Posted 2024-12-02 08:03:28


I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.

The documentation says that I need to log on to the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").

I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seem to be group type and scope, because they seem to be binary values, not strings.

Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.


Answers (2)

π浅易 2024-12-09 08:03:28

It's almost impossible to convert the entire Active Directory schema to OpenLDAP; it's huge. However, we can add only the needed attributes and classes:

# Minimal subset of the AD schema. groupType, user and group carry AD's own OIDs.
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
    DESC 'AD group scope and type bitmask; 2147483650 = 0x80000002 = Global + Security'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# memberOf holds DNs, so it gets DN syntax and a DN matching rule: without an
# EQUALITY rule a filter such as (memberOf=cn=ReadWrite,...) is undefined and
# matches nothing. AD's own OID for memberOf is 1.2.840.113556.1.2.102. Do not
# load this definition together with the memberof overlay, which defines the
# same attribute name itself.
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
    DESC 'DNs of the groups this entry belongs to (maintained by hand, not by an overlay)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
        DESC 'a user'
        SUP organizationalPerson STRUCTURAL
        MUST ( cn )
        MAY ( userPassword $ memberOf ) )

objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
        DESC 'a group of users'
        SUP top STRUCTURAL
        MUST ( groupType $ cn )
        MAY ( member ) )

Then it's easy to create an LDIF file for inserting the users and groups:

dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch

dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database

dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany

dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
# {SHA} as posted is an unsalted hash; slappasswd -h {SSHA} produces a salted one.
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

# 2147483650 = 0x80000002 = GROUP_TYPE_ACCOUNT_GROUP (scope Global) | GROUP_TYPE_SECURITY_ENABLED.
# AD itself reports the same value as the signed 32-bit integer -2147483646.
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysopr,ou=People,dc=myCompany

# Nothing keeps member and memberOf in sync with this schema, so each member:
# line on a group needs the matching memberOf: line on the user.
dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadWrite,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9

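
A worked example added here (it is not part of the answer above): it encodes and decodes the groupType bitmask that the question found hardest, converts between the unsigned value written in LDIF and the signed form AD reports, and emits an LDIF fragment for the mini-schema above in which every member: line has its matching memberOf: line and userPassword is a salted {SSHA} hash. The function names, the ou=People layout and the sample users are assumptions made for the example.

```python
# Added example, not code from the original answer. Names, the ou=People layout
# and the sample users below are assumptions made for illustration.
import base64
import hashlib
import hmac
import os

# groupType flag bits as documented for the AD schema attribute.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002        # "account group": scope Global
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004  # "resource group": scope Domain local
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000      # set: security group; clear: distribution group

SCOPE_BITS = {
    "global": GROUP_TYPE_GLOBAL,
    "domainlocal": GROUP_TYPE_DOMAIN_LOCAL,
    "universal": GROUP_TYPE_UNIVERSAL,
}


def group_type(scope, security=True):
    """Unsigned groupType for a scope; Global + Security is 0x80000002 = 2147483650."""
    return SCOPE_BITS[scope] | (GROUP_TYPE_SECURITY if security else 0)


def to_signed32(value):
    """AD hands the attribute back as a signed 32-bit integer, so the same group
    reads as -2147483646; code that compares against AD's value must expect that."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & GROUP_TYPE_SECURITY else value


def decode_group_type(value):
    """Accept the signed or unsigned form; return (scope, is_security_group)."""
    bits = int(value) & 0xFFFFFFFF
    for scope, bit in SCOPE_BITS.items():
        if bits & bit:
            return scope, bool(bits & GROUP_TYPE_SECURITY)
    raise ValueError(f"no scope bit set in groupType {value}")


def ssha(password, salt=None):
    """{SSHA} in the form slappasswd emits: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a password against an {SSHA} value with a constant-time compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def ldif_line(attr, value):
    """One attribute line; ':: base64' when the value is not an RFC 2849 SAFE-STRING
    (empty, leading space, ':' or '<', non-ASCII, or control characters)."""
    unsafe = (value[:1] in ("", " ", ":", "<") or not value.isascii()
              or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def dangling_members(users, groups):
    """(group, uid) pairs where a group lists a user this LDIF will not create."""
    return [(cn, uid) for cn, (_, _, uids) in groups.items()
            for uid in uids if uid not in users]


def build_ldif(base, users, groups):
    """users: {uid: password}; groups: {cn: (scope, security, [uids])}.
    Users are emitted before the groups that list them, and each member: line gets
    the matching memberOf: line, since no overlay keeps the two in sync here."""
    bad = dangling_members(users, groups)
    if bad:
        raise ValueError(f"groups list users that are never created: {bad}")
    people = f"ou=People,{base}"
    member_of = {uid: [] for uid in users}
    for cn, (_, _, uids) in groups.items():
        for uid in uids:
            member_of[uid].append(f"cn={cn},{people}")
    out = []
    for uid, password in users.items():
        out += [ldif_line("dn", f"cn={uid},{people}"), "objectClass: top", "objectClass: person",
                "objectClass: organizationalPerson", "objectClass: user",
                ldif_line("cn", uid), ldif_line("sn", uid), ldif_line("userPassword", ssha(password))]
        out += [ldif_line("memberOf", g) for g in member_of[uid]] + [""]
    for cn, (scope, security, uids) in groups.items():
        out += [ldif_line("dn", f"cn={cn},{people}"), "objectClass: top", "objectClass: group",
                ldif_line("cn", cn), f"groupType: {group_type(scope, security)}"]
        out += [ldif_line("member", f"cn={uid},{people}") for uid in uids] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    # constructed sample: one user in one Global Security group
    print(build_ldif("dc=myCompany", {"sysopr": "change-me"},
                     {"ReadWrite": ("global", True, ["sysopr"])}))
```

Running the block prints an LDIF fragment you can pipe into ldapadd after the base and ou=People entries exist. The signed/unsigned pair matters when the web application was written against AD: a check such as `groupType == -2147483646` will never match the unsigned value stored here unless the application normalises with something like to_signed32.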
甜是你 2024-12-09 08:03:28

OK, here is the beginning of an answer:

Once you have installed OpenLDAP:

A - Edit your slapd.conf:

1) Modify the schemas included

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
# the file shipped with OpenLDAP is inetorgperson.schema (it depends on cosine.schema)
include /usr/local/etc/openldap/schema/inetorgperson.schema

2) Modify the schema files as explained in this FAQ

3) Modify your naming context (personally I'm using HDB as the backend)

database hdb
# back-hdb was removed in OpenLDAP 2.5; use "database mdb" there
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
# a plaintext rootpw works, but it then sits in clear text in this file;
# prefer the {SSHA} hash printed by: slappasswd -h {SSHA}
rootpw secret
directory /usr/local/var/openldap-hdb

4) Then restart your directory

B - Insert your root

Here is the LDIF file (root.ldif)

dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom

Here is the command line

ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f root.ldif

C - Insert a user

Here is the LDIF file (user.ldif)

dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999

Here is the command line

ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f user.ldif

D - Some advice

Apache Directory Studio is, for me, a VERY good LDAP browser; it's open source and runs on top of Java on Linux and Windows. Using it you can graphically browse AD and OpenLDAP and do parts B and C with a few clicks.


The Active Directory schema (classes and attributes) is documented on MSDN. For example, here is the information about groupType. Is it what you expect?
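
An added example (mine, not part of either answer): a pre-flight check to run over an LDIF file before handing it to ldapadd, which stops at the first failure and reports problems one at a time. It parses RFC 2849 entries, including ':: base64' values and folded lines, and flags a child entry listed before its parent (ldapadd fails on it with "No such object"), entries missing MUST attributes of the object classes used on this page, and member or memberOf values naming an entry the file never creates, which slapd accepts silently and which then breaks group lookups. check_ldif, the REQUIRED table and SAMPLE_LDIF are my own constructions.

```python
# Added example, not code from the original answers. REQUIRED and SAMPLE_LDIF are
# constructed for illustration.
import base64

# MUST attributes, lowercased because LDAP names are case-insensitive. Assumed
# minimal set for the classes used on this page; extend it for your own schema.
REQUIRED = {
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "person": {"cn", "sn"},
    "inetorgperson": {"cn", "sn"},
    "groupofnames": {"cn", "member"},
    "group": {"cn", "grouptype"},
}

# Constructed sample with three mistakes: a user listed before its ou,
# an inetOrgPerson without sn, and a member DN that is never created.
SAMPLE_LDIF = """\
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom

dn: cn=user1,ou=People,dc=dom,dc=com
objectClass: inetOrgPerson
cn: user1
telephoneNumber: 9999

dn: ou=People,dc=dom,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=ReadWrite,ou=People,dc=dom,dc=com
objectClass: group
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=dom,dc=com
member: cn=user1,ou=People,dc=dom,dc=com
"""


def split_rdns(dn):
    """Split a DN at commas that are not backslash-escaped."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def norm_dn(dn):
    """Case-fold and strip spaces around RDNs so equal DNs compare equal."""
    return ",".join(p.strip().lower() for p in split_rdns(dn))


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] in file order: unfolds continuation
    lines, decodes ':: base64' values, skips '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_ldif(text):
    """Return [(dn, kind, detail)]; kinds: missing-parent, outside-suffix,
    missing-attr, dangling. The first entry is taken to be the suffix."""
    entries = parse_ldif(text)
    if not entries:
        return [("", "empty", "no entries found")]
    suffix = norm_dn(entries[0][0])
    known = {norm_dn(dn) for dn, _ in entries}
    added, problems = set(), []
    for dn, attrs in entries:
        n = norm_dn(dn)
        parent = ",".join(split_rdns(n)[1:])
        if n != suffix:
            if not n.endswith("," + suffix):
                problems.append((dn, "outside-suffix", f"not under {suffix}"))
            elif parent not in added:
                problems.append((dn, "missing-parent", f"{parent} is not added before this entry"))
        for oc in attrs.get("objectclass", []):
            for req in REQUIRED.get(oc.lower(), ()):
                if req not in attrs:
                    problems.append((dn, "missing-attr", f"{oc} requires {req}"))
        for attr in ("member", "memberof"):
            for ref in attrs.get(attr, []):
                if norm_dn(ref) not in known:
                    problems.append((dn, "dangling", f"{attr} {ref} names no entry in this file"))
        added.add(n)
    return problems


if __name__ == "__main__":
    for dn, kind, detail in check_ldif(SAMPLE_LDIF):
        print(f"{kind:15} {dn}: {detail}")
```

The check is deliberately offline: it reads only the file, so it can run in CI on the LDIF you keep in version control, before anything reaches the directory. Matching is by normalised DN, which is what slapd does for the parent lookup, so `CN=User1, OU=People,...` and `cn=user1,ou=People,...` are treated as the same entry.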
