ApacheDS Operations

ApacheDS Directory Design

  • DN
    • ou=users - users
      • uid=test.cs
    • ou=groups - groups and organizational structure
      • uid=company
        • objectclass: groupOfNames
    • ou=roles - roles
      • uid=admin
        • objectclass: groupOfNames
    • ou=services - service accounts
      • uid=keycloak
      • uid=nextcloud
    • dc=security - security-related entries
      • ou=services - security services
        • uid=krbtgt
          • krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
          • userPassword: randomKey
        • uid=kpasswd
          • krb5PrincipalName: kadmin/changepw@EXAMPLE.COM
        • uid=ldap
  • Object class choices
    • Principals (users): inetOrgPerson
    • Groups: groupOfNames
    • Roles: groupOfNames
  • Attribute choices
    • uid is used as the unique identifier
      • uid is not a mandatory attribute of inetOrgPerson
      • cn and sn are mandatory attributes

# Create the base structure - replace the base DN dc=example,dc=com as needed
dn: ou=users,dc=example,dc=com
objectclass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectclass: organizationalUnit
ou: groups

dn: ou=roles,dc=example,dc=com
objectclass: organizationalUnit
ou: roles

dn: ou=services,dc=example,dc=com
objectclass: organizationalUnit
ou: services

dn: dc=security,dc=example,dc=com
objectclass: domain
dc: security

dn: ou=services,dc=security,dc=example,dc=com
objectclass: organizationalUnit
ou: services
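
Before handing a batch of user, group and role entries to ldapadd, it is worth checking them against the schema rules the design above relies on: inetOrgPerson (through person) requires cn and sn while uid is only optional, and groupOfNames requires cn and member and permits only a handful of other attributes, so a plain groupOfNames entry cannot carry a uid. The following pre-flight validator is an added example, not code from the original page or from ApacheDS; the LDIF sample inside it is constructed for the example, and the ou=users base and the MUST/MAY tables are taken from the design above and from RFC 4519 / RFC 2798.

```python
"""Pre-flight validation of LDIF entries against the directory design above.

Added example (not from the original page or from ApacheDS). It parses LDIF
text and checks the schema rules the design depends on before the file is
handed to ldapadd. The SAMPLE_LDIF is constructed for this example.
"""
from collections import defaultdict

# Mandatory attributes per object class (lowercase), RFC 4519 / RFC 2798.
MUST = {
    "inetorgperson": {"cn", "sn"},
    "groupofnames": {"cn", "member"},
    "organizationalunit": {"ou"},
}
# groupOfNames is small enough to check its optional attributes exhaustively.
MAY = {"groupofnames": {"businesscategory", "seealso", "owner", "ou", "o", "description"}}
USERS_BASE = "ou=users,dc=example,dc=com"   # design rule: users live here and carry uid


def parse_ldif(text):
    """Return [(dn, attrs)] with attrs mapping lowercase name -> list of values.

    Handles comments, blank-line separated records and RFC 2849 folding
    (continuation lines start with one space). Base64 (::) values are kept
    undecoded, which is sufficient for presence checks."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(": ")
        if name == "dn":
            if dn is not None:              # record without a separating blank line
                entries.append((dn, attrs))
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def check_entry(dn, attrs):
    """Return the list of problems found in one entry (empty list = passes)."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes:
        return [f"{dn}: no objectClass"]
    for cls in sorted(classes):
        for must in sorted(MUST.get(cls, ())):
            if must not in attrs:
                problems.append(f"{dn}: {cls} requires '{must}'")
    # Attributes the class does not permit: only decidable when no auxiliary
    # class is present that could allow them.
    if classes <= {"groupofnames", "top"}:
        allowed = MUST["groupofnames"] | MAY["groupofnames"] | {"objectclass"}
        for extra in sorted(set(attrs) - allowed):
            problems.append(f"{dn}: '{extra}' is not permitted by groupOfNames")
    # The naming attribute should also be present as an attribute value;
    # servers with strict naming checks reject the add otherwise.
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in attrs.get(rdn_attr.strip().lower(), []):
        problems.append(f"{dn}: RDN value '{rdn_value}' not present in '{rdn_attr}'")
    # Design rule: users are identified by uid, which inetOrgPerson itself
    # does not require.
    if dn.lower().endswith(USERS_BASE) and "inetorgperson" in classes and "uid" not in attrs:
        problems.append(f"{dn}: users must carry uid")
    return problems


def validate(text):
    """Map each failing DN to its problems; an empty dict means the LDIF passes."""
    return {dn: p for dn, attrs in parse_ldif(text) if (p := check_entry(dn, attrs))}


# Constructed sample: a valid user, a user missing sn, the design's uid=company
# group carrying uid on a plain groupOfNames, and a role with no member.
SAMPLE_LDIF = """\
dn: uid=test.cs,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: test.cs
cn: Test CS
sn: CS
mail: test.cs@example.com

dn: uid=broken,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: broken
cn: Broken User

dn: uid=company,ou=groups,dc=example,dc=com
objectClass: groupOfNames
uid: company
cn: company
member: uid=test.cs,ou=users,dc=example,dc=com

dn: cn=empty,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: empty
"""

if __name__ == "__main__":
    for problems in validate(SAMPLE_LDIF).values():
        print("\n".join(problems))
```

Run it against the real LDIF before import; the uid=company result shows that naming groups by uid, as the design does, needs an auxiliary object class that allows uid (or a cn-based RDN) on top of groupOfNames.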

Delete the default partition

# Recursively delete the default "example" partition from the config partition
ldapdelete -r -H ldap://localhost:10389 -D uid=admin,ou=system -w secret ads-partitionId=example,ou=partitions,ads-directoryServiceId=default,ou=config

Change the default password

# Change the default admin password
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
# The new password. "secret" is also ApacheDS's factory default for this account, so substitute a strong value.
userPassword: secret

Nextcloud LDAP

./occ ldap:show-config s01
+-------------------------------+-----------------------------+
| Configuration                 | s01                         |
+-------------------------------+-----------------------------+
| hasMemberOfFilterSupport      |                             |
| homeFolderNamingRule          |                             |
| lastJpegPhotoLookup           | 0                           |
| ldapAgentName                 | uid=admin,ou=system         |
| ldapAgentPassword             | secret                      |
| ldapAttributesForGroupSearch  |                             |
| ldapAttributesForUserSearch   |                             |
| ldapBackupHost                |                             |
| ldapBackupPort                |                             |
| ldapBase                      | dc=example,dc=com           |
| ldapBaseGroups                | ou=groups,dc=example,dc=com |
| ldapBaseUsers                 | ou=users,dc=example,dc=com  |
| ldapCacheTTL                  | 600                         |
| ldapConfigurationActive       | 1                           |
| ldapDefaultPPolicyDN          |                             |
| ldapDynamicGroupMemberURL     |                             |
| ldapEmailAttribute            | mail                        |
| ldapExperiencedAdmin          | 0                           |
| ldapExpertUUIDGroupAttr       | enrtyUUID                   |
| ldapExpertUUIDUserAttr        | enrtyUUID                   |
| ldapExpertUsernameAttr        | uid                         |
| ldapExtStorageHomeAttribute   |                             |
| ldapGidNumber                 | gidNumber                   |
| ldapGroupDisplayName          | cn                          |
| ldapGroupFilter               | (objectclass=groupOfNames)  |
| ldapGroupFilterGroups         |                             |
| ldapGroupFilterMode           | 1                           |
| ldapGroupFilterObjectclass    | inetOrgPerson               |
| ldapGroupMemberAssocAttr      | member                      |
| ldapHost                      | ldap://192.168.1.1          |
| ldapIgnoreNamingRules         |                             |
| ldapLoginFilter               | (&(                         |
| ldapLoginFilterAttributes     |                             |
| ldapLoginFilterEmail          | 1                           |
| ldapLoginFilterMode           | 0                           |
| ldapLoginFilterUsername       | 1                           |
| ldapNestedGroups              | 1                           |
| ldapOverrideMainServer        |                             |
| ldapPagingSize                | 500                         |
| ldapPort                      | 10389                       |
| ldapQuotaAttribute            |                             |
| ldapQuotaDefault              |                             |
| ldapTLS                       | 0                           |
| ldapUserAvatarRule            | default                     |
| ldapUserDisplayName           | cn                          |
| ldapUserDisplayName2          | displayname                 |
| ldapUserFilter                | (objectclass=inetOrgPerson) |
| ldapUserFilterGroups          |                             |
| ldapUserFilterMode            | 1                           |
| ldapUserFilterObjectclass     | inetOrgPerson               |
| ldapUuidGroupAttribute        | auto                        |
| ldapUuidUserAttribute         | auto                        |
| turnOffCertCheck              | 0                           |
| turnOnPasswordChange          | 0                           |
| useMemberOfToDetectMembership | 1                           |
+-------------------------------+-----------------------------+
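
The dump above is what a reviewer should read for the security of the Nextcloud-to-ApacheDS link: the bind goes to ldap://192.168.1.1 with ldapTLS 0, the agent DN is the ApacheDS administrator uid=admin,ou=system rather than the uid=nextcloud service account the design reserves under ou=services, the agent password is ApacheDS's factory default, and the UUID attribute is spelled enrtyUUID where ApacheDS exposes entryUUID. The script below is an added example, not code from the original page or from Nextcloud: it parses the table that occ ldap:show-config prints into a dict and reports those conditions. The sample table is constructed from the values shown above (with a complete login filter, since the page's is truncated), and the set of recognised UUID attribute names is an assumption based on common directory servers.

```python
"""Review `occ ldap:show-config` output for weak LDAP link settings.

Added example (not from the original page or from Nextcloud). It parses the
box table printed by `occ ldap:show-config <id>` and flags settings that
weaken the Nextcloud <-> ApacheDS connection. SAMPLE_TABLE is constructed
from the values shown above.
"""

# Assumption: UUID operational attributes commonly exposed by directory
# servers (entryUUID for ApacheDS/OpenLDAP, objectGUID for Active Directory).
KNOWN_UUID_ATTRS = {"entryuuid", "objectguid", "nsuniqueid", "ipauniqueid"}
APACHEDS_ADMIN_DN = "uid=admin,ou=system"      # ApacheDS built-in administrator
APACHEDS_DEFAULT_PASSWORD = "secret"           # ApacheDS factory default


def parse_show_config(text):
    """Turn the occ box table into {key: value}; borders and the header are skipped.

    Only the first '|' separates key from value, so LDAP filters containing
    '|' (e.g. '(|(uid=%uid)(mail=%uid))') survive intact."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                            # '+----+' border line
        inner = line[1:]
        if inner.endswith("|"):
            inner = inner[:-1]
        key, _, value = inner.partition("|")
        key, value = key.strip(), value.strip()
        if key and key != "Configuration":      # header row names the config id
            config[key] = value
    return config


def review(config):
    """Return a list of (setting, value, finding) tuples; empty means nothing flagged."""
    findings = []
    host, tls = config.get("ldapHost", ""), config.get("ldapTLS", "0")
    if host.startswith("ldap://") and tls != "1":
        findings.append(("ldapTLS", tls,
                         "plain ldap:// without StartTLS: bind credentials and "
                         "directory data cross the network unencrypted"))
    if config.get("turnOffCertCheck") == "1":
        findings.append(("turnOffCertCheck", "1", "server certificate verification disabled"))
    agent = config.get("ldapAgentName", "")
    if agent.lower() == APACHEDS_ADMIN_DN:
        findings.append(("ldapAgentName", agent,
                         "binds as the ApacheDS administrator; use a dedicated "
                         "service account such as uid=nextcloud,ou=services"))
    if config.get("ldapAgentPassword") == APACHEDS_DEFAULT_PASSWORD:
        findings.append(("ldapAgentPassword", "***", "bind password is the ApacheDS factory default"))
    for key in ("ldapExpertUUIDUserAttr", "ldapExpertUUIDGroupAttr"):
        val = config.get(key, "")
        if val and val.lower() not in KNOWN_UUID_ATTRS:
            findings.append((key, val, "not a recognised UUID attribute; check the "
                                       "spelling (ApacheDS exposes entryUUID)"))
    return findings


# Constructed from the values shown above; the login filter is a constructed
# complete filter to exercise the '|' handling in the parser.
SAMPLE_TABLE = """\
+-------------------------+--------------------------+
| Configuration           | s01                      |
+-------------------------+--------------------------+
| ldapAgentName           | uid=admin,ou=system      |
| ldapAgentPassword       | secret                   |
| ldapBase                | dc=example,dc=com        |
| ldapExpertUUIDGroupAttr | enrtyUUID                |
| ldapExpertUUIDUserAttr  | enrtyUUID                |
| ldapHost                | ldap://192.168.1.1       |
| ldapLoginFilter         | (|(uid=%uid)(mail=%uid)) |
| ldapPort                | 10389                    |
| ldapTLS                 | 0                        |
| turnOffCertCheck        | 0                        |
+-------------------------+--------------------------+
"""

if __name__ == "__main__":
    for setting, value, finding in review(parse_show_config(SAMPLE_TABLE)):
        print(f"{setting}={value}: {finding}")
```

Feed it the real output of ./occ ldap:show-config s01; each finding maps to a single occ ldap:set-config s01 <key> <value> change (ldapTLS 1 for StartTLS, or an ldaps:// host; a uid=nextcloud,ou=services bind DN with its own password; entryUUID for both UUID attributes).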

Partitions