ApacheDS 运维
ApacheDS 目录设计
- DN
- ou=users - 用户
- uid=test.cs
- ou=groups - 分组、组织架构
- uid=company
- objectclass: groupOfNames
- uid=company
- ou=roles - 角色
- uid=admin
- objectclass: groupOfNames
- uid=admin
- ou=services - 服务账号
- uid=keycloak
- uid=nextcloud
- dc=security - 安全相关
- ou=services - 安全服务
- uid=krbtgt
- krb5PrincipalName: krbtgt/EXAMPLE.[email protected]
- userPassword: randomKey
- uid=kpasswd
- krb5PrincipalName: kadmin/[email protected]
- uid=ldap
- krb5PrincipalName: ldap/example.[email protected]
- uid=krbtgt
- ou=services - 安全服务
- ou=users - 用户
- 类选择
- 主体 inetOrgPerson
- 参照 rfc2798 选用属性
- 分组 groupOfNames
- 角色 groupOfNames
- 主体 inetOrgPerson
- 属性选择
- uid 用于唯一标示
- uid 不是 inetOrgPerson 强制属性
- cn 和 sn 是强制属性
- uid 用于唯一标示
# 创建基础结构 - 可替换 basedn dc=example,dc=com
dn: ou=users,dc=example,dc=com
objectclass: organizationalUnit
ou: users
dn: ou=groups,dc=example,dc=com
objectclass: organizationalUnit
ou: groups
dn: ou=roles,dc=example,dc=com
objectclass: organizationalUnit
ou: roles
dn: ou=services,dc=example,dc=com
objectclass: organizationalUnit
ou: services
dn: dc=security,dc=example,dc=com
objectclass: domain
dc: security
dn: ou=services,dc=security,dc=example,dc=com
objectclass: organizationalUnit
ou: services
删除默认分区
# 递归删除配置
ldapdelete -r -H ldap://localhost:10389 -D uid=admin,ou=system -w secret ads-partitionId=example,ou=partitions,ads-directoryServiceId=default,ou=config
修改默认密码
# 修改默认 admin 密码
dn:uid=admin,ou=system
changetype: modify
replace: userPassword
# 新的密码
userPassword: secret
Nextcloud LDAP
./occ ldap:show-config s01
| Configuration | s01 |
|---|---|
| hasMemberOfFilterSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | uid=admin,ou=system |
| ldapAgentPassword | secret |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=example,dc=com |
| ldapBaseGroups | ou=groups,dc=example,dc=com |
| ldapBaseUsers | ou=users,dc=example,dc=com |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | enrtyUUID |
| ldapExpertUUIDUserAttr | enrtyUUID |
| ldapExpertUsernameAttr | uid |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | inetOrgPerson |
| ldapGroupMemberAssocAttr | member |
| ldapHost | ldap://192.168.1.1 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | `(&( |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 10389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | displayname |
| ldapUserFilter | (objectclass=inetOrgPerson) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
分区