memberof overlay configuration

OpenLDAP does not ship with the memberof overlay enabled by default; you have to add it by hand. The following can be used as a reference.

First install the openldap package

sudo apt-get install slapd
Then add the memberOf module and overlay to the server configuration (cn=config).
vi member.ldif
Add the following to the file (the two entries must be separated by a blank line, as LDIF requires):
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof.la
olcmodulepath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
P.S. You have to change this yourself to match your backend (BDB, HDB or MDB). I use mdb, so it has to be changed to {1}mdb; the same applies below.
Save the file and add it to the OpenLDAP config with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f member.ldif
Add referential integrity to the LDAP config
vi refint.ldif
Add the following to the file (again with a blank line between the two entries):
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: refint.la
olcmodulepath: /usr/lib/ldap

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

Save the file and load it into the LDAP config:
ldapadd -Y EXTERNAL -H ldapi:/// -f refint.ldif
You should now have a fully functional OpenLDAP server with the memberOf attribute.

For adding accounts you can refer to the following article. Although it also mentions the memberof overlay, it was only with the steps above that I got it set up successfully.

Adding nodes

After installing OpenLDAP (which is pretty straightforward on Linux using apt-get) we're ready to create some nodes. Compared to a relational database, a node is roughly like a table in which we store our records. They are not the same thing, of course, but the comparison gives you a grasp of what a node is.
We want two nodes:
Groups node
People node
There's no native application or shell in which you can fiddle. Instead, OpenLDAP comes with a few executables you can use to perform your actions. You feed these executables with files containing the data you want to add. So let's get to it. Make a file named add_nodes.ldif in your favorite text editor and add the following lines (the blank line between the two entries is required).

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

To add these nodes, simply run the following command and give the admin password (that you chose during slapd setup) when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_nodes.ldif
Our base is dc=example,dc=com and with this we've just added people and groups nodes.

Adding a user

Before we add a user, we first need to generate his password hash.
slappasswd -h {SHA} -s my_secret_password
yielding this result
{SHA}M6XDJwA47cNw9gm5kXV1uTQuMoY=
We will use this result when creating our user file. Make the following file and name it add_user.ldif
dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
uid: john
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/john
mail: john.doe@example.com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {SHA}M6XDJwA47cNw9gm5kXV1uTQuMoY=
And add it by running:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_user.ldif
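The slappasswd step above produces a {SHA} value, which is an unsalted SHA-1 digest: two users with the same password get the identical userPassword string. slappasswd's default scheme is {SSHA}, which appends a random salt, and that is what you would normally store. The following added example (not from the original post) reproduces both encodings as OpenLDAP writes them and verifies a candidate password against either; the passwords used are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the original post: the {SHA} and {SSHA}
# userPassword layouts that slappasswd emits, plus a verifier for them.
# Scheme names and byte layout are the real OpenLDAP ones; sample
# passwords passed to these functions are constructed for the demo.


def hash_sha(password: str) -> str:
    """Same as `slappasswd -h {SHA}`: unsalted SHA-1, base64, scheme prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """slappasswd's default: SHA-1 over password||salt, salt appended after the digest."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    if not stored.startswith("{"):
        return False  # cleartext or an unknown layout: not handled here
    scheme, _, b64 = stored.partition("}")
    scheme = scheme[1:].upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False  # other schemes ({CRYPT}, {MD5}, ...) are out of scope here


if __name__ == "__main__":
    print(hash_sha("my_secret_password"))
    print(hash_ssha("my_secret_password"))
    print(verify(hash_ssha("my_secret_password"), "my_secret_password"))
```

Run it twice and note that the {SHA} line is identical on both runs while the {SSHA} line differs, which is exactly why the salted scheme is the sensible choice when the directory holds many accounts.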
Adding a group

Same stuff, make add_group.ldif
dn: cn=mygroup,ou=groups,dc=example,dc=com
objectClass: groupofnames
cn: mygroup
description: All users
member: uid=john,ou=people,dc=example,dc=com
where you add a "member: user_dn" line for each user you want to add to this group. And then run
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_group.ldif
Taking it for a test-run

You can run the following command to see if it's all set up properly. memberOf is an operational attribute, so it is only returned when you request it explicitly, which is why it is listed at the end of the command:
ldapsearch -x -LLL -H ldap:/// -b uid=john,ou=people,dc=example,dc=com dn memberof
And it should yield this result
dn: uid=john,ou=People,dc=example,dc=com
memberOf: cn=mygroup,ou=groups,dc=example,dc=com
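To make clear what the two overlays configured at the top of the post actually do, here is an added example that is not part of the original post: a small offline model in Python. It parses the LDIF from the post (embedded as constructed sample data), derives a user's memberOf from the groups' member attributes the way the memberof overlay does, and shows the refint-style cleanup of dangling member values when a user entry is deleted. DN and attribute-name matching is case-insensitive, as it is in the server.

```python
import re
from collections import defaultdict

# Added example, not part of the original post: an offline model of the
# memberof and refint overlays over the post's own entries.
# Constructed sample LDIF (trimmed copy of the entries added in the post).
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SHA}M6XDJwA47cNw9gm5kXV1uTQuMoY=

dn: cn=mygroup,ou=groups,dc=example,dc=com
objectClass: groupofnames
cn: mygroup
member: uid=john,ou=People,dc=example,dc=com
"""


def norm_dn(dn: str) -> str:
    """Normalize a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict:
    """Parse blank-line-separated entries into {normalized dn: {attr: [values]}}.
    Handles folded continuation lines (leading space); base64 '::' values are
    not decoded, which is fine for the plain-text sample above."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # folded continuation of the previous line
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = defaultdict(list)
        dn = None
        for line in lines:
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = norm_dn(value)
            else:
                attrs[name.lower()].append(value)
        if dn is None:
            raise ValueError("LDIF entry without dn")
        entries[dn] = dict(attrs)
    return entries


def member_of(entries: dict, dn: str) -> list:
    """What the memberof overlay returns for dn: every group listing it as member."""
    target = norm_dn(dn)
    return sorted(
        gdn for gdn, attrs in entries.items()
        if any(norm_dn(m) == target for m in attrs.get("member", []))
    )


def delete_with_refint(entries: dict, dn: str) -> dict:
    """Remove an entry and, like refint with olcRefintAttribute member, drop
    every member value that referenced it. Returns a new dict."""
    target = norm_dn(dn)
    out = {k: {a: list(v) for a, v in attrs.items()} for k, attrs in entries.items()}
    out.pop(target, None)
    for attrs in out.values():
        if "member" in attrs:
            attrs["member"] = [m for m in attrs["member"] if norm_dn(m) != target]
    return out


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    john = "uid=john,ou=people,dc=example,dc=com"
    print("memberOf:", member_of(tree, john))
    after = delete_with_refint(tree, john)
    print("group members after delete:", after["cn=mygroup,ou=groups,dc=example,dc=com"]["member"])
```

Without refint, deleting john would leave the group pointing at a DN that no longer exists; the olcRefintAttribute list in the post (memberof member manager owner) is what tells the server which attributes to scrub.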
