OpenLDAP: Configuring an LDAP Proxy
Latest revision as of 22:43, 5 February 2013
In this article we configure the OpenLDAP server so that it acts as a proxy for other LDAP servers.
The advantages of this approach are:
- Security - By placing an LDAP proxy server in the DMZ that accesses the corporate LDAP, the exposed server holds only metadata (no directory data of its own), which avoids crashes of the corporate directory and makes traceability (log analysis) easier.
- Rewriting of LDAP queries - Many administrators are afraid to extend the schema of their LDAP servers for fear of corrupting it. By creating rewrite rules we can provide the required attributes without touching the schema.
Example
In this example OpenLDAP simulates MS Active Directory while pointing to an IBM Tivoli Directory Server (TDS).
Mapping the search attribute memberOf to ibm-allGroups
Edit the slapd.conf file:
## LDAP PROXY SERVER
database meta
suffix o=empresa,c=br
lastmod off
uri "ldap://192.168.1.10/o=empresa,c=br"
acl-authcDN "uid=AdminLDAP,ou=usuarios,o=empresa,c=br"
acl-passwd "adminPASSWORD"
idle-timeout 600s
map attribute memberOf ibm-allGroups
Complete slapd.conf file
#######################################################################
# Schemas that must be loaded
#######################################################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
#######################################################################
# OpenLDAP control files
#######################################################################
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#######################################################################
# Level of the log generated by OpenLDAP
#######################################################################
logfile /var/log/slapd.log
loglevel 5
#######################################################################
# Modules that must be loaded by the OpenLDAP server
#######################################################################
# Load dynamic backend modules:
modulepath /usr/lib/ldap
moduleload back_ldap.la
moduleload back_meta.la
#moduleload back_monitor.la
#######################################################################
# How long an idle connection (no traffic) is kept open
#######################################################################
idletimeout 600
## LDAP PROXY SERVER
database meta
suffix o=empresa,c=br
lastmod off
uri "ldap://192.168.1.10/o=empresa,c=br"
acl-authcDN "uid=AdminLDAP,ou=usuarios,o=empresa,c=br"
acl-passwd "adminPASSWORD"
idle-timeout 600s
map attribute memberOf ibm-allGroups
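To make the attribute mapping concrete, the following is an added example (not code from the article or from OpenLDAP): it models what the meta backend's map attribute directive does to a client search filter and to the entries returned by the upstream server, and it flags the two settings in this stanza that a security review would question. The proxy stanza is the article's own, embedded here as a constructed string; the function names are assumptions.

```python
import re

# Constructed sample: the proxy database stanza from the article's slapd.conf
SLAPD_CONF = """\
database meta
suffix o=empresa,c=br
lastmod off
uri "ldap://192.168.1.10/o=empresa,c=br"
acl-authcDN "uid=AdminLDAP,ou=usuarios,o=empresa,c=br"
acl-passwd "adminPASSWORD"
idle-timeout 600s
map attribute memberOf ibm-allGroups
"""

def parse_attribute_maps(conf):
    """Collect 'map attribute <client-side> <remote>' pairs from slapd.conf text."""
    pairs = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["map", "attribute"]:
            pairs.append((parts[2], parts[3]))
    return pairs

def _lookup(name, pairs):
    """LDAP attribute names are case-insensitive, so match them that way."""
    for src, dst in pairs:
        if src.lower() == name.lower():
            return dst
    return name

def rewrite_filter(ldap_filter, pairs):
    """Rewrite attribute names in a client search filter before it is forwarded upstream."""
    return re.sub(r"\(([A-Za-z][\w;-]*)(?=[:~<>=])",
                  lambda m: "(" + _lookup(m.group(1), pairs), ldap_filter)

def rewrite_entry(entry, pairs):
    """Rename attributes of an upstream result entry back to the client-side names."""
    reverse = [(dst, src) for src, dst in pairs]
    return {_lookup(attr, reverse): values for attr, values in entry.items()}

def audit_proxy_config(conf):
    """Flag the two settings in this stanza a security reviewer would question."""
    findings = []
    if re.search(r'^uri\s+"ldap://', conf, re.M) and "tls" not in conf:
        findings.append("plain ldap:// upstream with no TLS: the proxy bind crosses the network unencrypted")
    if re.search(r"^acl-passwd\s", conf, re.M):
        findings.append("acl-passwd keeps the bind password in cleartext inside slapd.conf")
    return findings
```

With the article's mapping, a client filter (memberOf=cn=admins,o=empresa,c=br) goes upstream as (ibm-allGroups=...), and an entry returned with ibm-allGroups comes back to the client as memberOf.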
See also
- OpenLDAP: Configuring an LDAP Proxy
- AWSTATS: Configuring AWSTATS
- MySQL: Configuring MySQL
- BIND: Configuring Active Directory support