{ "info": { "author": "Daniele Sluijters", "author_email": "daenney@users.noreply.github.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Environment :: Console", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3 :: Only", "Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP", "Topic :: Utilities" ], "description": "# slapddgen\n\n* [slapddgen](#slapddgen)\n * [Usage](#usage)\n * [Modifying the templates](#modifying-the-templates)\n * [Docker](#docker)\n * [Building](#building)\n * [Running](#running)\n * [Production](#production)\n * [Configuration](#configuration)\n * [`cn=config.ldif`](#cnconfigldif)\n * [`cn=module{0}.ldif,cn=config`](#cnmodule0ldifcnconfig)\n * [`olcDatabase={-1}frontend.ldif,cn=config`](#olcdatabase-1frontendldifcnconfig)\n * [`olcDatabase={0}config.ldif,cn=config`](#olcdatabase0configldifcnconfig)\n * [`olcDatabase={1}monitor.ldif,cn=config`](#olcdatabase1monitorldifcnconfig)\n * [`olcDatabase={2}mdb.ldif,cn=config`](#olcdatabase2mdbldifcnconfig)\n * [`olcOverlay={0}memberof.ldif,olcDatabase={2}mdb,cn=config`](#olcoverlay0memberofldifolcdatabase2mdbcnconfig)\n * [`olcOverlay={1}refint.ldif,olcDatabase={2}mdb,cn=config`](#olcoverlay1refintldifolcdatabase2mdbcnconfig)\n * [`olcOverlay={2}ppolicy.ldif,olcDatabase={2}mdb,cn=config`](#olcoverlay2ppolicyldifolcdatabase2mdbcnconfig)\n * [`olcOverlay={3}unique.ldif,olcDatabase={2}mdb,cn=config`](#olcoverlay3uniqueldifolcdatabase2mdbcnconfig)\n * [`cn=schema.ldif,cn=config`](#cnschemaldifcnconfig)\n * [`cn=*.ldif,cn=schema,cn=config`](#cnldifcnschemacnconfig)\n\n**NOTE**: This tool is very very alpha. Works for me, might work for you.\n\n**NOTE**: Ensure your editor does not strip trailing whitespace if you\nopen any of the files in `cn=schema` as that will break the ldif format.\n\n`slapddgen` generates a `slapd.d` that you can load into an OpenLDAP\nserver by pointing at it with `slapd -F`. This will start a server\nwith online configuration, aka `olc`, meaning the configuration\nitself is stored in the directory server, not in `slapd.conf`.\n\n## Usage\n\nThe input for this tool is contained in `config.json`, or whatever\n`--config_file` is pointed at. There's too many things to do this\nwith environment variables or CLI switches. Removing things from\n`config.json` is guaranteed to blow shit up, though for the modules,\nACLs, indices and unique empty arrays should be fine.\n\nOnce you've installed slapddgen you can run it with a `slapddgen generate\n--config_file=/path/to/config.json --output_dir=/path/to/write/config/to`\n\n## Modifying the templates\n\nIf you know what you're doing you can modify the templates in\n`templates/slapd.d` to suit your needs. Doing so if you've `pip install`ed\nslapddgen will be annoying, so in that case cloning the repository and\ndoing a `pip install -e .` instead will be more helpful.\n\n## Docker\n\nThere is also an example `Dockerfile` that you can use to package\nit all up in a Docker container. This can be useful for testing purposes\namongst other things.\n\n### Building\n\n```sh\nVERSION=$(git rev-parse --abbrev-ref HEAD)\ndocker build --no-cache=true \\\n --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \\\n --build-arg COMMIT=$(git rev-parse HEAD) \\\n --build-arg VERSION=${VERSION} \\\n -t ldap:${VERSION} .\n```\n\nWhen building a release use `git describe --abbrev=0 --tags` instead\nfor the `VERSION`.\n\n### Running\n\n```sh\ndocker run -it -p 3389:389 -p 6636:636 ldap\n```\n\nThis will expose port 389 in the container, the `ldap://` URL, to the host\non port 3389 (so you don't need to bind on a priviledged port) and do the\nsame for port 636, `ldaps://`.\n\nYou can change the entrypoint with `--entrypoint=/bin/sh`. Once you've done\nthat you can still manually launch OpenLDAP in the container by running\n`slapd -u ldap -g ldap -d 256`.\n\n#### Production\n\nWhen running it for production purposes it's important to ensure\nconfiguration and data can persist to disk. Otherwise you'd start up with a\nfresh and empty directory service every time your restart the container.\n\nTo that end, you should probably volume mount the following:\n\n* Configuration: `/etc/openldap`\n* Database: `/var/lib/openldap/openldap-data`\n\nA separate user, `ldapd` is create which defaults to a UID of `55555`. This\nis to ensure you can correctly map a host user and the container user so you don't\nget into permission issues with the volume mounts.\n\nIn order to change the UID of the `ldapd` user in the container you have to\nrebuild it and pass in `--build-arg UID=`.\n\n## Configuration\n\nslapddgen generates a bunch of configuration for you and assumes the following\nDIT layout:\n\n```text\n- {{suffix}}\n--- {{baseOU}},{{suffix}}\n----- ou=accounts,{{baseOU}},{{suffix}}\n----- ou=groups,{{baseOU}},{{suffix}}\n----- ou=policy,{{baseOU}},{{suffix}}\n```\n\nYou can of course change this yourself by modifying the templates.\n\nThe configuration generated uses online/dynamic configuration, aka olc, aka\n`olcConfig`. As such there is no `slapd.conf` to speak of and you'll have to\napply ldif's with the help of `ldapmodify` to configure the OpenLDAP server\nfurther.\n\nThe resulting `slapd.d` directory can be used to start an OpenLDAP server\nfrom scratch. The following sections assume that you've run slapddgen and\nexplain some of the things in the generated configuration.\n\n### `cn=config.ldif`\n\nThe following settings are defaults related to Alpine:\n\n```ldif\nolcConfigFile: /etc/openldap/slapd.conf\nolcConfigDir: /etc/openldap/slapd.d/\nolcArgsFile: /run/openldap/slapd.args\nolcPidFile: /run/openldap/slapd.pid\n```\n\nOf note is:\n\n```ldif\nolcPasswordCryptSaltFormat: $6$rounds=50000$%.16s\n```\n\nThis uses crypt's SHA512 with 50.000 rounds (key stretching). This relates to\nthe `olcPasswordHash` setting in `olcDatabase={-1}frontend.ldif` as well as\n`olcPPolicyHashCleartext` in `olcOverlay={2}ppolicy.ldif,olcDatabase={2}mdb,cn=config`.\n\n### `cn=module{0}.ldif,cn=config`\n\nConfigures which modules are loaded. Of note are `olcModulePath` and the\nmultitude of `olcModuleLoad` entries, relative to `olcModulePath`.\n\n### `olcDatabase={-1}frontend.ldif,cn=config`\n\nThe frontend database is a special, pseudo, database which contains settings\nthat apply as defaults to all the other `olcDatabase`s.\n\nThe two interesting entries are:\n\n```ldif\nolcMonitoring: FALSE\nolcPasswordHash: {CRYPT}\n```\n\n`olcMontioring` disables the monitoring overlay for all databases. It'll be\nenabled explicitly for `olcDatabase={2}mdb.ldif`. The other ensures that we\nalways use `{CRYPT}` as our password hashing mechanism. Which settings are\napplied to password hashing is defined by `olcPasswordCryptSaltFormat`.\n\n### `olcDatabase={0}config.ldif,cn=config`\n\nThe only thing of interest here are the `olcAccess` entries, defining the\nACLs which allow entities to read/write `cn=config`.\n\n### `olcDatabase={1}monitor.ldif,cn=config`\n\nLike the previous section, `olcAccess` is the only interesting bit.\n\n### `olcDatabase={2}mdb.ldif,cn=config`\n\nThis one is interesting, as this defines the data storage of our actual\nentries in the DIT, as well as other things like ACLs.\n\nOf interest:\n\n```ldif\nolcSuffix: dc=example,dc=com\nolcRootDN: cn=Manager,dc=example,dc=com\nolcRootPW: {CRYPT}super-long-hash\nolcMonitoring: TRUE\nolcDbMaxSize: 536870912\nolcDbDirectory: /var/lib/openldap/openldap-data\nolcDbIndex: objectClass eq\nolcDbIndex: uid eq,sub\nolcDbIndex: uidNumber eq\nolcDbIndex: gidNumber eq\nolcDbIndex: member eq\nolcDbIndex: memberof eq\n```\n\n`olcSuffix` defines the default suffix for all entries. `olcRootDN` is the\nDN of this database \"root\" user, and can modify anything regardless of ACLs.\nThe `olcRootPW` is the password of the `olcRootDN`, generated with\n`slappasswd -h '{CRYPT}' -c '$6$rounds=50000$%.16s'`.\n\n`olcMonitoring` enables monitoring for this database and `olcDbDirectory`\ncontains the path on disk where this database is stored.\n\nThe `olcDbIndex` entries define the indices OpenLDAP will maintain for us\nand help speed up search operations.\n\n`olcDbMaxSize` defines the size of the memory map that will be allocated\nfor the database. It cannot grow past this value at runtime though you\ncan set it to a higher value and then restart. The value is in bytes,\nour default is half a gibibyte (GiB).\n\nAs usual there's also a number of `olcAccess` entries governing access to\nthe data.\n\n### `olcOverlay={0}memberof.ldif,olcDatabase={2}mdb,cn=config`\n\nHere we store the configuration for the memberof overlay. The memberof\noverlay adds a virtual attribute `memberOf` to any entry in the DIT storing\nwhat things this DN is a member of.\n\nImagine you have three `groupOfNames` that refer to a user in the `member`\nattribute. The `memberOf` attribute for that user will then contain the\nDNs of these three `groupOfNames`. Note that `memberOf` will only contain\nthe immediate/direct memberships, not any inherited ones (it will\nnot recursively expand the member attributes).\n\nThe settings of interest are:\n\n```ldif\nolcMemberOfDangling: error\nolcMemberOfDanglingError: constraintViolation\nolcMemberOfRefInt: TRUE\nolcMemberOfGroupOC: groupOfNames\nolcMemberOfMemberAD: member\nolcMemberOfMemberOfAD: memberOf\n```\n\n`olcMemberOfDangling` specifies that we'll return an error in case a\nmodification would result in a dangling reference, returning an error of\ntype `olcMemberOfDanglingError`.\n\n`olcMemberOfRefInt` specifies that we use the referential integrity\noverlay (see the next section).\n\n`olcMemberOfGroupOC` specifies which `objectClass` we monitor for\ndangling references. This is usually only useful for gorups and we use\n`groupOfNames` for groups. `olcMemberOfAD` specifies the attribute used\nto store members of a group in, that's `member` and `olcMemberOfMemberOfAD`\nspecifes the attribute in which the relation is stored, `memberOf`.\n\n### `olcOverlay={1}refint.ldif,olcDatabase={2}mdb,cn=config`\n\nThis configures the referential integrity overlay. Referential integrity\nwill take care of updating any references to a DN stored in the specified\nattributes should that DN get renamed/moved.\n\nOf note:\n\n```ldif\nolcRefintAttribute: owner\nolcRefintAttribute: manager\nolcRefintAttribute: memberOf\nolcRefintAttribute: member\nolcRefintAttribute: roleOccupant\nolcRefintModifiersName: cn=Manager,dc=example,dc=com\n```\n\nThe `olcRefintAttribute`s specify which attributes we want to enforce\nreferential integrity for. This can only every be attributes that store\na distinguished name.\n\n`olcRefintModifiersName` specifes what we'll store in the `modifiersName`\noperational attribute for any entry that gets updated by the referential\nintegrity overlay.\n\n### `olcOverlay={2}ppolicy.ldif,olcDatabase={2}mdb,cn=config`\n\nThe password policy overlay allows to configure certain minimum\nrequirements for passwords (like those stored in the `userPassword`\nattribute).\n\nOf note:\n\n```ldif\nolcPPolicyHashCleartext: TRUE\nolcPPolicyDefault: cn=password,ou=policy,dc=example,dc=com\nolcPPolicyUseLockout: FALSE\n```\n\n`olcPPolicyHashCleartext` means that the server will automatically hash\nany password sent in as clear text using `olcPasswordHash`.\n\n`olcPPolicyDefault` defines an entry in the DIT where we store our\ndefault password policy on which we can set other settings. The entry\nshould have `objectClass: pwdPolicy`. Its settings [are documented\nhere](http://www.zytrax.com/books/ldap/ch6/ppolicy.html#pwdpolicyattributes).\n\nYou can create additional/different password policies in the `ou=policy`\npart of the tree and attach them to a user by adding the `pwdPolicySubentry`\nattribute on them, pointing to a different policy.\n\n`olcPPolicyUseLockout` instructs the server whether it should return an\n`InvalidCredentials` (`FALSE`) when attempting to bind or an `AccountLocked`\n(`TRUE`) instead. This configuration defaults to `FALSE` in order to not be\nable to use this feature to enumerate accounts.\n\n### `olcOverlay={3}unique.ldif,olcDatabase={2}mdb,cn=config`\n\nThe unique overlay allows enforcing uniqueness contraints of attributes on\na part of the tree (or the whole tree). Though the RDN is always enforced to\nbe unique (so you can't have two people with the same `uid` for example)\nother attributes are not, most crucially things like `uidNumber`, `gidNumber`\nor `homeDirectory`.\n\nYou can create constraints by adding an `olcUniqueURI` entry of the form:\n`ldap:///[base dn]?[attributes...]?scope[?filter]`.\n\nFor example, if you wanted to enforce unique `gidNumber`s you could do:\n`ldap:///?gidNumber?sub`. Unfortunately this will enforce `gidNumber`\nconstraints across both `posixAccount` and `posixGroup` so you won't be\nable to create a `posixAccount` with `gidNumber` set to a `posixGroup`s\nGID, which is undesirable. Instead do something like this:\n\n```ldif\nolcUniqueURI: ldap:///ou=groups,ou=example,dc=example,dc=com?gidNumber?sub\nolcUniqueURI: ldap:///ou=accounts,ou=example,dc=example,dc=com?gidNumber?sub\nolcUniqueURI: ldap:///ou=example,dc=example,dc=com?uidNumber?sub\n```\n\nNow the constraint will be enforced independently on these parts of the\ntree, not as a whole.\n\n### `cn=schema.ldif,cn=config`\n\nNothing of relevance to see or change here. It just needs to exist. Once\nthe server has been started this entry will be updated automatically\nwith the server's internal object classes and attributes (mostly all the\n`olc`* object classes and attributes).\n\n### `cn=*.ldif,cn=schema,cn=config`\n\nContains the schema files loaded by the server.\n\nUpdating this is rather tricky. The \"easiest\" way is to generate a `slapd.conf`\nwith the `include` statements for the schemas and then dump it out\nusing `slapdest -f /path/to/slapd.conf -F /path/to/slapd.d`.\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/daenney/slapddgen", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "slapddgen", "package_url": "https://pypi.org/project/slapddgen/", "platform": "", "project_url": "https://pypi.org/project/slapddgen/", "project_urls": { "Homepage": "https://github.com/daenney/slapddgen" }, "release_url": "https://pypi.org/project/slapddgen/0.1.1/", "requires_dist": [ "Click", "jinja2" ], "requires_python": "", "summary": "slapd.d generator", "version": "0.1.1" }, "last_serial": 4422170, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "52b96acbd621919f1f3e8c85e70f4e96", "sha256": "2443a84edca781d9319b1fa9f2f8116e18c96f8baa7f3f200f3cd8d34ee44eb7" }, "downloads": -1, "filename": "slapddgen-0.1.0-py3-none-any.whl", "has_sig": false, "md5_digest": "52b96acbd621919f1f3e8c85e70f4e96", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 5337, "upload_time": "2018-08-05T21:37:10", "url": "https://files.pythonhosted.org/packages/88/e7/5acbe7d936a5a1b0600f2b9e0454da6a059e1c5ac05356f40bab866f0221/slapddgen-0.1.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "3d95fd5bc6c42d3da2b52b618f705b41", "sha256": "a3f0b28cd1baf0a6de9eefd4a3ad82757fc0fdb9a8e681723626bbd6d3b99044" }, "downloads": -1, "filename": "slapddgen-0.1.0.tar.gz", "has_sig": false, "md5_digest": "3d95fd5bc6c42d3da2b52b618f705b41", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15644, "upload_time": "2018-08-05T21:37:11", "url": "https://files.pythonhosted.org/packages/9b/9d/016fda51e92c6927a51b3043faea1e375274fe0579987df8042b0208eba5/slapddgen-0.1.0.tar.gz" } ], "0.1.1": [ { "comment_text": "", "digests": { "md5": "0f5c6c683161bcc35c96735ef49ff8f2", "sha256": "c3c7444fa0e0ece2a7addd9805c4a1f00f86d0e017beb3a511e25647bbd7af42" }, "downloads": -1, "filename": "slapddgen-0.1.1-py3-none-any.whl", "has_sig": false, "md5_digest": "0f5c6c683161bcc35c96735ef49ff8f2", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 8384, "upload_time": "2018-10-27T14:49:50", "url": "https://files.pythonhosted.org/packages/d9/74/5aee45ee04bf8393950f99cddc8ce7c2e706007882c374ffda8868b2171a/slapddgen-0.1.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "1b42f8d093960fe62cfd91541cd4c528", "sha256": "c749389c72131b63381094dfb8ec21921604a8e358c110ad61f731515be0a21f" }, "downloads": -1, "filename": "slapddgen-0.1.1.tar.gz", "has_sig": false, "md5_digest": "1b42f8d093960fe62cfd91541cd4c528", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 24564, "upload_time": "2018-10-27T14:49:52", "url": "https://files.pythonhosted.org/packages/11/83/33ab0593cb526fb99c22762e8d7a30e8554611bc81f00ac9aa0e38aed5a8/slapddgen-0.1.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "0f5c6c683161bcc35c96735ef49ff8f2", "sha256": "c3c7444fa0e0ece2a7addd9805c4a1f00f86d0e017beb3a511e25647bbd7af42" }, "downloads": -1, "filename": "slapddgen-0.1.1-py3-none-any.whl", "has_sig": false, "md5_digest": "0f5c6c683161bcc35c96735ef49ff8f2", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 8384, "upload_time": "2018-10-27T14:49:50", "url": "https://files.pythonhosted.org/packages/d9/74/5aee45ee04bf8393950f99cddc8ce7c2e706007882c374ffda8868b2171a/slapddgen-0.1.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "1b42f8d093960fe62cfd91541cd4c528", "sha256": "c749389c72131b63381094dfb8ec21921604a8e358c110ad61f731515be0a21f" }, "downloads": -1, "filename": "slapddgen-0.1.1.tar.gz", "has_sig": false, "md5_digest": "1b42f8d093960fe62cfd91541cd4c528", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 24564, "upload_time": "2018-10-27T14:49:52", "url": "https://files.pythonhosted.org/packages/11/83/33ab0593cb526fb99c22762e8d7a30e8554611bc81f00ac9aa0e38aed5a8/slapddgen-0.1.1.tar.gz" } ] }