Trac Hacks
wiki:LdapPluginTests


Contents

  1. Prerequisites
  2. Create the directory config file
  3. Configure your system logger
  4. Start up the LDAP server
  5. Initializing the directory
  6. Clean up
  7. Troubleshooting
    1. Common errors

Testing LDAP extensions

This page gives some guidelines on testing the LdapPlugin extension, and provides some examples of deploying OpenLDAP to perform the tests.

Prerequisites

The examples in this page assume that you are working with a Linux server (Debian), with OpenLDAP 2.2 or greater.

The slapd server should be installed and you should also have access to the LDAP utilities, which usually come in a separate package:

  • server tools: slapadd, slapcat
  • client tools: ldapsearch, ldapadd, ldapmodify, ldapdelete

All the commands are run using the superuser (root) account.

Create the directory config file

The following config file is somewhat more complex than it needs to be, as it defines ACLs and so on. However, it is a good base from which to elaborate a more complex LDAP setup, and it is the file I used to test the extension.

    # BDB backend in this example
    database        bdb
    # Maximum entries returned in a search
    sizelimit       100
    # Log connections, operations, results
    # Do not forget to reduce the debug level once everything is up and running !
    loglevel        768
    suffix          "dc=example,dc=org"
    rootdn          "uid=root,dc=example,dc=org"
    # Cleartext password: Trac
    rootpw          {SSHA}yGq6aHM4w3Hf94hl4j+1rgO3HSGmmbVq
    lastmod         on
    # Path to the database files
    directory       /var/local/db/tracldap
    # 1.3.6.1.4.1.15527 is reserved. Do not hijack it
    # Please see http://www.iana.org/cgi-bin/enterprise.pl
    # Attribute type definitions
    attributetype ( 1.3.6.1.4.1.15527.143
                    NAME 'tracperm'
                    DESC 'Trac Permission'
                    EQUALITY caseIgnoreMatch
                    SUBSTR caseIgnoreSubstringsMatch
                    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} )
    # Class definitions
    objectclass ( 1.3.6.1.4.1.15527.8
                  NAME 'tracuser'
                  DESC 'Regular user with Trac permission'
                  SUP top
                  STRUCTURAL
                  MUST ( uid $ cn $ userpassword )
                  MAY  ( tracperm $ sn $ description ) )
    objectclass ( 1.3.6.1.4.1.15527.9
                  NAME 'tracgroup'
                  DESC 'Trac permission for groupofnames'
                  SUP top
                  AUXILIARY
                  MAY  ( tracperm ) )
    # ACLs (warning: give read access to anonymous LDAP connection)
    access to dn.base="" by * read
    access to dn.base="cn=subschema" by * read
    access to filter=(|(objectclass=groupOfNames)(objectclass=tracuser)) dn.one="dc=example,dc=org"
           by group="cn=managers,dc=example,dc=org" write
           by * read
    access to attrs=tracperm
           by group="cn=managers,dc=example,dc=org" write
           by self read
           by users read
           by anonymous read
    access to attrs=entry dn.subtree="dc=example,dc=org"
           by * read
    # Search indexing
    index  objectClass,uid eq
    index  cn,sn           eq,sub,pres,approx
    index  member          eq

You should include this file from the main OpenLDAP configuration file, usually located at /etc/ldap/slapd.conf. Put the include at the bottom of that file.
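The rootpw line above stores the directory manager's password as an {SSHA} value rather than in the clear, and the comment beside it reveals the cleartext, so a test directory built from this file should not reuse that hash. The following added example (not part of the page or of the LdapPlugin) shows how an OpenLDAP {SSHA} value is laid out, base64(SHA-1(password || salt) || salt), so you can generate your own value for rootpw and confirm what a given hash corresponds to. The 4-byte salt length matches what slappasswd produces by default; the verifier accepts any salt length because it simply takes whatever follows the 20-byte digest.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64( SHA1(password || salt) || salt ).
    A 4-byte random salt is used when none is supplied, like slappasswd does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a cleartext password against a stored {SSHA} value.
    The salt is everything after the 20-byte SHA-1 digest, so any salt length works."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a password check should use
    return hmac.compare_digest(digest, expected)


# rootpw value from the slapd.conf fragment on this page
PAGE_ROOTPW = "{SSHA}yGq6aHM4w3Hf94hl4j+1rgO3HSGmmbVq"

if __name__ == "__main__":
    print("page rootpw matches 'Trac':", check_ssha("Trac", PAGE_ROOTPW))
    # 'ChangeMe' is a constructed placeholder; use your own value here
    print("fresh rootpw value:", make_ssha("ChangeMe"))
```

In production the same {SSHA} layout is used for userPassword attributes, so the check_ssha routine also tells you whether a value copied from an LDIF file (as in the test entries later on this page) is hashed or cleartext.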

Configure your system logger

OpenLDAP errors can be cryptic. You can find useful information however in the log produced by the server.

It is useful to compare the requests made by standard utilities such as ldapsearch with the requests made by the extension: if an ldapsearch request fails, blame your server configuration (or your directory content), not the Trac LDAP extension.

  1. Add the following entry in /etc/syslog.conf:
    # Log OpenLDAP
    local4.*                       -/var/log/openldap.all
  2. Reload the syslog configuration:
    /etc/init.d/sysklogd reload
  3. You probably want to open a console and keep dumping the log messages:
    tail -f /var/log/openldap.all

Start up the LDAP server

  1. Create the directory where the LDAP directory files will reside:
    mkdir /var/local/db/tracldap
  2. Start up the server:
    /etc/init.d/slapd start

You should not get any error. If you get an error message, carefully check the log file and fix your LDAP configuration before resuming the installation.

If everything is ok, shut down the server, because we need to initialize the LDAP directory before continuing.

Initializing the directory

We need to create the top-most entry (the local root) of the LDAP hierarchical directory.

  1. Copy the following LDIF data in a file, init.ldif for example:
    dn: dc=example,dc=org
    dc: example
    o: Trac
    description: Test directory for Trac
    objectClass: dcObject
    objectClass: organization
  2. Then inject this LDIF data into the LDAP directory using the server tool (the server must be stopped at this point):
    /usr/sbin/slapadd -b "dc=example,dc=org" -l init.ldif
  3. Restart the LDAP server:
    /etc/init.d/slapd start

Now that the server is up and running, we can inject the initial directory entries that are expected by the extension unit tests.

  1. Copy the following LDIF data in another file, dirtest.ldif:
    # Group definition
    # Managers is a group that has permission to add and revoke Trac permissions
    dn: cn=managers,dc=example,dc=org
    cn: managers
    objectClass: groupOfNames
    objectClass: tracgroup
    member: uid=trac,dc=example,dc=org

    # Group definition
    # Users is a group of regular users
    dn: cn=users,dc=example,dc=org
    cn: users
    objectClass: groupOfNames
    objectClass: tracgroup
    member: uid=joeuser,dc=example,dc=org

    # User definition
    # Trac is the 'software user' that manages the Trac permissions
    dn: uid=trac,dc=example,dc=org
    uid: trac
    cn: Trac Manager
    userPassword: Trac
    objectClass: tracuser

    # Special 'user': anonymous
    # joker entry for non authenticated access
    dn: uid=anonymous,dc=example,dc=org
    uid: anonymous
    cn: Trac Anonymous
    sn: Anonymous
    userPassword: no_use
    objectClass: tracuser

    # Special 'user': authenticated
    # joker entry for any authenticated access
    dn: uid=authenticated,dc=example,dc=org
    uid: authenticated
    cn: Trac Authenticated
    sn: Authenticated
    userPassword: no_use
    objectClass: tracuser

    # User definition
    # Joe User is just a regular user
    dn: uid=joeuser,dc=example,dc=org
    uid: joeuser
    cn: Joe User
    sn: User
    userPassword: anypasswd
    objectClass: tracuser
  2. Add those entries to the directory using the client tool. This won't work if the LDAP server is down:
    ldapadd -D "uid=root,dc=example,dc=org" -x -W -f dirtest.ldif

You'll be prompted for the user password, i.e. the password for user uid=root. This password is defined in the LDAP directory config file, here Trac.

Now you should be able to fully use the directory:

  1. Search entries using an anonymous bind:
    ldapsearch -b "dc=example,dc=org" -x objectclass=*
  2. Search entries using an authenticated bind (the password for Trac is Trac too):
    ldapsearch -b "dc=example,dc=org" -D "uid=trac,dc=example,dc=org" -x -W objectclass=*
  3. You can also add new entries and remove them if you like. However, the LDAP extension unit tests expect the directory to be set up as described above.
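Most failures at the ldapadd step are schema violations (a missing MUST attribute, an attribute the object classes do not allow, an RDN value that is not stored in the entry) or, later, unit tests that cannot find an entry they expect. The following added example (not part of the page or of the LdapPlugin) is a small offline checker for dirtest.ldif: it parses the LDIF above, applies the MUST/MAY rules of the tracuser and tracgroup classes from the slapd.conf fragment on this page (groupOfNames is taken from the standard core schema), confirms every member DN is defined in the file, and confirms the six entries the unit tests rely on are present. The embedded LDIF is a copy of the page's dirtest.ldif; the set of expected DNs is derived from it and is an assumption about what the tests need.

```python
from typing import Dict, List, Optional, Tuple

# dirtest.ldif as given on this page, embedded so the check runs offline
DIRTEST_LDIF = """\
# Managers may add and revoke Trac permissions
dn: cn=managers,dc=example,dc=org
cn: managers
objectClass: groupOfNames
objectClass: tracgroup
member: uid=trac,dc=example,dc=org

dn: cn=users,dc=example,dc=org
cn: users
objectClass: groupOfNames
objectClass: tracgroup
member: uid=joeuser,dc=example,dc=org

dn: uid=trac,dc=example,dc=org
uid: trac
cn: Trac Manager
userPassword: Trac
objectClass: tracuser

dn: uid=anonymous,dc=example,dc=org
uid: anonymous
cn: Trac Anonymous
sn: Anonymous
userPassword: no_use
objectClass: tracuser

dn: uid=authenticated,dc=example,dc=org
uid: authenticated
cn: Trac Authenticated
sn: Authenticated
userPassword: no_use
objectClass: tracuser

dn: uid=joeuser,dc=example,dc=org
uid: joeuser
cn: Joe User
sn: User
userPassword: anypasswd
objectClass: tracuser
"""

# (MUST, MAY) attribute sets per object class, lower-cased. tracuser/tracgroup follow the
# slapd.conf fragment on this page; groupOfNames is the standard core-schema definition.
SCHEMA = {
    "tracuser": ({"uid", "cn", "userpassword"}, {"tracperm", "sn", "description"}),
    "tracgroup": (set(), {"tracperm"}),
    "groupofnames": ({"cn", "member"}, {"businesscategory", "seealso", "owner", "ou", "o", "description"}),
}
# Entries the plugin's unit tests are assumed to rely on (derived from dirtest.ldif above)
EXPECTED_DNS = {f"{rdn},dc=example,dc=org" for rdn in ("cn=managers", "cn=users", "uid=trac",
                                                        "uid=anonymous", "uid=authenticated", "uid=joeuser")}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Tuple[Optional[str], Entry]]:
    """Minimal LDIF parser: '#' comments, blank-line separated records, 'attr: value'.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    records: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:          # sentinel blank line flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return [(rec.pop("dn", [None])[0], rec) for rec in records]


def check_ldif(text: str) -> List[str]:
    """Return the problems slapd or the unit tests would trip over; [] means the file is consistent."""
    problems: List[str] = []
    records = parse_ldif(text)
    dns = {dn.lower() for dn, _ in records if dn}
    for dn, entry in records:
        if dn is None:
            problems.append("record without a dn")
            continue
        # slapd rejects an entry whose RDN value is not also stored in the naming attribute
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in [v.lower() for v in entry.get(rdn_attr.lower(), [])]:
            problems.append(f"{dn}: RDN value not present in attribute {rdn_attr}")
        must, may = set(), set()
        for cls in (c.lower() for c in entry.get("objectclass", [])):
            if cls not in SCHEMA:
                problems.append(f"{dn}: object class {cls} unknown to this checker")
                continue
            must |= SCHEMA[cls][0]
            may |= SCHEMA[cls][1]
        attrs = set(entry)
        for attr in sorted(must - attrs):
            problems.append(f"{dn}: missing MUST attribute {attr}")
        for attr in sorted(attrs - must - may - {"objectclass"}):
            problems.append(f"{dn}: attribute {attr} not allowed by its object classes")
        # plain slapd does not enforce referential integrity; a dangling member only breaks the tests
        for member in entry.get("member", []):
            if member.lower() not in dns:
                problems.append(f"{dn}: member {member} is not defined in this file")
    for required in sorted(EXPECTED_DNS - dns):
        problems.append(f"expected entry {required} is missing")
    return problems


if __name__ == "__main__":
    print("\n".join(check_ldif(DIRTEST_LDIF)) or "dirtest.ldif is consistent")
```

Run it against the file before ldapadd; the checker only knows the classes in its SCHEMA table, so an entry using another class is flagged rather than silently accepted. The member check is deliberately stricter than slapd itself, which happily stores a groupOfNames whose members do not exist.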

Clean up

If the test fails or some part of the installation procedure fails, you will want to clean up the LDAP directory to restart from a clean environment.

  1. Shut down the OpenLDAP server:
    /etc/init.d/slapd stop
  2. Remove the LDAP database files:
    rm /var/local/db/tracldap/*
  3. Reinitialize the directory, see above.

Troubleshooting

OpenLDAP server is sensitive to its configuration settings, so double check your configuration files and your LDIF files if you encounter errors in the early setup stage.

Common errors

Last modified on Jan 27, 2016, 7:18:54 AM
