2017-10-01 21:44:00
In preparation for my upcoming EX413 examination, I'm mucking about with FreeIPA.
FreeIPA is an easy-to-set-up solution for building the basis of your corporate infrastructure on Linux. It includes an LDAP server, it sets up DNS and a CA (certificate authority), and it serves as a Kerberos server. Basically, it's a light version of Active Directory, but targeted at Linux networks. Of course Linux can use AD just fine, but if you don't have AD, FreeIPA is the next best thing.
IPA has come a long way over the past ten years. It might still not be fully featured, but it certainly allows you to set up a centralized RBAC platform, not unlike the BoKS product range I've worked with. BoKS offers more functionality (like a password safe and the possibility to easily filter SSH subsystems, e.g. allowing SCP or SFTP only), but it's also far from free.
I'm currently doing exactly what the EX413 exam wants you to be able to do: install a basic FreeIPA environment, with some users and some centralized SUDO rules. It's the latter that was giving me a little bit of a headache, because I had a hard time figuring out the service account to use for the bind action. Sander van Vugt's training video refers to the service account uid=sudo,cn=sysaccounts,dc=etc,dc=ex413,dc=local, which does not appear to exist out of the box.
This set me off on a foxhunt that lasted 1.5 hours.
- I wanted to use a graphical LDAP browser to poke around the IPA server. Softerra's LDAPAdministrator is a wonderful piece of software, but at $250 for a single license it's a bit much for me :) So I went with Apache's free Directory Studio (ADS).
- ADS is a Java application that runs on Linux, MacOS and Windows. That's ace! However, it's a bit finicky about its Java VMs and it requires A) the full JDK and B) Java version 8. Installing multiple versions of Java on MacOS is famously messy, and Wim de Blauwe's blog post about easily switching Java versions on MacOS was very useful.
- Unfortunately it wasn't enough, so I decided to axe all my installed Java versions as per Oracle's instructions. I then reinstalled JDK8, using the official download from Oracle. After that, I still needed to edit the startup INI file for ADS anyway, to exactly and very specifically point to the right Java VM because /usr/bin/java still points to some old, Apple-provided version. Meh. Instructions here in the ADS FAQ.
- ADS finally boots up! But wouldn't you know it? It also needs an account to bind to the IPA server! :D We're back to square one! A normal user account would allow me to bind just fine, but it was lacking the access permissions to browse the LDAP tree.
- Luckily the FreeIPA FAQ includes a section on adding service accounts for this specific use!
Because this is a sandbox environment, I've set up one account as both the SUDO bind user in /etc/sudo-ldap.conf and in the ADS user interface. Both now work swimmingly! I can 'sudo -l' as a normal user and I can mess around the LDAP tree from the warmth and comfort of my MacOS desktop :)
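As an added illustration (not from the original post) of what those centralized rules look like once the bind works: a small Python evaluator that reads sudoRole entries in the shape FreeIPA's compat tree (ou=sudoers,&lt;suffix&gt;) hands to sudo and answers the same question `sudo -l` answers. The LDIF, suffix, user names and hosts are constructed for the example; sudoOption handling and netgroup/hostgroup matching are left out.

```python
from fnmatch import fnmatchcase

# Constructed sample: two sudoRole entries shaped like those FreeIPA's compat
# tree serves to sudo; the suffix, rule names, users and hosts are made up.
SAMPLE_LDIF = """\
dn: cn=admins_all,ou=sudoers,dc=ex413,dc=local
objectClass: sudoRole
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL

dn: cn=ops_restart,ou=sudoers,dc=ex413,dc=local
objectClass: sudoRole
cn: ops_restart
sudoUser: alice
sudoUser: bob
sudoHost: web*.ex413.local
sudoCommand: /bin/systemctl restart httpd
"""

def parse_roles(ldif):
    """Turn LDIF text into {attribute: [values]} dicts, keeping sudoRole entries only."""
    roles = []
    for block in ldif.strip().split("\n\n"):      # entries are separated by a blank line
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")  # multi-valued attributes repeat the key
            attrs.setdefault(key, []).append(value)
        if "sudoRole" in attrs.get("objectClass", []):
            roles.append(attrs)
    return roles

def applicable(roles, user, groups, host):
    """Roles matching user (a member of groups) on host, as sudo -l would list them."""
    return [r for r in roles
            if any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                   for u in r.get("sudoUser", []))          # name, %group or ALL
            and any(h == "ALL" or fnmatchcase(host, h)      # hostname glob or ALL
                    for h in r.get("sudoHost", []))]

def allowed(roles, user, groups, host, command):
    """True if some applicable role grants exactly this command (or ALL)."""
    return any(c == "ALL" or c == command
               for r in applicable(roles, user, groups, host)
               for c in r.get("sudoCommand", []))
```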
EDIT:
Well I'll be a monkey's uncle! That little rascal of a UID=sudo was hiding inside LDAP all along! I guess I really did make a mistake in my initial ldappasswd command :D Well, at least I learned a thing or two!
EDIT 2:
FOUND IT! The OID I showed up top has an 's' too many! I wrote 'sysaccountS', while it's supposed to be 'sysaccount'. Ace! That's going to make life a lot easier during the exam :)
kilala.nl tags: work, sysadmin