yannstatic/static/2019/12/25/ldap-Getting_started_with_OpenLDAP.html

2273 lines
206 KiB
HTML
Raw Permalink Normal View History

2024-10-31 20:18:37 +01:00
<!DOCTYPE html><html lang="fr">
<head><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"><title>ldap-Getting started with OpenLDAP - YannStatic</title>
<meta name="description" content="OpenLDAP">
<link rel="canonical" href="https://static.rnmkcy.eu/2019/12/25/ldap-Getting_started_with_OpenLDAP.html"><link rel="alternate" type="application/rss+xml" title="YannStatic" href="/feed.xml">
<!-- - include head/favicon.html - -->
<link rel="shortcut icon" type="image/png" href="/assets/favicon/favicon.png"><link rel="stylesheet" href="/assets/css/main.css"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.13/css/all.css" ><!-- start custom head snippets --><link rel="stylesheet" href="/assets/css/expand.css">
<!-- end custom head snippets --><script>(function() {
window.isArray = function(val) {
return Object.prototype.toString.call(val) === '[object Array]';
};
window.isString = function(val) {
return typeof val === 'string';
};
window.hasEvent = function(event) {
return 'on'.concat(event) in window.document;
};
window.isOverallScroller = function(node) {
return node === document.documentElement || node === document.body || node === window;
};
window.isFormElement = function(node) {
var tagName = node.tagName;
return tagName === 'INPUT' || tagName === 'SELECT' || tagName === 'TEXTAREA';
};
window.pageLoad = (function () {
var loaded = false, cbs = [];
window.addEventListener('load', function () {
var i;
loaded = true;
if (cbs.length > 0) {
for (i = 0; i < cbs.length; i++) {
cbs[i]();
}
}
});
return {
then: function(cb) {
cb && (loaded ? cb() : (cbs.push(cb)));
}
};
})();
})();
(function() {
window.throttle = function(func, wait) {
var args, result, thisArg, timeoutId, lastCalled = 0;
function trailingCall() {
lastCalled = new Date;
timeoutId = null;
result = func.apply(thisArg, args);
}
return function() {
var now = new Date,
remaining = wait - (now - lastCalled);
args = arguments;
thisArg = this;
if (remaining <= 0) {
clearTimeout(timeoutId);
timeoutId = null;
lastCalled = now;
result = func.apply(thisArg, args);
} else if (!timeoutId) {
timeoutId = setTimeout(trailingCall, remaining);
}
return result;
};
};
})();
(function() {
var Set = (function() {
var add = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (data[i] === item) {
return;
}
}
this.size ++;
data.push(item);
return data;
};
var Set = function(data) {
this.size = 0;
this._data = [];
var i;
if (data.length > 0) {
for (i = 0; i < data.length; i++) {
add.call(this, data[i]);
}
}
};
Set.prototype.add = add;
Set.prototype.get = function(index) { return this._data[index]; };
Set.prototype.has = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (this.get(i) === item) {
return true;
}
}
return false;
};
Set.prototype.is = function(map) {
if (map._data.length !== this._data.length) { return false; }
var i, j, flag, tData = this._data, mData = map._data;
for (i = 0; i < tData.length; i++) {
for (flag = false, j = 0; j < mData.length; j++) {
if (tData[i] === mData[j]) {
flag = true;
break;
}
}
if (!flag) { return false; }
}
return true;
};
Set.prototype.values = function() {
return this._data;
};
return Set;
})();
window.Lazyload = (function(doc) {
var queue = {js: [], css: []}, sources = {js: {}, css: {}}, context = this;
var createNode = function(name, attrs) {
var node = doc.createElement(name), attr;
for (attr in attrs) {
if (attrs.hasOwnProperty(attr)) {
node.setAttribute(attr, attrs[attr]);
}
}
return node;
};
var end = function(type, url) {
var s, q, qi, cbs, i, j, cur, val, flag;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
s[url] = true;
for (i = 0; i < q.length; i++) {
cur = q[i];
if (cur.urls.has(url)) {
qi = cur, val = qi.urls.values();
qi && (cbs = qi.callbacks);
for (flag = true, j = 0; j < val.length; j++) {
cur = val[j];
if (!s[cur]) {
flag = false;
}
}
if (flag && cbs && cbs.length > 0) {
for (j = 0; j < cbs.length; j++) {
cbs[j].call(context);
}
qi.load = true;
}
}
}
}
};
var load = function(type, urls, callback) {
var s, q, qi, node, i, cur,
_urls = typeof urls === 'string' ? new Set([urls]) : new Set(urls), val, url;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
for (i = 0; i < q.length; i++) {
cur = q[i];
if (_urls.is(cur.urls)) {
qi = cur;
break;
}
}
val = _urls.values();
if (qi) {
callback && (qi.load || qi.callbacks.push(callback));
callback && (qi.load && callback());
} else {
q.push({
urls: _urls,
callbacks: callback ? [callback] : [],
load: false
});
for (i = 0; i < val.length; i++) {
node = null, url = val[i];
if (s[url] === undefined) {
(type === 'js' ) && (node = createNode('script', { src: url }));
(type === 'css') && (node = createNode('link', { rel: 'stylesheet', href: url }));
if (node) {
node.onload = (function(type, url) {
return function() {
end(type, url);
};
})(type, url);
(doc.head || doc.body).appendChild(node);
s[url] = false;
}
}
}
}
}
};
return {
js: function(url, callback) {
load('js', url, callback);
},
css: function(url, callback) {
load('css', url, callback);
}
};
})(this.document);
})();
</script><script>
(function() {
var TEXT_VARIABLES = {
version: '2.2.6',
sources: {
font_awesome: 'https://use.fontawesome.com/releases/v5.0.13/css/all.css',
jquery: '/assets/js/jquery.min.js',
leancloud_js_sdk: '//cdn.jsdelivr.net/npm/leancloud-storage@3.13.2/dist/av-min.js',
chart: 'https://cdn.bootcss.com/Chart.js/2.7.2/Chart.bundle.min.js',
gitalk: {
js: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.js',
css: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.css'
},
valine: 'https://unpkg.com/valine/dist/Valine.min.js'
},
site: {
toc: {
selectors: 'h1,h2,h3'
}
},
paths: {
search_js: '/assets/search.js'
}
};
window.TEXT_VARIABLES = TEXT_VARIABLES;
})();
</script>
</head>
<body>
<div class="root" data-is-touch="false">
<div class="layout--page js-page-root"><!----><div class="page__main js-page-main page__viewport hide-footer has-aside has-aside cell cell--auto">
<div class="page__main-inner"><div class="page__header d-print-none"><header class="header"><div class="main">
<div class="header__title">
<div class="header__brand"><svg id="svg" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="478.9473684210526" viewBox="0, 0, 400,478.9473684210526"><g id="svgg"><path id="path0" d="M308.400 56.805 C 306.970 56.966,303.280 57.385,300.200 57.738 C 290.906 58.803,278.299 59.676,269.200 59.887 L 260.600 60.085 259.400 61.171 C 258.010 62.428,256.198 63.600,255.645 63.600 C 255.070 63.600,252.887 65.897,252.598 66.806 C 252.460 67.243,252.206 67.600,252.034 67.600 C 251.397 67.600,247.206 71.509,247.202 72.107 C 247.201 72.275,246.390 73.190,245.400 74.138 C 243.961 75.517,243.598 76.137,243.592 77.231 C 243.579 79.293,241.785 83.966,240.470 85.364 C 239.176 86.740,238.522 88.365,237.991 91.521 C 237.631 93.665,236.114 97.200,235.554 97.200 C 234.938 97.200,232.737 102.354,232.450 104.472 C 232.158 106.625,230.879 109.226,229.535 110.400 C 228.933 110.926,228.171 113.162,226.434 119.500 C 226.178 120.435,225.795 121.200,225.584 121.200 C 225.373 121.200,225.200 121.476,225.200 121.813 C 225.200 122.149,224.885 122.541,224.500 122.683 C 223.606 123.013,223.214 123.593,223.204 124.600 C 223.183 126.555,220.763 132.911,219.410 134.562 C 218.443 135.742,217.876 136.956,217.599 138.440 C 217.041 141.424,215.177 146.434,214.532 146.681 C 214.240 146.794,214.000 147.055,214.000 147.261 C 214.000 147.467,213.550 148.086,213.000 148.636 C 212.450 149.186,212.000 149.893,212.000 150.208 C 212.000 151.386,208.441 154.450,207.597 153.998 C 206.319 153.315,204.913 150.379,204.633 147.811 C 204.365 145.357,202.848 142.147,201.759 141.729 C 200.967 141.425,199.200 137.451,199.200 135.974 C 199.200 134.629,198.435 133.224,196.660 131.311 C 195.363 129.913,194.572 128.123,193.870 125.000 C 193.623 123.900,193.236 122.793,193.010 122.540 C 190.863 120.133,190.147 118.880,188.978 115.481 C 188.100 112.928,187.151 111.003,186.254 109.955 C 185.358 108.908,184.518 107.204,183.847 105.073 C 183.280 103.273,182.497 101.329,182.108 100.753 C 181.719 100.177,180.904 98.997,180.298 98.131 C 179.693 97.265,178.939 95.576,178.624 94.378 C 178.041 92.159,177.125 90.326,175.023 87.168 C 174.375 86.196,173.619 84.539,173.342 83.486 C 172.800 81.429,171.529 79.567,170.131 78.785 C 169.654 78.517,168.697 77.511,168.006 76.549 C 167.316 75.587,166.594 74.800,166.402 74.800 C 166.210 74.800,164.869 73.633,163.421 72.206 C 160.103 68.936,161.107 69.109,146.550 69.301 C 133.437 69.474,128.581 70.162,126.618 72.124 C 126.248 72.495,125.462 72.904,124.872 73.033 C 124.282 73.163,123.088 73.536,122.219 73.863 C 121.349 74.191,119.028 74.638,117.061 74.858 C 113.514 75.254,109.970 76.350,108.782 77.419 C 107.652 78.436,100.146 80.400,97.388 80.400 C 95.775 80.400,93.167 81.360,91.200 82.679 C 90.430 83.195,89.113 83.804,88.274 84.031 C 85.875 84.681,78.799 90.910,74.400 96.243 L 73.400 97.456 73.455 106.028 C 73.526 117.055,74.527 121.238,77.820 124.263 C 78.919 125.273,80.400 127.902,80.400 128.842 C 80.400 129.202,81.075 130.256,81.900 131.186 C 83.563 133.059,85.497 136.346,86.039 138.216 C 86.233 138.886,87.203 140.207,88.196 141.153 C 89.188 142.098,90.000 143.104,90.000 143.388 C 90.000 144.337,92.129 148.594,92.869 149.123 C 93.271 149.410,93.600 149.831,93.600 150.059 C 93.600 150.286,93.932 150.771,94.337 151.136 C 94.743 151.501,95.598 153.004,96.237 154.475 C 96.877 155.947,97.760 157.351,98.200 157.596 C 98.640 157.841,99.900 159.943,101.000 162.267 C 102.207 164.817,103.327 166.644,103.825 166.876 C 104.278 167.087,105.065 168.101,105.573 169.130 C 107.658 173.348,108.097 174.093,110.006 176.647 C 111.103 178.114,112.000 179.725,112.000 180.227 C 112.000 181.048,113.425 183.163,114.678 184.200 C 115.295 184.711,117.396 188.733,117.720 190.022 C 117.855 190.562,118.603 191.633,119.381 192.402 C 120.160 193.171,121.496 195.258,122.351 197.039 C 123.206 198.820,124.167 200.378,124.487 200.501 C 124.807 200.624,125.953 202.496,127.034 204.662 C 128.114 206.828,129.676 209.299,130.505 210.153 C 131.333 211.007,132.124 212.177,132.262 212.753 C 132.618 214.239,134.291 217.048,136.288 219.5
" href="/">YannStatic</a></div><!--<button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button>--><!-- <li><button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button></li> -->
<!-- Champ de recherche -->
<div id="searchbox" class="search search--dark" style="visibility: visible">
<div class="main">
<div class="search__header"></div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<!-- <div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div> -->
</div>
</div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
json: '/search.json',
//searchResultTemplate: '<li><a href="https://static.rnmkcy.eu{url}">{date}&nbsp;{title}</a></li>'
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a></li>'
})
</script>
<!-- Fin déclaration champ de recherche --></div><nav class="navigation">
<ul><li class="navigation__item"><a href="/archive.html">Etiquettes</a></li><li class="navigation__item"><a href="/htmldoc.html">Documents</a></li><li class="navigation__item"><a href="/liens_ttrss.html">Liens</a></li><li class="navigation__item"><a href="/aide-jekyll-text-theme.html">Aide</a></li></ul>
</nav></div>
</header>
</div><div class="page__content"><div class ="main"><div class="grid grid--reverse">
<div class="col-main cell cell--auto"><!-- start custom main top snippet --><div id="results-container" class="search-result js-search-result"></div><!-- end custom main top snippet -->
<article itemscope itemtype="http://schema.org/Article"><div class="article__header"><header><h1 style="color:Tomato;">ldap-Getting started with OpenLDAP</h1></header></div><meta itemprop="headline" content="ldap-Getting started with OpenLDAP"><div class="article__info clearfix"><ul class="left-col menu"><li>
2024-11-08 14:10:33 +01:00
<a class="button button--secondary button--pill button--sm" style="color:#00FFFF" href="/archive.html?tag=ldap">ldap</a>
2024-10-31 20:18:37 +01:00
</li></ul><ul class="right-col menu"><li>
<i class="far fa-calendar-alt"></i>&nbsp;<span title="Création" style="color:#FF00FF">25&nbsp;déc.&nbsp;&nbsp;2019</span>
<span title="Modification" style="color:#00FF7F">23&nbsp;nov.&nbsp;&nbsp;2018</span></li></ul></div><meta itemprop="datePublished" content="2018-11-23T00:00:00+01:00">
<meta itemprop="keywords" content="ldap"><div class="js-article-content">
<div class="layout--article"><!-- start custom article top snippet -->
<style>
#myBtn {
display: none;
position: fixed;
bottom: 10px;
right: 10px;
z-index: 99;
font-size: 12px;
font-weight: bold;
border: none;
outline: none;
background-color: white;
color: black;
cursor: pointer;
padding: 5px;
border-radius: 4px;
}
#myBtn:hover {
background-color: #555;
}
</style>
<button onclick="topFunction()" id="myBtn" title="Haut de page">&#8679;</button>
<script>
//Get the button
var mybutton = document.getElementById("myBtn");
// When the user scrolls down 20px from the top of the document, show the button
window.onscroll = function() {scrollFunction()};
function scrollFunction() {
if (document.body.scrollTop > 20 || document.documentElement.scrollTop > 20) {
mybutton.style.display = "block";
} else {
mybutton.style.display = "none";
}
}
// When the user clicks on the button, scroll to the top of the document
function topFunction() {
document.body.scrollTop = 0;
document.documentElement.scrollTop = 0;
}
</script>
<!-- end custom article top snippet -->
<div class="article__content" itemprop="articleBody"><details>
<summary><b>Afficher/cacher Sommaire</b></summary>
<!-- affichage sommaire -->
<div class="toc-aside js-toc-root"></div>
</details><h2 id="openldap">OpenLDAP</h2>
<p><a href="https://www.vennedey.net/resources/0-Getting-started-with-OpenLDAP-on-Debian-8">Getting started with OpenLDAP on Debian </a><br />
<a href="https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains">LDAP managed mail server with Postfix and Dovecot for multiple domains</a><br />
<a href="https://wiki.gandi.net/fr/hosting/using-linux/tutorials/debian/mail-server-ldap">Installation dun serveur mail avec backend OpenLDAP</a></p>
<h3 id="installation">Installation</h3>
<p>Linstallation dOpenLDAP sur Debian est faite à laide de la gestion des paquets APT.<br />
<code class="language-plaintext highlighter-rouge">root@ldaphost:~# apt install slapd ldap-utils</code></p>
<p>Pendant linstallation, vous devrez choisir un mot de passe de ladministrateur pour le compte racine LDAP. rhTJH8f97dkS65</p>
<h3 id="reconfigurer-ldap">Reconfigurer ldap</h3>
<p><code class="language-plaintext highlighter-rouge">sudo dpkg-reconfigure slapd</code><br />
Voulez-vous omettre la configuration dOpenLDAP ? Non<br />
Nom de domaine : xoyize.xyz<br />
Nom dentité (« organization ») : yanspm<br />
Mot de passe de ladministrateur : f43z7C9TBwxX3h<br />
Module de base de données à utiliser : HDB<br />
Faut-il supprimer la base de données lors de la purge du paquet ? Non<br />
Faut-il déplacer lancienne base de données ? Oui</p>
<p>Ensuite, nous devons redémarrer <strong>slapd</strong> .<br />
<code class="language-plaintext highlighter-rouge">root@ldaphost:~# service slapd restart</code><br />
Et nous pouvons vérifier si les changements ont pris effet</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@ldaphost:~# netstat -lpn | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3106/slapd
tcp6 0 0 :::389 :::* LISTEN 3106/slapd
</code></pre></div></div>
<p>Comme on peut le voir, <strong>slapd</strong> écoute les interfaces locales IPv4 et IPv6.</p>
<h3 id="phpldapadmin">PhpLdapAdmin</h3>
<p><strong>Installation</strong><br />
php-ldap<br />
<code class="language-plaintext highlighter-rouge">apt install php7.0-ldap #PHP7</code></p>
<p>Téléchargement<br />
<code class="language-plaintext highlighter-rouge">wget -O phpLDAPadmin.tar.gz http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.tgz/download</code><br />
Décompression<br />
<code class="language-plaintext highlighter-rouge">tar xvzf phpLDAPadmin.tar.gz -C . </code><br />
Déplacer dans le dossier web<br />
<code class="language-plaintext highlighter-rouge">mv phpldapadmin-1.2.3 /var/www/phpldapadmin</code>
Files owned by root, www-data can just read<br />
<code class="language-plaintext highlighter-rouge">chown -R root: /var/www/phpldapadmin</code><br />
<code class="language-plaintext highlighter-rouge">find /var/www/phpldapadmin -type f | xargs sudo chmod 644</code><br />
<code class="language-plaintext highlighter-rouge">find /var/www/phpldapadmin -type d | xargs sudo chmod 755</code><br />
config.php contains sensitive data, restrict its access<br />
<code class="language-plaintext highlighter-rouge">cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin/config/config.php</code><br />
<code class="language-plaintext highlighter-rouge">chown root:www-data /var/www/phpldapadmin/config/config.php</code><br />
<code class="language-plaintext highlighter-rouge">chmod 640 /var/www/phpldapadmin/config/config.php</code><br />
Test connexion ldap avec <strong>ldapwhoami</strong><br />
<code class="language-plaintext highlighter-rouge">ldapwhoami -H ldap:// -x</code> retourne <strong>anonymous</strong></p>
<p><strong>Configuration PhpLdapAdmin</strong><br />
<code class="language-plaintext highlighter-rouge">sudo nano /var/www/phpldapadmin/config/config.php</code></p>
<p>Rechercher Ctrl W <strong>$servers-&gt;setValue(server,name</strong><br />
<code class="language-plaintext highlighter-rouge">$servers-&gt;setValue('server','name','xoyize LDAP Server');</code>
Rechercher Ctrl W <strong>$servers-&gt;setValue(server,base,array())</strong><br />
<code class="language-plaintext highlighter-rouge">$servers-&gt;setValue('server','base',array('dc=xoyize,dc=xyz'));</code><br />
Hide the warnings for invalid objectClasses/attributes in templates.<br />
<code class="language-plaintext highlighter-rouge">$config-&gt;custom-&gt;appearance['hide_template_warning'] = true;</code></p>
<p><strong>Configuration Vhost NGINX</strong><br />
<code class="language-plaintext highlighter-rouge">sudo nano /etc/nginx/conf.d/xoyize.xyz.d/phpldapadmin.conf</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>location /phpldap {
alias /var/www/phpldapadmin ;
index index.php;
try_files $uri $uri/ index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock; # PHP7.0
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
</code></pre></div></div>
<p>Vérifier et relancer le service
<code class="language-plaintext highlighter-rouge">sudo nginx -t</code><br />
<code class="language-plaintext highlighter-rouge">sudo systemctl restart nginx</code></p>
<p>Connexion <a href="https://xoyize.xyz/phpldap/">https://xoyize.xyz/phpldap/</a> cn=admin,dc=xoyize,dc=xyz mot-de-passe<br />
cn=admin,dc=xoyize,dc=xyz WLgG39zx52</p>
<h3 id="configuration-ldap-starttls">Configuration LDAP StartTLS</h3>
<p>Bien que nous ayons crypté notre interface Web, les clients LDAP externes se connectent toujours au serveur et transmettent des informations en texte brut.<br />
Utilisons nos certificats SSL Lets Encrypt pour ajouter un cryptage à notre serveur LDAP.<br />
Configuration de Slapd pour offrir des connexions sécurisées</p>
<p>Enfin, nous devons configurer slapd pour utiliser ces certificats et ces clés.<br />
Pour ce faire, nous mettons toutes nos modifications de configuration dans un fichier LDIF (format déchange de données LDAP)<br />
puis chargeons les modifications dans notre serveur LDAP avec la commande ldapmodify.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo -s
mkdir /etc/ldap/tls/
# copy the files
cp /root/.acme.sh/xoyize.xyz/xoyize.xyz.cer /etc/ldap/tls/slapd-xoyize-cert.pem
cp /root/.acme.sh/xoyize.xyz/fullchain.cer /etc/ldap/tls/slapd-xoyize-fullchain.pem
cp /root/.acme.sh/xoyize.xyz/xoyize.xyz.key /etc/ldap/tls/slapd-xoyize-key.pem
chown -R openldap:openldap /etc/ldap/tls/
chmod 101 /etc/ldap/tls/
chmod 400 /etc/ldap/tls/*
chmod 404 /etc/ldap/tls/slapd-xoyize-cert.pem
</code></pre></div></div>
<p><strong>ATTENTION:</strong> Le fichier <strong>/etc/ldap/ldap.conf</strong> doit contenir une référence <strong>TLS_CACERT</strong></p>
<p>Now you need to tell slapd where it will find the files by setting the accordant attributes in cn=config.</p>
<p>slapd_config_TLS_enable.ldif</p>
<p>dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/slapd-xoyize-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/slapd-xoyize-fullchain.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/slapd-xoyize-key.pem</p>
<p>root@ldaphost:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd_config_TLS_enable.ldif</p>
<h3 id="openldap-configuration">OpenLDAP configuration</h3>
<p>Depuis OpenLDAP 2.3, la configuration du comportement de <strong>slapd</strong> est stockée dans larborescence dinformations du répertoire (DIT). À mon avis, cela rend la configuration beaucoup plus obscure que de simplement éditer un fichier de configuration, mais comme la configuration de lancien fichier slapd.conf est obsolète et ne sera pas prise en charge dans les versions futures, nous devons nous en occuper.</p>
<p><strong>Modifier la configuration</strong></p>
<p>Pour modifier la configuration de votre installation slapd, vous devez modifier les attributs de larbre de répertoires <strong>cn=config</strong>. Cela peut être réalisé en utilisant nimporte quel outil standard pour la communication et la manipulation avec LDAP comme <strong>ldapmodify</strong> ou des outils graphiques comme jxeplorer ou phpldapadmin. Dans la configuration par défaut appliquée lors de linstallation de slapd, seul lutilisateur root local de la machine est autorisé à accéder au <strong>cn=config</strong> DIT.</p>
<p>Pour appliquer les modifications à la configuration active, vous pouvez créer des fichiers LDIF décrivant la modification et les envoyer dans larborescence cn=config en utilisant ldapmodify.<br />
Pour définir le loglevel de slapd, vous pouvez créer le fichier suivant<br />
<strong>slapd_config_loglevel.ldif</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: none stats config conns
</code></pre></div></div>
<p>Et utiliser <strong>ldapmodify</strong> pour appliquer les modifications.</p>
<p>root@ldaphost:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd_config_loglevel.ldif</p>
<p>Configure suffix and create basic DIT objects</p>
<p>One of the very first things you might want to configure is the olcSuffix attribute of your directory database. Usually this is choosen to reflect the domain name of the slapd running host. For example, if the server runs on a host thats domain name is ldap.example.com, the olcSuffix attribute is set to dc=example,dc=com.</p>
<p>If you are lucky the suffix got set correctly during installation of slapd and you dont have to configure it yourself. To check what suffix was set you can either check for the olcSuffix attribute in olcDatabase={1}mdb,cn=config or ask your LDAP server which baseDNs it provides.</p>
<p>To figure this out, run the following command on your server.</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -H ldapi:/// -b “” -s base namingcontexts</p>
<p>If you get something like</p>
<p>dn:
namingContexts: dc=your,dc=domain,dc=com</p>
<p>(of course reflecting your domain name instead) you are just fine and can proceed with further configuration. If you get something that doesnt match your domain name (e.g. dc=nodomain) you have to set it up yourself.</p>
<p>To change the suffix of your database, you first have to modify the olcSuffix and olcRootDN attributes to match your domain name.</p>
<p>slapd_config_suffix.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=your,dc=domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=your,dc=domain,dc=com
</code></pre></div></div>
<p>root@ldaphost:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd_config_suffix.ldif</p>
<p>After that you have to create the top element of the directory tree (dc=your,dc=domain,dc=com) and the object for the LDAP adminstrator account (cn=admin,dc=your,dc=domain,dc=com).</p>
<p>slapd_setup_basic.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: dc=your,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organisation name
dc: your
dn: cn=admin,dc=your,dc=domain,dc=com
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:
</code></pre></div></div>
<p>To create these objects, you have to use the databases root account and to enter your LDAP admin password as specified during installation.</p>
<p>user@ldaphost:~$ ldapmodify -x -W -D cn=admin,dc=your,dc=domain,dc=com -H ldapi:/// -f slapd_setup_basic.ldif</p>
<p>Allow configuration via simple authentication over TCP</p>
<p>While for basic configurations of slapd the usage of LDIF files and the hosts root account is necessary, it might be more convinient to connect to the cn=config DIT using graphical tools like jxeplorer or phpldapadmin to browse and modify the configuration comfortably. These tools connect to slapd via TCP and usually make use of the simple authentication method. To allow configuration over TCP connections, we have to add a olcRootPW attribute to the olcDatabase=config,cn=config entry. The password is provided in a hashed manner. You can either reuse the hash you retrieved from your current configuration (See attribute olcRootPW in olcDatabase={1}mdb,cn=config) and use one password for managing both configuration and information database, or you generate a new hash choosing a seperate password (advised) by using the slappasswd command.</p>
<p>user@ldaphost:~$ slappasswd
New password:
Re-enter new password:
{SSHA}x8dz1b+GDsUM9jeqz81xQhoEvTQLf07/</p>
<p>To add the password to the cn=config database you have to create a LDIF file which describes the changes that will be made to the database.</p>
<p>slapd_setup_config_rootPW.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}x8dz1b+GDsUM9jeqz81xQhoEvTQLf07/
</code></pre></div></div>
<p>To apply the changes to your slapd run</p>
<p>root@ldaphost:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd_setup_config_rootPW.ldif</p>
<p>and check if the password got added correctly:</p>
<p>root@ldaphost:~# ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}x8dz1b+GDsUM9jeqz81xQhoEvTQLf07/</p>
<p>You should now be able to see and edit your configuration using the cn=admin,cn=config user and your password with simple authentication (-x) over TCP (ldap://localhost:389).</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -W -D cn=admin,cn=config -H ldap://localhost:389 -b cn=config
Enter LDAP Password:
dn: cn=config
</p>
<p>WARNING: Before connecting to your LDAP server over TCP trough the internet read the next section on how to secure the connection between you and your server to prevent sniffing of your passwords and intrusion to your slapd.
Securing the connection</p>
<p>Before connecting to your LDAP server over TCP from outsite (your local workspace) you should ensure that the connection established over the network (usually the internet) between your workstation and your LDAP server is encrypted so that an eavesdropper cant sniff the content of your LDAP communication, which, for example, might contain your root password.</p>
<p>If you have SSH access to the slapd running server you can setup an encrypted tunnel from your local machine to slapd by doing something like</p>
<p>you@workstation:~$ ssh -L 10389:localhost:389 ldap.example.com</p>
<p>which will open port 10389 on your workstation to which you can connect with any ldap client like ldapsearch.</p>
<p>you@workstation:~$ ldapsearch -x -H ldap://localhost:10389 -b dc=ldap,dc=example,dc=com</p>
<p>While this is a good way of securing your connection if you are the only one connecting to your slapd from the outsite world it is not sustainable to make your directory reachable for other services running on different hosts or for users without SSH access to this particular machine. For these purposes its better to secure the connection by TLS.</p>
<p>To setup TLS support you need to provide three files.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>The certification authority certificate (CA.pem)
The actual TLS key used for encryption (device.key)
The certificate for your TLS key (device.crt), signed with the key belonging to the CA certificate
</code></pre></div></div>
<p>Here is a quick walkthrough to generate these files on your own. This will leave you with a certificate valid for one year. Important when generating the device certificate (device.crt) is to set the common name (CN) to the domain name that will be used to contact the ldap server (e.g. ldap.example.com). Otherwise, the connection will be refused with TLS: hostname does not match CN in peer certificate. You could also use a certificate signed by an official certificate authority like Lets Encrypt.</p>
<p>root@ldaphost:~# openssl genrsa -out CA.key 8192 &amp;&amp; chmod 400 CA.key
root@ldaphost:~# openssl req -new -x509 -nodes -key CA.key -days 3650 -out CA.pem
root@ldaphost:~# openssl genrsa -out device.key 4096 &amp;&amp; chmod 400 device.key
root@ldaphost:~# openssl req -new -key device.key -out device.csr
root@ldaphost:~# openssl x509 -req -in device.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out device.crt -days 365</p>
<p>If you got all necessary files generated, you can store them in /etc/ldap/tls/. Keep in mind that at least the key (device.key) contains sensitive data that needs to be protected from being read by anyone else than the slapd process. This can easily be achieved by changing the files owner to the slapd running user openldap and giving read permissions to only the owner of the file.</p>
<p>root@ldaphost:~# mkdir /etc/ldap/tls/
root@ldaphost:~# cp CA.pem device.key device.crt /etc/ldap/tls/
root@ldaphost:~# chown -R openldap:openldap /etc/ldap/tls/
root@ldaphost:~# chmod 101 /etc/ldap/tls/
root@ldaphost:~# chmod 400 /etc/ldap/tls/*
root@ldaphost:~# chmod 404 /etc/ldap/tls/CA.pem</p>
<p>Now you need to tell slapd where it will find the files by setting the accordant attributes in cn=config.</p>
<p>slapd_config_TLS_enable.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/CA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/device.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/device.key
</code></pre></div></div>
<p>root@ldaphost:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd_config_TLS_enable.ldif</p>
<p>If you run into trouble setting these attributes, it might help to restart the slapd deamon (service slapd restart).</p>
<p>Before testing the TLS configuration with ldapsearch on your ldap server the TLS_CACERT directive has to be set in /etc/ldap/ldap.conf to point to the CA certificate used by the slapd. This needs to be done on any host that needs to connect to your LDAP server using TLS. This means that you also need to copy the CA.pem to each clients /etc/ldap/tls/CA.pem and configure /etc/ldap/ldap.conf accordingly.</p>
<p>ldap.conf</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TLS_CACERT /etc/ldap/tls/CA.pem
</code></pre></div></div>
<p>To test whether TLS support works try to run a ldapsearch with parameter -ZZ. Make sure to use the hostname you specified in the CN attribute of your TLS certificate.</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -H ldap://ldap.example.com -b dc=ldap,dc=example,dc=com -ZZ</p>
<p>If this works without any errors, also try to connect to the configuration database cn=config using TLS.</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -W -D cn=admin,cn=config -H ldap://ldap.example.com -b cn=config -ZZ
Enter LDAP Password:
dn: cn=config
</p>
<p>If you get an error like ldap_start_tls: Cant contact LDAP server (-1) this might indicate a wrong configuration of your DNS setup (domain does not point to your local interface). Try to add the line 127.0.0.1 ldap.example.com (and ::1 ldap.example.com when using IPv6) to your /etc/hosts file and try again.
Tightening TLS</p>
<p>When the basic TLS setup works, you also might want to set the olcTLSCipherSuite to define what cypher suites and protocols will be used within the connection. There is no general recommendation for this parameter, since a lot of things must be taken into consideration. If you control the clients connecting to your server as well, you can come up with a more secure and strict configuration. If you have to support a lot of different and maybe outdated clients, a more relaxed configuration might be necessary.</p>
<p>Since in Debian slapd was built against GnuTLS it is not possible to use OpenSSL cypher lists. Instead a GnuTLS Priority string has to be used. Take some time to read through the following links to decide for a string that suits your environment.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GnuTLS Priority string reference
RHEL 7 dokumentation, chapter 4.11, Hardening TLS Configuration
BetterCrypto.org "Applied Crypto Hardening"
</code></pre></div></div>
<p>The string can be applied to your configuration with this LDIF</p>
<p>slapd_config_TLS_cyphersuite.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn:cn=config
changetype:modify
add:olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-SHA1
</code></pre></div></div>
<p>After configuring the cypher suits, test again if you can contact your databases. If you get errors concerning TLS, relax your configuration and test again.</p>
<p>Unfortunately, it is not possible to use the olcTLSEphemeralDHParamFile parameter to use your own Diffie-Hellman group when slapd got linked against GnuTLS as done in Debian. This is a pity, since it makes hardening the LDAP Server against the Logjam attack impossible.</p>
<p>To enable this feature in Debian you need to build slapd against OpenSSL by yourself.
Enforce TLS connections</p>
<p>The next step is to forbid any unencrypted communication to slapd and enforce the usage of TLS. Before doing so, it is very important to have TLS set up correctly and tested whether you can read and edit the cn=config DIT over TLS (using -ZZ). Otherwise, you will lock yourself out from configuration.</p>
<p>If everything works as expected, you can set the olcSecurity attribute to tls=n, where n is the minimum key length in bits required in any key used during communication. tls=1 means that any key length would be fine, as long as encryption happens. If you configured the olcTLSCypherSuite parameter, the key length used will result out of that configuration, and tls=1 will be a sufficient configuration.</p>
<p>If you didnt set the olcTLSCypherSuite parameter, you at least might want to set a propper value here. A good key length might be something like 128 bits or higher.</p>
<p>slapd_config_TLS_enforce.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=128
</code></pre></div></div>
<p>Note: Be aware that the key length is just one of many many different factors that makes up the security chain of your encryption. The best way to tighten your TLS configuration is still to select propper cypher suites and configure them in olcTLSCypherSuite as decribed in the section before.</p>
<p>Warning: When configuring the key length too high, you might run into trouble and lock yourself out of your directory if the key length specified is not supported by client or server. To avoid this situation it is a good idea to first set the considered value only for the database of your data and not for the cn=config database and test if it works.</p>
<p>slap_config_TLS_enforce_test192.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=192
</code></pre></div></div>
<p>Then test if you can connect to the directory</p>
<p>user@ldaphost~: ldapsearch -LLL -x -H ldap://your.domain.com -b dc=your,dc=domain,dc=com -ZZ
Confidentiality required (13)
Additional information: stronger TLS confidentiality required</p>
<p>If you get stronger TLS confidentiality required the key length used is too long, and you have to decrese it until the test succeeds.</p>
<p>slap_config_TLS_enforce_test128.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=128
</code></pre></div></div>
<p>If you got a working key length, delete the olcSecurity attribute from the olcDatabase={1}mdb,cn=config object and add it to the cn=config object as described at the beginning of this section to apply it to all databases.</p>
<p>slapd_config_TLS_enforce_test_delete.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcSecurity
</code></pre></div></div>
<p>Now check whether it is still possible to communicate with slapd unencrypted by skipping the -ZZ parameter.</p>
<p>ldapsearch -LLL -x -H ldap://your.domain.com -b dc=your,dc=domain,dc=com
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required</p>
<p>try to do the same with cn=config</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -W -D cn=admin,cn=config -H ldap://ldap.example.com -b cn=config
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required</p>
<p>If you get TLS confidentiality required in both cases slapd will not accept unencrypted communication anymore.
Manage ACLs</p>
<p>Before opening your LDAP server to the public (if necessary anyway) you should review the ACLs given in the default configuration whether they fit your needs.</p>
<p>To retrieve the given ACLs run</p>
<p>user@ldaphost:~$ ldapsearch -LLL -x -W -D cn=admin,cn=config -ZZ -H ldap://ldap.example.com -b cn=config (olcAccess=*) olcAccess
Enter LDAP Password:
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact=”” by * read
olcAccess: {2}to dn.base=”cn=Subschema” by * read</p>
<p>dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break</p>
<p>dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base=”” by * read
olcAccess: {2}to * by * read</p>
<p>Since the order of ACLs matters during their evaluation, it is important to insert them into the right place. The {n} prefix in the olcAccess attribute defines the position of the ACL. If you, for example insert an new ACL at index {1}, it will be placed below the ACL indexed {0}, and the old {1} will get indexed {2} and all subsequent ACLs will be renumbered accordingly.</p>
<p>When deleting an entry you can just refer to the index of the ACL.</p>
<p>slapd_acl_delete_1.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {1}
</code></pre></div></div>
<p>To replace an ACL</p>
<p>slapd_acl_replace_1.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1} to &lt;what&gt; by &lt;who&gt; &lt;access&gt;
</code></pre></div></div>
<p>Since the ACLs needed highly depend on the purpose of your slapd installation there is no common recommendation. Please refer to section 8 of the OpenLDAP Administrators Guide and have a look at the OpenLDAP Faq-O-Matic to figure out what suits your needs.</p>
<p>The default configuration above allows unauthenticated users to read the whole DIT, the baseDN and schemes provided by the server. Authentication is allowed against objects providing the userPassword attribute and authenticated users are allowed to change their own userPassword and shadowLastChange attributes.</p>
<p>A basic ACL to start could be to replace all by * with by users in the default ACL to prevent reading the DIT by unauthenticated users.</p>
<p>slapd_config_ACL_basic.ldif</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by users read
olcAccess: {2}to dn.base="cn=Subschema" by users read
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by * none
olcAccess: {1}to dn.base="" by users read
olcAccess: {2}to * by users read
</code></pre></div></div>
<p>Grand Opening</p>
<p>When you are done with your setup, you can edit /etc/default/slapd to make the slapd listen to the global interfaces.</p>
<p>/etc/default/slapd</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SLAPD_SERVICES="ldap:///"
</code></pre></div></div>
<p>root@ldaphost:~# service slapd restart
root@ldaphost:~# netstat -lpn | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 654/slapd <br />
tcp6 0 0 :::389 :::* LISTEN 654/slapd</p>
</div>
<div class="d-print-none"><footer class="article__footer"><meta itemprop="dateModified" content="2019-12-25T00:00:00+01:00"><!-- start custom article footer snippet -->
<!-- end custom article footer snippet -->
<!--
<div align="right"><a type="application/rss+xml" href="/feed.xml" title="S'abonner"><i class="fa fa-rss fa-2x"></i></a>
&emsp;</div>
-->
</footer>
<div class="article__section-navigator clearfix"><div class="previous"><span>PRÉCÉDENT</span><a href="/2019/12/25/intel-14-nm-amd-7-nm-arm-7-nm-et-mon-serveur.html">intel-14-nm-amd-7-nm-arm-7-nm-et-mon-serveur</a></div><div class="next"><span>SUIVANT</span><a href="/2019/12/25/ldap-debian-stretch.html">ldap-debian-stretch</a></div></div></div>
</div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
$(function() {
var $this ,$scroll;
var $articleContent = $('.js-article-content');
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var scroll = hasSidebar ? '.js-page-main' : 'html, body';
$scroll = $(scroll);
$articleContent.find('.highlight').each(function() {
$this = $(this);
$this.attr('data-lang', $this.find('code').attr('data-lang'));
});
$articleContent.find('h1[id], h2[id], h3[id], h4[id], h5[id], h6[id]').each(function() {
$this = $(this);
$this.append($('<a class="anchor d-print-none" aria-hidden="true"></a>').html('<i class="fas fa-anchor"></i>'));
});
$articleContent.on('click', '.anchor', function() {
$scroll.scrollToAnchor('#' + $(this).parent().attr('id'), 400);
});
});
});
})();
</script>
</div><section class="page__comments d-print-none"></section></article><!-- start custom main bottom snippet -->
<!-- end custom main bottom snippet -->
</div>
</div></div></div></div>
</div><script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $body = $('body'), $window = $(window);
var $pageRoot = $('.js-page-root'), $pageMain = $('.js-page-main');
var activeCount = 0;
function modal(options) {
var $root = this, visible, onChange, hideWhenWindowScroll = false;
var scrollTop;
function setOptions(options) {
var _options = options || {};
visible = _options.initialVisible === undefined ? false : show;
onChange = _options.onChange;
hideWhenWindowScroll = _options.hideWhenWindowScroll;
}
function init() {
setState(visible);
}
function setState(isShow) {
if (isShow === visible) {
return;
}
visible = isShow;
if (visible) {
activeCount++;
scrollTop = $(window).scrollTop() || $pageMain.scrollTop();
$root.addClass('modal--show');
$pageMain.scrollTop(scrollTop);
activeCount === 1 && ($pageRoot.addClass('show-modal'), $body.addClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.on('scroll', hide);
$window.on('keyup', handleKeyup);
} else {
activeCount > 0 && activeCount--;
$root.removeClass('modal--show');
$window.scrollTop(scrollTop);
activeCount === 0 && ($pageRoot.removeClass('show-modal'), $body.removeClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.off('scroll', hide);
$window.off('keyup', handleKeyup);
}
onChange && onChange(visible);
}
function show() {
setState(true);
}
function hide() {
setState(false);
}
function handleKeyup(e) {
// Char Code: 27 ESC
if (e.which === 27) {
hide();
}
}
setOptions(options);
init();
return {
show: show,
hide: hide,
$el: $root
};
}
$.fn.modal = modal;
});
})();
</script><div class="modal modal--overflow page__search-modal d-print-none js-page-search-modal"><script>
(function () {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
// search panel
var search = (window.search || (window.search = {}));
var useDefaultSearchBox = window.useDefaultSearchBox === undefined ?
true : window.useDefaultSearchBox ;
var $searchModal = $('.js-page-search-modal');
var $searchToggle = $('.js-search-toggle');
var searchModal = $searchModal.modal({ onChange: handleModalChange, hideWhenWindowScroll: true });
var modalVisible = false;
search.searchModal = searchModal;
var $searchBox = null;
var $searchInput = null;
var $searchClear = null;
function getModalVisible() {
return modalVisible;
}
search.getModalVisible = getModalVisible;
function handleModalChange(visible) {
modalVisible = visible;
if (visible) {
search.onShow && search.onShow();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].focus();
} else {
search.onShow && search.onHide();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].blur();
setTimeout(function() {
useDefaultSearchBox && ($searchInput.val(''), $searchBox.removeClass('not-empty'));
search.clear && search.clear();
window.pageAsideAffix && window.pageAsideAffix.refresh();
}, 400);
}
}
$searchToggle.on('click', function() {
modalVisible ? searchModal.hide() : searchModal.show();
});
// Char Code: 83 S, 191 /
$(window).on('keyup', function(e) {
if (!modalVisible && !window.isFormElement(e.target || e.srcElement) && (e.which === 83 || e.which === 191)) {
modalVisible || searchModal.show();
}
});
if (useDefaultSearchBox) {
$searchBox = $('.js-search-box');
$searchInput = $searchBox.children('input');
$searchClear = $searchBox.children('.js-icon-clear');
search.getSearchInput = function() {
return $searchInput.get(0);
};
search.getVal = function() {
return $searchInput.val();
};
search.setVal = function(val) {
$searchInput.val(val);
};
$searchInput.on('focus', function() {
$(this).addClass('focus');
});
$searchInput.on('blur', function() {
$(this).removeClass('focus');
});
$searchInput.on('input', window.throttle(function() {
var val = $(this).val();
if (val === '' || typeof val !== 'string') {
search.clear && search.clear();
} else {
$searchBox.addClass('not-empty');
search.onInputNotEmpty && search.onInputNotEmpty(val);
}
}, 400));
$searchClear.on('click', function() {
$searchInput.val(''); $searchBox.removeClass('not-empty');
search.clear && search.clear();
});
}
});
})();
</script><div class="search search--dark">
<div class="main">
<div class="search__header">Recherche</div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div>
</div>
<button class="button button--theme-dark button--pill search__cancel js-search-toggle">
Annuler</button>
</div>
<div id="results-container" class="search-result js-search-result"></div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
noResultsText: '<p>Aucun résultat!</p>',
json: '/search.json',
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a>&nbsp;(Création {create})</li>'
})
</script>
</div></div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function scrollToAnchor(anchor, duration, callback) {
var $root = this;
$root.animate({ scrollTop: $(anchor).position().top }, duration, function() {
window.history.replaceState(null, '', window.location.href.split('#')[0] + anchor);
callback && callback();
});
}
$.fn.scrollToAnchor = scrollToAnchor;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function affix(options) {
var $root = this, $window = $(window), $scrollTarget, $scroll,
offsetBottom = 0, scrollTarget = window, scroll = window.document, disabled = false, isOverallScroller = true,
rootTop, rootLeft, rootHeight, scrollBottom, rootBottomTop,
hasInit = false, curState;
function setOptions(options) {
var _options = options || {};
_options.offsetBottom && (offsetBottom = _options.offsetBottom);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroll && (scroll = _options.scroll);
_options.disabled !== undefined && (disabled = _options.disabled);
$scrollTarget = $(scrollTarget);
isOverallScroller = window.isOverallScroller($scrollTarget[0]);
$scroll = $(scroll);
}
function preCalc() {
top();
rootHeight = $root.outerHeight();
rootTop = $root.offset().top + (isOverallScroller ? 0 : $scrollTarget.scrollTop());
rootLeft = $root.offset().left;
}
function calc(needPreCalc) {
needPreCalc && preCalc();
scrollBottom = $scroll.outerHeight() - offsetBottom - rootHeight;
rootBottomTop = scrollBottom - rootTop;
}
function top() {
if (curState !== 'top') {
$root.removeClass('fixed').css({
left: 0,
top: 0
});
curState = 'top';
}
}
function fixed() {
if (curState !== 'fixed') {
$root.addClass('fixed').css({
left: rootLeft + 'px',
top: 0
});
curState = 'fixed';
}
}
function bottom() {
if (curState !== 'bottom') {
$root.removeClass('fixed').css({
left: 0,
top: rootBottomTop + 'px'
});
curState = 'bottom';
}
}
function setState() {
var scrollTop = $scrollTarget.scrollTop();
if (scrollTop >= rootTop && scrollTop <= scrollBottom) {
fixed();
} else if (scrollTop < rootTop) {
top();
} else {
bottom();
}
}
function init() {
if(!hasInit) {
var interval, timeout;
calc(true); setState();
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState();
});
$window.on('resize', function() {
disabled || (calc(true), setState());
});
hasInit = true;
}
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions,
refresh: function() {
calc(true, { animation: false }); setState();
}
};
}
$.fn.affix = affix;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function toc(options) {
var $root = this, $window = $(window), $scrollTarget, $scroller, $tocUl = $('<ul class="toc toc--ellipsis"></ul>'), $tocLi, $headings, $activeLast, $activeCur,
selectors = 'h1,h2,h3', container = 'body', scrollTarget = window, scroller = 'html, body', disabled = false,
headingsPos, scrolling = false, hasRendered = false, hasInit = false;
function setOptions(options) {
var _options = options || {};
_options.selectors && (selectors = _options.selectors);
_options.container && (container = _options.container);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroller && (scroller = _options.scroller);
_options.disabled !== undefined && (disabled = _options.disabled);
$headings = $(container).find(selectors).filter('[id]');
$scrollTarget = $(scrollTarget);
$scroller = $(scroller);
}
function calc() {
headingsPos = [];
$headings.each(function() {
headingsPos.push(Math.floor($(this).position().top));
});
}
function setState(element, disabled) {
var scrollTop = $scrollTarget.scrollTop(), i;
if (disabled || !headingsPos || headingsPos.length < 1) { return; }
if (element) {
$activeCur = element;
} else {
for (i = 0; i < headingsPos.length; i++) {
if (scrollTop >= headingsPos[i]) {
$activeCur = $tocLi.eq(i);
} else {
$activeCur || ($activeCur = $tocLi.eq(i));
break;
}
}
}
$activeLast && $activeLast.removeClass('active');
($activeLast = $activeCur).addClass('active');
}
function render() {
if(!hasRendered) {
$root.append($tocUl);
$headings.each(function() {
var $this = $(this);
$tocUl.append($('<li></li>').addClass('toc-' + $this.prop('tagName').toLowerCase())
.append($('<a></a>').text($this.text()).attr('href', '#' + $this.prop('id'))));
});
$tocLi = $tocUl.children('li');
$tocUl.on('click', 'a', function(e) {
e.preventDefault();
var $this = $(this);
scrolling = true;
setState($this.parent());
$scroller.scrollToAnchor($this.attr('href'), 400, function() {
scrolling = false;
});
});
}
hasRendered = true;
}
function init() {
var interval, timeout;
if(!hasInit) {
render(); calc(); setState(null, scrolling);
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState(null, scrolling);
});
$window.on('resize', window.throttle(function() {
if (!disabled) {
render(); calc(); setState(null, scrolling);
}
}, 100));
}
hasInit = true;
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions
};
}
$.fn.toc = toc;
});
})();
/*(function () {
})();*/
</script><script>
/* toc must before affix, since affix need to konw toc' height. */(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
var TOC_SELECTOR = window.TEXT_VARIABLES.site.toc.selectors;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window);
var $articleContent = $('.js-article-content');
var $tocRoot = $('.js-toc-root'), $col2 = $('.js-col-aside');
var toc;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var hasToc = $articleContent.find(TOC_SELECTOR).length > 0;
function disabled() {
return $col2.css('display') === 'none' || !hasToc;
}
tocDisabled = disabled();
toc = $tocRoot.toc({
selectors: TOC_SELECTOR,
container: $articleContent,
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
tocDisabled = disabled();
toc && toc.setOptions({
disabled: tocDisabled
});
}, 100));
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window), $pageFooter = $('.js-page-footer');
var $pageAside = $('.js-page-aside');
var affix;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
affix = $pageAside.affix({
offsetBottom: $pageFooter.outerHeight(),
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
scroll: hasSidebar ? $('.js-page-main').children() : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
affix && affix.setOptions({
disabled: tocDisabled
});
}, 100));
window.pageAsideAffix = affix;
});
})();
</script><!---->
</div>
<script>(function () {
var $root = document.getElementsByClassName('root')[0];
if (window.hasEvent('touchstart')) {
$root.dataset.isTouch = true;
document.addEventListener('touchstart', function(){}, false);
}
})();
</script>
</body>
</html>