共计 11200 个字符,预计需要花费 28 分钟才能阅读完成。
LDAP 服务器用于统一认证账户信息,有点类似通讯录,实现集中管理用户账户的功能。系统为 CentOS6.4。
安装 openldap 和 Berkeley DB, openldap 使用 Berkeley DB 存储数据。
1)服务端 yum install openldap openldap-servers openldap-clients openldap-devel compat-openldapyum install db4 db4-utils
2)客户端 yum install nss-pam-ldapd pam_ldap openldap-clients
二、服务端配置
1) 首先生成管理员密码:slappasswd 输完两遍密码后会生成一个加密散列字符串,保存下来。如:
{SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738
2)编辑数据库配置文件,设置域名:vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif 找到:olcSuffix: dc=my-domain,dc=com 修改 dc:olcSuffix: dc=ldap,dc=stone,dc=com 设置目录树后缀(域名),作用是定义根的名字。
找到:olcRootDN: cn=Manager,dc=my-domain,dc=com 修改 dc:olcRootDN: cn= Manager,dc=ldap, dc=stone,dc=com 设置管理员 DN。PS:LDAP 管理员 cn 默认为 Manager,可以改成自己需要的名字。
在 olcDatabase={2}bdb.ldif 最后添加:olcRootPW: {SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738 设置管理员密码。
3)指定监控权限:vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif 找到:dn.base=”cn=manager,dc=my-domain,dc=com”修改为:dn.base=”cn= Manager,dc=ldap,dc=stone,dc=com”修改默认域名。
4) /etc/openldap/slapd.conf
************************************
include/etc/openldap/schema/corba.schema
include/etc/openldap/schema/core.schema
include/etc/openldap/schema/cosine.schema
include/etc/openldap/schema/duaconf.schema
include/etc/openldap/schema/dyngroup.schema
include/etc/openldap/schema/inetorgperson.schema
include/etc/openldap/schema/Java.schema
include/etc/openldap/schema/misc.schema
include/etc/openldap/schema/nis.schema
include/etc/openldap/schema/openldap.schema
include/etc/openldap/schema/ppolicy.schema
include/etc/openldap/schema/collective.schema
include/etc/openldap/schema/sudo.schema
allow bind_v2
pidfile/var/run/openldap/slapd.pid
argsfile/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile“\”OpenLDAP Server\””
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth”manage
by * none
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth”read
by dn.exact=”cn=Manager,dc=stone,dc=com”read
by * none
databasebdb
suffix“dc=ldap,dc=stone,dc=com”
checkpoint1024 15
rootdn“cn=Manager,dc=ldap,dc=stone,dc=com”
rootpw{SSHA}hcZ+9TR6qnqjbzCK9KlJOdqkUBmi9irL
directory/var/lib/ldap
index sudoUser eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
***************************************************************
5)设置 Database Cache:cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 设置权限:chown -R ldap:ldap /var/lib/ldap/
从.schema 生成.ldif 配置
slaptest -v -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
测试配置文件是否有错:slaptest - u 提示:
config file testing succeeded
测试通过。
三、创建 LDAP 数据库
# ldap.stone.com
dn: dc=ldap,dc=stone,dc=com
dc: ldap
objectClass: top
objectClass: domain
# people.ldap. stone.com
dn: ou=people,dc=ldap,dc=stone,dc=com
objectClass: organizationalUnit
ou: people
# group.ldap.ciwong.com
dn: ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: organizationalUnit
ou: group
# sudoers.ldap. ciwong.com
dn: ou=sudoers,dc=ldap,dc=ciwong,dc=com
objectClass: top
objectClass: organizationalUnit
description: sudo configuration subtree
ou: sudoers
#用户组
dn: cn=a1,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a1
userPassword: {crypt}x
gidNumber: 501
dn: cn=a2,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a2
userPassword: {crypt}x
gidNumber: 502
#用户:
# a1, people, stone.com
dn: uid=a1,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a1
cn: a1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNpTEw4cFpvJGdwN1RidlBOQjRkSU1ZL0d4eWZ2THNESGtBN2R
CWkcvbWZEelRYZzhQU2FlWWNucFV6S3hSR2VBcXZnL1VRTE1Qbkt6aTR3cExDa2NJMk54M3hOZkIu
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/a1
# a2, people, stone.com
dn: uid=a2,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a2
cn: a2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFRYbXNvU3RiJE9BS1JpYTZVZ0NyMHFFS28wUHJ0NUVPMnpUVmV
lTGVKZ0lZN2I2a3BWUmNIUWVFa3pOajJoQUR2dmE1US54amkua0lSY3hIWUJLdjhDUTZtejdrMGMv
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/a2
#具有 sudo 权限的用户
# role.sudoers.ldap. stone.com
dn: cn=role,ou=sudoers,dc=ldap,dc=stone,dc=com
objectClass: sudoRole
objectClass: top
cn: role
sudoUser: %a1
sudoHost: ALL
sudoRunASUSEr: root
sudoCommand: !/bin/sh
sudoCommand: ALL
**********************************************************
OpenLDAP 的详细介绍:请点这里
OpenLDAP 的下载地址:请点这里
相关阅读:
Liferay Portal 配置使用 Oracle 和 OpenLDAP http://www.linuxidc.com/Linux/2012-07/66928.htm
Axigen+OpenLDAP+BerkeleyDB+ejabberd 多域 +JWchat 详细配置 http://www.linuxidc.com/Linux/2012-06/61598.htm
CentOS 部署 OpenLDAP 认证 http://www.linuxidc.com/Linux/2012-04/57932.htm
客户端
1)运行 setup 命令,设置 LDAP 验证
2)/etc/nslcd.conf 配置如下:
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.131.141/
base dc=stone,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
************************
Sudo 配置 /etc/sudo-ldap.conf
uri ldap://192.168.1.167/
base dc=ldap,dc=ciwong,dc=com
sudoers_base ou=SUDOers,dc=ldap,dc=ciwong,dc=com
3)/etc/nsswitch.conf 添加一行:
sudoers:ldap files
可以查看到 ldap 服务器的用户,但家目录还是有问题
设定用户家目录两种方法
方法一:
家目录一样可以使用 autofs 来解决:
–在 ldap 服务端使用 nfs 共享家目录
[root@ldap config]# vim /etc/exports
/home *(rw)
[root@ldap config]# /etc/init.d/nfs restart
–在 ldap 客户端配置 autofs 服务
vim /etc/auto.master
/home/etc/auto.home
vim /etc/auto.home
* -rw 192.168.131.141:/home/&
/etc/init.d/autofsrestart
然后在客户端上对先前的 a1,a2,a3 用户及其密码进行验证,都 OK
方法二:
设置第一次登陆时建立家目录 vim /etc/pam.d/system-auth 在最后添加:session required pam_mkhomedir.so skel=/etc/skel umask=0022
Example of an LDAP entry formerly using the NOPASSWD tag:
sudoCommand: /sbin/whatever *sudoOption: !authenticatesudoHost: ALL or hostnamesudoRunAs: rootsudoUser: user with sudo privs
Translation of /etc/sudoers tags into sudoOption
NOPASSWD: !authenticate
PASSWD: authenticate
NOEXEC: noexec
EXEC: !noexec
LDAP 服务器用于统一认证账户信息,有点类似通讯录,实现集中管理用户账户的功能。系统为 CentOS6.4。
安装 openldap 和 Berkeley DB, openldap 使用 Berkeley DB 存储数据。
1)服务端 yum install openldap openldap-servers openldap-clients openldap-devel compat-openldapyum install db4 db4-utils
2)客户端 yum install nss-pam-ldapd pam_ldap openldap-clients
二、服务端配置
1) 首先生成管理员密码:slappasswd 输完两遍密码后会生成一个加密散列字符串,保存下来。如:
{SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738
2)编辑数据库配置文件,设置域名:vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif 找到:olcSuffix: dc=my-domain,dc=com 修改 dc:olcSuffix: dc=ldap,dc=stone,dc=com 设置目录树后缀(域名),作用是定义根的名字。
找到:olcRootDN: cn=Manager,dc=my-domain,dc=com 修改 dc:olcRootDN: cn= Manager,dc=ldap, dc=stone,dc=com 设置管理员 DN。PS:LDAP 管理员 cn 默认为 Manager,可以改成自己需要的名字。
在 olcDatabase={2}bdb.ldif 最后添加:olcRootPW: {SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738 设置管理员密码。
3)指定监控权限:vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif 找到:dn.base=”cn=manager,dc=my-domain,dc=com”修改为:dn.base=”cn= Manager,dc=ldap,dc=stone,dc=com”修改默认域名。
4) /etc/openldap/slapd.conf
************************************
include/etc/openldap/schema/corba.schema
include/etc/openldap/schema/core.schema
include/etc/openldap/schema/cosine.schema
include/etc/openldap/schema/duaconf.schema
include/etc/openldap/schema/dyngroup.schema
include/etc/openldap/schema/inetorgperson.schema
include/etc/openldap/schema/Java.schema
include/etc/openldap/schema/misc.schema
include/etc/openldap/schema/nis.schema
include/etc/openldap/schema/openldap.schema
include/etc/openldap/schema/ppolicy.schema
include/etc/openldap/schema/collective.schema
include/etc/openldap/schema/sudo.schema
allow bind_v2
pidfile/var/run/openldap/slapd.pid
argsfile/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile“\”OpenLDAP Server\””
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth”manage
by * none
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth”read
by dn.exact=”cn=Manager,dc=stone,dc=com”read
by * none
databasebdb
suffix“dc=ldap,dc=stone,dc=com”
checkpoint1024 15
rootdn“cn=Manager,dc=ldap,dc=stone,dc=com”
rootpw{SSHA}hcZ+9TR6qnqjbzCK9KlJOdqkUBmi9irL
directory/var/lib/ldap
index sudoUser eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
***************************************************************
5)设置 Database Cache:cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 设置权限:chown -R ldap:ldap /var/lib/ldap/
从.schema 生成.ldif 配置
slaptest -v -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
测试配置文件是否有错:slaptest - u 提示:
config file testing succeeded
测试通过。
三、创建 LDAP 数据库
# ldap.stone.com
dn: dc=ldap,dc=stone,dc=com
dc: ldap
objectClass: top
objectClass: domain
# people.ldap. stone.com
dn: ou=people,dc=ldap,dc=stone,dc=com
objectClass: organizationalUnit
ou: people
# group.ldap.ciwong.com
dn: ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: organizationalUnit
ou: group
# sudoers.ldap. ciwong.com
dn: ou=sudoers,dc=ldap,dc=ciwong,dc=com
objectClass: top
objectClass: organizationalUnit
description: sudo configuration subtree
ou: sudoers
#用户组
dn: cn=a1,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a1
userPassword: {crypt}x
gidNumber: 501
dn: cn=a2,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a2
userPassword: {crypt}x
gidNumber: 502
#用户:
# a1, people, stone.com
dn: uid=a1,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a1
cn: a1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNpTEw4cFpvJGdwN1RidlBOQjRkSU1ZL0d4eWZ2THNESGtBN2R
CWkcvbWZEelRYZzhQU2FlWWNucFV6S3hSR2VBcXZnL1VRTE1Qbkt6aTR3cExDa2NJMk54M3hOZkIu
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/a1
# a2, people, stone.com
dn: uid=a2,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a2
cn: a2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFRYbXNvU3RiJE9BS1JpYTZVZ0NyMHFFS28wUHJ0NUVPMnpUVmV
lTGVKZ0lZN2I2a3BWUmNIUWVFa3pOajJoQUR2dmE1US54amkua0lSY3hIWUJLdjhDUTZtejdrMGMv
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/a2
#具有 sudo 权限的用户
# role.sudoers.ldap. stone.com
dn: cn=role,ou=sudoers,dc=ldap,dc=stone,dc=com
objectClass: sudoRole
objectClass: top
cn: role
sudoUser: %a1
sudoHost: ALL
sudoRunASUSEr: root
sudoCommand: !/bin/sh
sudoCommand: ALL
**********************************************************
OpenLDAP 的详细介绍:请点这里
OpenLDAP 的下载地址:请点这里
相关阅读:
Liferay Portal 配置使用 Oracle 和 OpenLDAP http://www.linuxidc.com/Linux/2012-07/66928.htm
Axigen+OpenLDAP+BerkeleyDB+ejabberd 多域 +JWchat 详细配置 http://www.linuxidc.com/Linux/2012-06/61598.htm
CentOS 部署 OpenLDAP 认证 http://www.linuxidc.com/Linux/2012-04/57932.htm