标签:配置ldap服务器 增加用户账户 配置ldap客户端 ldap over tls ldap replication multi-master replication
Configure LDAP Server in order to share users‘ accounts in your local networks.
[1] Install OpenLDAP Server.
[root@dlp ~]# yum -y install openldap-servers openldap-clients
[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@dlp ~]# systemctl start slapd
[root@dlp ~]# systemctl enable slapd
[2] Set OpenLDAP admin password.
# generate encrypted password
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[3] Import basic Schemas.
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[4] Set your domain name on LDAP DB.
# generate directory manager‘s password
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=srv,dc=world" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@dlp ~]# vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server
dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif
Enter LDAP Password: # directory manager‘s password
adding new entry "dc=srv,dc=world"
adding new entry "cn=Manager,dc=srv,dc=world"
adding new entry "ou=People,dc=srv,dc=world"
adding new entry "ou=Group,dc=srv,dc=world"
[5] If Firewalld is running, allow LDAP service. LDAP uses 389/TCP.
[root@dlp ~]# firewall-cmd --add-service=ldap --permanent
success
[root@dlp ~]# firewall-cmd --reload
Success
Add LDAP User Accounts in the OpenLDAP Server.
[1] Add a user.
# generate encrypted password
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxx
[root@dlp ~]# vi ldapuser.ldif
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=srv,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}xxxxxxxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
dn: cn=cent,ou=Group,dc=srv,dc=world
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=srv,dc=world"
adding new entry "cn=cent,ou=Group,dc=srv,dc=world"
[2] Add users and groups in local passwd/group to LDAP directory.
[root@dlp ~]# vi ldapuser.sh
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
#!/bin/bash
SUFFIX=‘dc=srv,dc=world‘
LDIF=‘ldapuser.ldif‘
echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
USER_ID="$(echo "$TARGET_USER" | cut -d‘:‘ -f1)"
USER_NAME="$(echo "$TARGET_USER" | cut -d‘:‘ -f5 | cut -d‘ ‘ -f1,2)"
[ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
LDAP_SN="$(echo "$USER_NAME" | cut -d‘ ‘ -f2)"
[ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"
LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d‘:‘ -f3)"
[ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d‘:‘ -f9)"
[ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
GROUP_ID="$(echo "$TARGET_USER" | cut -d‘:‘ -f4)"
[ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")
echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $LDAP_SN" >> $LDIF
echo "givenName: $(echo "$USER_NAME" | awk ‘{print $1}‘)" >> $LDIF
echo "cn: $USER_NAME" >> $LDIF
echo "displayName: $USER_NAME" >> $LDIF
echo "uidNumber: $(echo "$TARGET_USER" | cut -d‘:‘ -f3)" >> $LDIF
echo "gidNumber: $(echo "$TARGET_USER" | cut -d‘:‘ -f4)" >> $LDIF
echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d‘:‘ -f2)" >> $LDIF
echo "gecos: $USER_NAME" >> $LDIF
echo "loginShell: $(echo "$TARGET_USER" | cut -d‘:‘ -f7)" >> $LDIF
echo "homeDirectory: $(echo "$TARGET_USER" | cut -d‘:‘ -f6)" >> $LDIF
echo "shadowExpire: $(passwd -S "$USER_ID" | awk ‘{print $7}‘)" >> $LDIF
echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
echo "shadowWarning: $(passwd -S "$USER_ID" | awk ‘{print $6}‘)" >> $LDIF
echo "shadowMin: $(passwd -S "$USER_ID" | awk ‘{print $4}‘)" >> $LDIF
echo "shadowMax: $(passwd -S "$USER_ID" | awk ‘{print $5}‘)" >> $LDIF
echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
echo >> $LDIF
done
for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d‘:‘ -f1)"
echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $LDAP_CN" >> $LDIF
echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF
for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d‘:‘ -f1,3)
do
UID_NUM=$(echo "$MEMBER_UID" | cut -d‘:‘ -f2)
[ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d‘:‘ -f1)" >> $LDIF
done
echo >> $LDIF
done
)
[root@dlp ~]# sh ldapuser.sh
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=srv,dc=world"
adding new entry "uid=redhat,ou=People,dc=srv,dc=world"
adding new entry "uid=ubuntu,ou=People,dc=srv,dc=world"
adding new entry "uid=debian,ou=People,dc=srv,dc=world"
adding new entry "cn=cent,ou=Group,dc=srv,dc=world"
adding new entry "cn=redhat,ou=Group,dc=srv,dc=world"
adding new entry "cn=ubuntu,ou=Group,dc=srv,dc=world"
adding new entry "cn=debian,ou=Group,dc=srv,dc=world"
[3] If you‘d like to delete LDAP User or Group, Do as below.
[root@dlp ~]# ldapdelete -x -W -D ‘cn=Manager,dc=srv,dc=world‘ "uid=cent,ou=People,dc=srv,dc=world"
Enter LDAP Password:
[root@dlp ~]# ldapdelete -x -W -D ‘cn=Manager,dc=srv,dc=world‘ "cn=cent,ou=Group,dc=srv,dc=world"
Enter LDAP Password:
Configure LDAP Client in order to share users‘ accounts in your local networks.
[1] Install OpenLDAP Client.
[root@www ~]# yum -y install openldap-clients nss-pam-ldapd
# ldapserver=(LDAP server‘s hostname or IP address)
# ldapbasedn="dc=(your own domain name)"
[root@www ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=dlp.srv.world \
--ldapbasedn="dc=srv,dc=world" \
--enablemkhomedir \
--update
[root@www ~]# exit
logout
CentOS Linux 7 (Core)
Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64
www login: redhat # LDAP user
Password:# password
Creating directory ‘/home/redhat‘.
[redhat@www ~]$ # logined normally
[redhat@www ~]$ passwd# try to change the LDAP password
Changing password for user redhat.
Enter login(LDAP) password: # current password
New password: # new password
Retype new password:
LDAP password information changed for redhat
passwd: all authentication tokens updated successfully.
[2] If SELinux is enabled, it needs to add a rule to allow creating home directories automatically by mkhomedir.
[root@www ~]# vi mkhomedir.te
# create new
module mkhomedir 1.0;
require {
type unconfined_t;
type oddjob_mkhomedir_exec_t;
class file entrypoint;
}
#============= unconfined_t ==============
allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;
[root@www ~]# checkmodule -m -M -o mkhomedir.mod mkhomedir.te
checkmodule: loading policy configuration from mkhomedir.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to mkhomedir.mod
[root@www ~]# semodule_package --outfile mkhomedir.pp --module mkhomedir.mod
[root@www ~]# semodule -i mkhomedir.pp
Configure LDAP over TLS to make connection be secure.
[1] Create SSL certificate first. See here.
[2] Configure LDAP Server.
[root@dlp ~]# cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/
[root@dlp ~]# chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt
[root@dlp ~]# vi mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@dlp ~]# vi /etc/sysconfig/slapd
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
[root@dlp ~]# systemctl restart slapd
[3] Configure LDAP Client for TLS connection.
[root@www ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
[root@www ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf
[root@www ~]# authconfig --enableldaptls --update
getsebool: SELinux is disabled
[root@www ~]# exit
logout
CentOS Linux 7 (Core)
Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64
www login: redhat
Password:
Last login: Tue Aug 19 19:55:52 on ttyS0
[redhat@www ~]$ # logined normally
Configure OpenLDAP Replication to continue Directory service if OpenLDAP master server would be down. OpenLDAP master server is called "Provider" and OpenLDAP Slave server is called "Consumer" on OpenLDAP.
[1] Configure Basic LDAP Server settings on both Provider and Consumer, refer to here.
[2] Configure LDAP Provider. Add syncprov module.
[root@dlp ~]# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@dlp ~]# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
[3] Configure LDAP Consumer.
[root@slave ~]# vi syncrepl.ldif
# create new
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
# LDAP server‘s URI
provider=ldap://10.0.0.30:389/
bindmethod=simple
# own domain name
binddn="cn=Manager,dc=srv,dc=world"
# directory manager‘s password
credentials=password
searchbase="dc=srv,dc=world"
# includes subtree
scope=sub
schemachecking=on
type=refreshAndPersist
# [retry interval] [retry times] [interval of re-retry] [re-retry times]
retry="30 5 300 3"
# replication interval
interval=00:00:05:00
[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
# confirm settings to search datas
[root@slave ~]# ldapsearch -x -b ‘ou=People,dc=srv,dc=world‘
# People, srv.world
dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People
...
...
[4] Configure LDAP Client to bind LDAP Consumer, too.
[root@www ~]# authconfig --ldapserver=dlp.srv.world,slave.srv.world –update
Configure OpenLDAP Multi-Master Replication.
For the Settings of Provider/Consumer, it‘s impossible to add datas on Consumer server, but if configure this Multi-Master Settings, it‘s possbile to add on any Master server.
[1] Configure Basic LDAP Server settings on all server, refer to here.
[2] Configure like follows on all servers. Add syncprov module.
[root@slapd01 ~]# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@slapd01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@slapd01 ~]# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@slapd01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
[3] Configure like follows on all servers. But only the parameters "olcServerID" and "provider=***", set different value on each server.
[root@slapd01 ~]# vi master01.ldif
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify uniq ID number on each server
olcServerID: 0
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
# specify another LDAP server‘s URI
provider=ldap://10.0.0.50:389/
bindmethod=simple
# own domain name
binddn="cn=Manager,dc=srv,dc=world"
# directory manager‘s password
credentials=password
searchbase="dc=srv,dc=world"
# includes subtree
scope=sub
schemachecking=on
type=refreshAndPersist
# [retry interval] [retry times] [interval of re-retry] [re-retry times]
retry="30 5 300 3"
# replication interval
interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
[root@slapd01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
[4] Configure LDAP Client to bind all LDAP server.
[root@www ~]# authconfig --ldapserver=slapd01.srv.world,slapd02.srv.world –update
Install phpLDAPadmin to operate LDAP server via Web browser.
[1] Install and start Apache httpd, refer to here.
[2] Install PHP, refer to here.
[3] Install phpLDAPadmin.
# install from EPEL
[root@dlp ~]# yum --enablerepo=epel -y install phpldapadmin
[root@dlp ~]# vi /etc/phpldapadmin/config.php
# line 397: uncomment, line 398: comment out
$servers->setValue(‘login‘,‘attr‘,‘dn‘);
// $servers->setValue(‘login‘,‘attr‘,‘uid‘);
[root@dlp ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
# line 12: add access permission
Require local
Require ip 10.0.0.0/24
[root@dlp ~]# systemctl restart httpd
[4] Access to the "http://(server‘s hostname or IP address)/ldapadmin/" from a client which is in the network allowed by http server and then Click "login".
[5] Authenticate with Directory Manager account. Specify uname name like follows. By the way, it‘s possible to login with a common user, too.
[6] Just logined. It‘s possible to manage LDAP server on here.
本文出自 “11830455” 博客,转载请与作者联系!
Linux与云计算——第二阶段Linux服务器架设 第六章:目录Directory服务器架设—OpenLDAP
标签:配置ldap服务器 增加用户账户 配置ldap客户端 ldap over tls ldap replication multi-master replication
原文地址:http://11840455.blog.51cto.com/11830455/1833079