Update and upgrade your system packages;
dnf update
dnf upgrade
To install the LDAP server on Fedora, run the following command;
dnf install openldap-clients openldap-servers
Start the OpenLDAP server service and enable it to start on system reboot.
systemctl enable slapd
systemctl start slapd
Configure OpenLDAP Server on Fedora
Set the OpenLDAP administrator password.
This can be done with the slappasswd command, which generates a salted password hash (the {SSHA} scheme by default).
slappasswd
New password: password
Re-enter new password: password
{SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq
You can also set the password in a single command. Replace "password" with your own password.
slappasswd -h {SHA} -s password
Save the generated hash, since we will need it later.
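To see what slappasswd actually stores in the hash above, here is the {SSHA} scheme reimplemented in Python. This is an added example, not code from this guide or from OpenLDAP; it assumes slappasswd's default 4-byte salt.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original tutorial: slappasswd's default {SSHA}
# scheme, i.e. "{SSHA}" + base64(SHA1(password + salt) + salt) with a 4-byte
# random salt, plus the bind-time verification that slapd performs.
SALT_LEN = 4

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return a value equivalent to `slappasswd -s <password>` ({SSHA} scheme)."""
    salt = salt or os.urandom(SALT_LEN)        # fresh random salt unless one is given
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Split the stored blob into the 20-byte SHA-1 digest and the trailing salt,
    re-hash the candidate with that salt and compare in constant time.
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                         # malformed base64
        return False
    digest, salt = blob[:20], blob[20:]
    if len(digest) != 20 or not salt:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

SSHA is salted SHA-1: it stops identical passwords from producing identical hashes, but it is a fast hash, so the strength of olcRootPW rests on the password itself.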
Configure the OpenLDAP Database
First, copy the example OpenLDAP database configuration and rename it as follows:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Set the ownership of the LDAP database configuration directory to the ldap user.
chown -R ldap:ldap /var/lib/ldap
Import the Basic OpenLDAP Schemas
Navigate to the OpenLDAP schema directory and import the cosine, nis and inetorgperson schemas.
cd /etc/openldap/schema
for schema in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $schema; done
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Update the OpenLDAP database configuration by modifying the values of the following attributes;
- olcSuffix – set the value to your base domain
- olcRootDN – set the value to the administrative entry of your LDAP domain
- olcRootPW – set this to the LDAP administrator password hash generated above
Also, configure access control lists for the LDAP monitor backend (olcDatabase={1}monitor.ldif) and the main database backend (olcDatabase={2}mdb.ldif).
All of these modifications can be made with a single ldif file, as shown below;
vi mod_domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
These modifications are applied with the ldapmodify command.
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
You can verify the result with the ldapsearch command.
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={2}mdb -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=exam
ple,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}monitor -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Create the base domain and add it to LDAP to create the directory. Replace the domain entries with your own.
vi basedn.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Com
dc: Example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
To add the base domain entries, run the following command;
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedn.ldif
Enter LDAP Password: LDAP manager's password set above
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
The OpenLDAP server configuration is almost complete.
Create OpenLDAP Server User Accounts
Generate a password for the user with the slappasswd command;
slappasswd
New password:
Re-enter new password:
{SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b
Create an ldif file specifying the user's attributes. The attribute named in each entry's RDN (uid for the user, cn for the group) must also appear in the entry body, otherwise slapd rejects the entry with a naming violation.
vi add_user.ldif
dn: uid=user,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
cn: Amos
sn: Mibey
userPassword: {SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/user

dn: cn=user,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: user
gidNumber: 10000
memberUid: user
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f add_user.ldif
Enter LDAP Password:
adding new entry "uid=user,ou=People,dc=example,dc=com"
adding new entry "cn=user,ou=Group,dc=example,dc=com"
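The ldif files in this guide (mod_domain.ldif, basedn.ldif, add_user.ldif) are applied as-is by ldapmodify and ldapadd, so a quick check before applying them saves a round of error messages. The following Python script is an added example, not part of this guide or of OpenLDAP: it parses LDIF and flags an entry whose RDN attribute is missing from its body (which slapd rejects as a naming violation) and a userPassword or olcRootPW value without a {SCHEME} prefix (which slapd stores as cleartext). The sample input BROKEN_LDIF is constructed.

```python
import base64
import re
# Added example, not part of the original tutorial: a pre-flight check for the
# LDIF files in this guide. It flags an added entry whose RDN value (e.g. uid=user)
# is absent from its body (slapd rejects it with "Naming violation (64)") and a
# userPassword/olcRootPW value without a {SCHEME} prefix (stored as cleartext).
PASSWORD_ATTRS = {"userpassword", "olcrootpw"}
def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """One {attribute: [values]} dict per record; attribute names lowercased."""
    text = re.sub(r"\n ", "", text)                   # unfold " "-continued lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):  # a blank line ends a record
        rec: dict[str, list[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                 # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(name.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def check_ldif(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file is clean."""
    problems = []
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        if rec.get("changetype", ["add"])[0].lower() == "add":  # full entries only
            rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
            present = [v.lower() for v in rec.get(rdn_attr.lower(), [])]
            if rdn_val.lower() not in present:
                problems.append(f"{dn}: naming attribute '{rdn_attr}' is not present in entry")
        for attr in rec.keys() & PASSWORD_ATTRS:
            if any(not re.match(r"\{[A-Za-z0-9-]+\}", v) for v in rec[attr]):
                problems.append(f"{dn}: {attr} is stored in cleartext")
    return problems

# Constructed sample: the group entry as printed in this guide (cn: Amos under
# dn cn=user) next to a user entry that lacks uid and has a cleartext password.
BROKEN_LDIF = """dn: uid=user,ou=People,dc=example,dc=com
cn: Amos
userPassword: secret123

dn: cn=user,ou=Group,dc=example,dc=com
cn: Amos
memberUid: user
"""
```

Run check_ldif() on the contents of each file before ldapadd; modify records (changetype: modify) skip the naming check but still get the cleartext check on olcRootPW.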
To verify that the user has been created, you can query its details with the ldapsearch command.
ldapsearch -x uid=user -b dc=example,dc=com -LLL
dn: uid=user,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: user
sn: user
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/user
uid: user
Well, that is all it takes to install and configure the OpenLDAP server on Fedora. Everything seems to be working. Feel free to add more users and explore the full capabilities of OpenLDAP. Before wrapping up, open the OpenLDAP server service on the firewall to allow external access. Note that the ldap firewall service opens plain LDAP on port 389; binds over it are unencrypted unless clients use StartTLS.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
What remains is to configure the LDAP clients to authenticate against the OpenLDAP server.