OpenLDAP dual master
This post introduces how to unify Linux logins and home directories using OpenLDAP and NFS/automount.
0. System environment
This solution is tested on Fedora 12 and CentOS 5 systems.
LDAP and NFS server:
IP: 10.0.0.2
OS: Fedora 12 x86_64
LDAP base DN: "dc=lgcpu1"
Clients:
IP: 10.0.0.1/24
OS: Fedora 12 x86_64
1. LDAP server
Package installation:
# yum install openldap-servers
# /sbin/chkconfig ldap on
# /sbin/service ldap start
Edit /etc/openldap/slapd.conf. Add or edit:
include /etc/openldap/schema/redhat/autofs.schema
#########################################################
# ldbm and/or bdb database definitions
#########################################################
database bdb
suffix "dc=lgcpu1"
checkpoint 1024 15
rootdn "cn=Manager,dc=lgcpu1"
rootpw {crypt}x
# Access Control
# (slapd.conf treats a line starting with whitespace as a continuation
# of the previous directive, so the "by" clauses must be indented)
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=manager,dc=lgcpu1" write
    by * compare
access to *
    by self write
    by dn="cn=manager,dc=lgcpu1" write
    by * read
How to get the rootpw:
perl -e "print crypt('passwd', 'salt_string',);"
Add top.ldif
top.ldif:
dn: dc=lgcpu1
objectclass: dcObject
objectclass: organization
o: lgcpu1 group
dc: lgcpu1

dn: cn=manager,dc=lgcpu1
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=lgcpu1
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=contacts,ou=people,dc=lgcpu1
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=group,dc=lgcpu1
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1
Add top.ldif to the LDAP server:
$ ldapadd -x -D 'cn=manager,dc=lgcpu1' -W -f top.ldif
Then search all the content in the LDAP server with:
ldapsearch -x -D 'cn=manager,dc=lgcpu1' -W
If the previous steps were processed correctly, ldapsearch will print out all the content in the LDAP database.
Add users and groups from the local configuration:
Copy passwd, shadow and group from /etc/ to some temporary location.
Edit them and keep only the normal users, that is, no system users.
$ vim /usr/share/openldap/migration/migrate_common.ph
Edit these values:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "cse.ust.hk";
# Default base
$DEFAULT_BASE = "dc=lgcpu1";
Then add the encrypted password from the shadow file to userPassword like this:
$ /usr/share/openldap/migration/migrate_passwd.pl ./passwd > people.ldif
The password is in this format:
userPassword: {crypt}$1$Zlkjsdf...
Then add people.ldif to the LDAP server.
$ /usr/share/openldap/migration/migrate_group.pl ./group > group.ldif
Then add group.ldif to the LDAP server.
Add auto.master.ldif
dn: ou=auto.master,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=lgcpu1
cn: /home

dn: cn=/share,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=lgcpu1
cn: /share
Add auto.master.ldif.
Add auto.home.ldif
Add an entry for every user.
Add auto.home.ldif.
auto.misc.ldif
Add entries for some common shared directories.
dn: ou=auto.misc,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.misc
Add auto.misc.ldif.
2. NFS server
Please refer to How to Set Up and Configure NFS Server and Clients for how to set up an NFS server.
Edit /etc/exports
Allow the hosts inside subnet 10.0.0.1/24 to mount the /home directory with read/write permission. Add this line to /etc/exports:
/home 10.0.0.1/24(rw)
Start up the service
Enable the nfs service on the NFS server so that it starts automatically each time the server boots:
# /sbin/chkconfig nfs on
You may also start it manually:
# service nfs start
3. Client configuration
3.1 Package installation
# yum install nss_ldap autofs nfs-utils
# chkconfig autofs on
# service rpcbind restart
# service autofs restart
3.2 Configuration
# authconfig-tui
Select like this:
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [ ] Use Hesiod [*] Use Shadow Passwords │
│ [*] Use LDAP [*] Use LDAP Authentication │
│ [ ] Use NIS [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use Fingerprint reader │
│ [ ] Use Winbind Authentication │
│ [*] Local authorization is sufficient │
In the next step:
│ [ ] Use TLS │
│ Server: ldap://10.0.0.2/________________________ │
│ Base DN: dc=lgcpu1_______________________________ │
3.3 Delete old user entries in:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
4. Add an individual person
Add people.sample.ldif to LDAP
dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
cn: sample
sn: sample
mail: sample@cse.ust.hk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$encrypted password here
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/sample
Add group.sample.ldif to LDAP
dn: cn=sample,ou=Group,dc=lgcpu1
objectClass: posixGroup
objectClass: top
cn: sample
userPassword: {crypt}x
gidNumber: 507
Add auto.home.sample.ldif to LDAP
dn: cn=sample,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/sample
cn: sample
Delete old entries in:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
Create the home directory on the NFS server:
# mkdir /home/sample
# cp /etc/skel/.[a-z]* /home/sample/
# chown -R 507:507 /home/sample/
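As an added example (not part of the original tutorial), the following Python script builds the three LDIF entries shown above (the people, group and auto.home entries) from one passwd, shadow and group line each, and refuses to migrate system or locked accounts, which the tutorial says not to copy. The UID_MIN threshold of 500, the sample lines and the placeholder hash are constructed assumptions.

```python
# Assumed: Fedora 12 / CentOS 5 default UID_MIN; lower uids are system users.
UID_MIN = 500
BASE_DN = "dc=lgcpu1"
NFS_SERVER = "10.0.0.2"

# Constructed sample lines (the hash is a placeholder, not a real password hash).
SAMPLE_PASSWD = "sample:x:507:507:Sample User:/home/sample:/bin/bash"
SAMPLE_SHADOW = "sample:$6$saltsalt$FAKEHASHFORILLUSTRATION:15000:0:99999:7:::"
SAMPLE_GROUP = "sample:x:507:"
SYSTEM_PASSWD = "daemon:x:2:2:daemon:/sbin:/sbin/nologin"
SYSTEM_SHADOW = "daemon:*:15000:0:99999:7:::"
SYSTEM_GROUP = "daemon:x:2:"


def user_ldifs(passwd_line, shadow_line, group_line):
    """Return (person, group, automount) LDIF strings, or None if not migratable."""
    name, _, uid, gid, _gecos, home, shell = passwd_line.rstrip("\n").split(":")
    s_name, pw_hash = shadow_line.split(":")[:2]
    g_name, _, g_gid = group_line.split(":")[:3]
    if s_name != name or g_name != name:
        raise ValueError("passwd, shadow and group lines name different accounts")
    if g_gid != gid:
        raise ValueError("primary gid in passwd does not match the group entry")
    # Skip system accounts and locked/disabled passwords ('*', '!', '!!').
    if int(uid) < UID_MIN or pw_hash in ("", "*") or pw_hash.startswith("!"):
        return None
    person = "\n".join([
        f"dn: uid={name},ou=People,{BASE_DN}",
        f"uid: {name}", f"cn: {name}", f"sn: {name}",
        "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: top",
        f"userPassword: {{crypt}}{pw_hash}",  # shadow hash, same scheme as the tutorial
        f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ])
    group = "\n".join([
        f"dn: cn={name},ou=Group,{BASE_DN}",
        "objectClass: posixGroup", "objectClass: top",
        f"cn: {name}", f"gidNumber: {gid}",
    ])
    # The auto.home key is the last component of the home path, so that
    # /home/<key> resolves to the NFS export of that same directory.
    key = home.rstrip("/").rsplit("/", 1)[-1]
    automount = "\n".join([
        f"dn: cn={key},ou=auto.home,{BASE_DN}",
        "objectClass: automount",
        f"automountInformation: {NFS_SERVER}:{home}",
        f"cn: {key}",
    ])
    return person, group, automount
```

Each returned string is one LDIF entry; write them to separate files (or separate them with blank lines) and load them with ldapadd as in the steps above.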
Translated from: https://www.systutorials.com/unified-linux-login-and-home-directory-using-openldap-and-nfsautomount/