1. 简单的目录
1.slapd.conf文件
- 这是一个示例slapd.conf,它将让我们开始使用Oracle Berkeley数据库(BDB)后端(OpenLDAP过去推荐的数据库——目前是mdb):
#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write
# NO REFERRALS
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1
# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la
# NO TLS-enabled connections
# backend definition not required
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database bdb
suffix "dc=example, dc=com"
# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber eq
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
- 使用命令检查配置是否有问题
slaptest -f /etc/openldap/slapd.conf
- 可能问题1
could not stat config file "/usr/local/etc/openldap/schema/core.schema
解决: cp -r /etc/openldap/schema /usr/local/etc/openldap/schema
2. LDIF File
- 这个文件中有基础的用户信息。
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is
## dcObject is an AUXILLIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line
dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place
in this line up to 32K continuation data for the line above must
have <CR> or <CR><LF> i.e. ENTER works
on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.
## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line
dn: ou=people, dc=example,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit
## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources
3. 加载LDIF file文件
- 启动服务
systemctl start slapd
- 通过命令添加ldif文件
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/createdit.ldif -w dirtysecret
4. 添加新的条目
- 下面的LDIF显示了如何使用LDIF添加其他条目。
version: 1
## ADD a single entry to people level
dn: cn=John Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userpassword: jSmitH
carlicense: HISCAR 124
homephone: 555-111-2223
mail: j.smith@example.com
mail: jsmith@example.com
mail: john.smith@example.com
ou: Sales
## ADD another single entry to people level
dn: cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Sheri Smith
sn: smith
uid: ssmith
userpassword: sSmitH
carlicense: HERCAR 125
homephone: 555-111-2225
mail: s.smith@example.com
mail: ssmith@example.com
mail: sheri.smith@example.com
ou: IT
- 我们将上面的LDIF保存为addentry。在我们的/tmp目录中,我们使用ldapadd加载ldif文件,命令如下:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addentry.ldif -w dirtysecret
5.修改条目
- 下面的LDIF显示了我们如何使用LDIF修改条目——使用LDAP浏览器通常更快,但是如果您有批量更改,LDIF会更快。
version: 1
## MODIFY the Robert Smith entry
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-555-1212
telephonenumber: 212
-
replace: uid
uid: rjosmith
-
replace: mail
mail: robert.smith@example.com
mail: bob.smith@example.com
-
# adds using URL format
add: jpegphoto
jpegphoto: < file://path/to/jpeg/file.jpg
-
delete: description
- 我们将上面的LDIF保存为modentry。在我们的/tmp目录中,我们使用ldapadd加载ldif文件,命令如下:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modentry.ldif -w dirtysecret
2.目录权限
1. 安全策略
现在,我们将使用slapd.conf中的access指令为我们的目录添加一些简单的安全性。
我们将根据公司政策(哇)建立一个访问控制策略(ACP aka ACL),该政策规定:
- 目录条目所有者能够查看和更新所有目录属性,包括密码。
- 人力资源必须能够更新任何条目,但必须无法读取或写入用户密码。
- 除人力资源和目录条目的所有者之外,任何人都不得读取目录条目carlicence,homepostaddress和homephone。
- 所有用户都必须进行身份验证(不允许匿名访问)。
- IT部门必须能够更新或更改所有目录条目上的密码条目
2. 添加组
- 以下LDIF显示了我们如何添加组。
version: 1
# create FIRST Level groups branch
dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch
# create the itpeople entry under groups
dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=Sheri Smith,ou=people,dc=example,dc=com
# create the hrpeople entry under groups
dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com
- 添加命令
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addgroups.ldif -w dirtysecret
3. ACL slapd.conf访问定义
- 下面的文本展示了完整的slapd.conf的配置
###### SAMPLE 1 - SIMPLE DIRECTORY ############
##
## NOTES: inetorgperson picks up attributes and objectclasses
## from all three schemas
##
## NB: RH Linux schemas in /etc/openldap
##
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
#
#
## NO SECURITY - no access clause
## defaults to anonymous access for read
## only rootdn can write
#
## NO REFERRALS
#
## DON'T bother with ARGS file unless you feel strongly
## slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid
#
## enable a lot of logging - we might need it
## but generates huge logs
loglevel -1
#
## MODULELOAD definitions
## not required (comment out) before version 2.3
#moduleload back_bdb.la
#
## NO TLS-enabled connections
#
## backend definition not required
#
########################################################################
## bdb database definitions
##
## replace example and com below with a suitable domain
##
## If you don't have a domain you can leave it since example.com
## is reserved for experimentation or change them to my and inc
##
########################################################################
#
database bdb
suffix "dc=example, dc=com"
#ACL1
access to attrs=userpassword
by self write
by anonymous auth
by group.exact="cn=itpeople,ou=groups,dc=example,dc=com"
write
by * none
#ACL2
access to attrs=carlicense,homepostaladdress,homephone
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
write
by * none
#ACL3
access to *
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
write
by users read
by * none
#
## root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
## The database directory MUST exist prior to running slapd AND
## change path as necessary
directory /var/lib/ldap
#
## Indices to maintain for this directory
## unique id so equality match only
index uid eq
## allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
## allows multiple variants on surname searching
index sn eq,sub
## sub above includes subintial,subany,subfinal
## optimise department searches
index ou eq
## if searches will include objectClass uncomment following
## index objectClass eq
## shows use of default index parameter
#index default eq,sub
## indices missing - uses default eq,sub
index telephonenumber eq
#
## other database parameters
## read more in slapd.conf reference section
cachesize 10000
#checkpoint 128 15
- 修改完服务后我们需要重启slapd服务
systemctl restart slapd
4. 测试ACL
- 配置LDAP浏览器绑定或验证,使用dn: cn=Robert Smith, ou=people, dc=example, dc=com ,密码 : rJsmitH(区分大小写),因为这个条目有hrpeople特权,并能够修改所有条目,包括carlicense, homepostaladdress 和 homephone,但不能修改userpassword(除了他自己的)
- 配置LDAP浏览器绑定或验证,使用 dn: cn=Sheri Smith, ou=people, dc=example, dc=com ,密码 : sSmitH(区分大小写),因为这个条目有itpeople特权,并能够将修改所有条目的userpassword属性,但看不到 carlicense, homepostaladdress and homephone ,除了她自己的外.
- 配置LDAP浏览器绑定或验证,使用 dn: cn=John Smith,ou=people,dc=example,dc=com ,密码:jSmitH ,由于这个条目没有特权,所以除了他自己的条目(他也可以修改自己的条目),其他任何条目都不能看到
- 为匿名访问配置LDAP浏览器,并确认访问被拒绝。
- 最后验证为我们的rootdn或超级用户(在slapd.conf中定义为 cn=jimbob,dc=example,dc=com, password dirtysecret),并确认这将覆盖我们的所有特权,并且可以查看和修改所有内容。
3. 扩展的层次结构
1. 扩展实施
- 当我们细分需求时,我们需要实现以下内容:
1. 将新的销售人员组添加到现有的组分支。
2. 在我们的DIT中添加一个新的设备分支。这将使用设备对象。
3.将新客户分支添加到我们的DIT。这将使用标准的inetorgperson对象类。
4. 在每个人的条目下添加一个新的地址薄分支。
2. 扩展LDIF
# create FIRST level customers branch
dn: ou=customers,dc=example,dc=com
objectclass: organizationalunit
ou: customers
description: customer address book branch
# create FIRST level equipment branch
dn: ou=equipment,dc=example,dc=com
objectclass: organizationalunit
ou: equipment
description: IT assets branch
# create an entry under equipment entry under groups
dn: cn=LP1,ou=equipment,dc=example,dc=com
objectclass: device
cn: LP1
description: Some brand of printer
serialnumber: 1-77-23-15
l: Room 17
owner: cn=John Smith,ou=people,dc=example,dc=com
ou: printers
# create the salespeople entry under groups
dn: cn=salespeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: salespeople
description: Sales group
member: cn=John Smith,ou=people,dc=example,dc=com
# create the addressbook entry for each person
dn: ou=addressbook,cn=John Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book
dn: ou=addressbook,cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book
dn: ou=addressbook,cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book
- 执行命令添加ldif文件.
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/enhance.ldif -w dirtysecre
3. ACL - slapd.conf的配置
ACL4
# allows creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
attrs=children
by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
by users none
# ACL5 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
# attrs=entry
# by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
# by users none
# ACL6 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
# filter=(objectclass=inetorgperson)
# by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
# by users none
# ACL6A - 2.2+ replace both ACL5 and ACL6 with this ACL
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
attrs=entry,@inetorgperson
by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
by users none
# ACL7
# allows sales to create entries in customers
# authenticated user can only read
access to dn.one="ou=customers,dc=example,dc=com"
attrs=children
by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
by users read
# ACL8
access to attrs=carlicense,homepostaladdress,homephone
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
by * none
# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
by users read
by * none
# ACL9
access to *
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
by users read
by * none
- 重启服务
systemctl restart slapd.service
4. 测试ACL
-
dc=com ,密码: rJsmitH.也因为这个项目有hrpeople权限,能够看到并修改carlicense,homepostaladdress和homephone,并且可以读取客户和设备条目但不能写入它们。Robert Smith也可以查看并添加他自己的地址簿条目.
-
配置LDAP浏览器绑定DN验证: cn=Sheri Smith, ou=people, dc=example, dc=com ,密码: sSmitH ,也因为这个项目有itpeople权限将看到并能够修改所有条目的userpassword属性.但除了她自己的条目外,无法查看carlicense,homepostaladdress和homephone,此条目可以读取客户条目,但不能写入它们,但可以读取和写入设备条目。Sheri Smith还可以查看并添加自己的地址簿条目,并可以查看地址簿每个人(但不是条目)。她还可以删除每个条目的地址簿
-
配置LDAP浏览器绑定DN验证:cn=John Smith, ou=people, dc=example, dc=com ,密码: jSmitH.因为该条目没有特权,所以不能看到carlicense,homepostaladdress,homephone和userpassword这些属性。此条目因为它是salespeople组的成员可以读取和写入customers条目,但只能读取设备条目。
4. 创建新的对象以及属性结构
1. 要求
- 一个dohicky属性。此属性是布尔值。它只能由所有者和hrpeople组的任何成员查看和更新。
- 一个ageAtBirth属性。它只能由所有者和hrpeople组的任何成员查看和更新。
- gobbledegook。此属性是字符串值,对所有经过身份验证的用户公开可见。它只能由所有者和hrpeople组的任何成员更新.它将允许 <= or >= search filters.
- 作为我们转向单点登录(SSO)的一部分,我们将为每个用户添加标准的posixAccount对象类。该记录仅对itpeople组可见。
2. 实施
cat > /usr/local/etc/openldap/schema/ourco.schema <<EOF
# EXAMPLE.COM SCHEMA FILE
# takes values:
# true = wears clean socks on monday
# false = does not wear clean socks on monday
attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME 'dohicky'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
# if present must take the value = 0
attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'ageAtBirth'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
# string used to describe the height of the person in either feet/inches or meters
# may be expressed as xfyi e.g. 5f7i (5 feet 7 inches) or x.ym e.g. 1.95m (1.95 meters)
# the values f, i, m above are case insensitive
attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'gobbledegook'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{200} )
# objectclass used with people address book to define required information
# for State Law 5.7.3 - data is defined by law to be private - limited access allowed
objectclass ( 1.3.6.1.4.1.6863.2.4.57 NAME 'ourObject'
DESC 'A very useful object'
SUP top AUXILIARY
MUST ( dohicky $ gobbledegook )
MAY ageAtBirth )
EOF
3. 修改slapd.conf文件
- 添加以下语句到slapd.conf文件中.
include /usr/local/etc/openldap/schema/ourco.schema
- 重新启动服务
systemctl restart slapd
4. 添加LDIF
cat > /tmp/modify.ldif <<EOF
dn: cn=john smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 200
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/jsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: john
-
add: ageatbirth
ageatbirth: 0
-
dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 201
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/ssmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: TURE
-
add: gobbledegook
gobbledegook: sheri
-
dn: cn=robert smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 202
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/rsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: robert
-
add: ageatbirth
ageatbirth: 17
EOF
- 执行修改语句
ldapmodify -x -D "cn=jimbob,dc=example,dc = com" -f /tmp/modify.ldif -w dirtysecret
你可以发现已经添加成功。新的属性已经建好.
该文章大部分翻译于:
http://www.zytrax.com/books/ldap/ch5/index.html#step1