RHEL7下openldap的安装与配置

我们的测试环境包含两台 RHEL 7机器:

  1. Server: 192.168.1.122. FQDNrh1.dweye.net
  2. Client: 192.168.1.126. FQDN: rh2.dweye.net 

一:LDAP服务器端安装

1.安装服务端/客户端
在 RHEL 7 中, LDAP 由 OpenLDAP 实现。为了安装服务器和客户端,分别使用下面的命令:

  1. # yum -y install openldap openldap-clients openldap-servers
  2. # yum -y install openldap openldap-clients nss-pam-ldapd

2.生成全局密码

slappasswd -s password -n > /etc/openldap/passwd

3.生成证书文件
openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
cert.pem --public key
priv.pem --private key
|--------|--------------------------------------------------------------|
|参数说明| |
|--------|--------------------------------------------------------------|
|req |PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
|-new |new request. |
|-x509 |output a x509 structure instead of a cert. req. |
|-nodes |don't encrypt the output key |
|-out |output file. |
|-keyout |file to send the key to. |
|-days |number of days a certificate generated by -x509 is valid for. |
|-----------------------------------------------------------------------|
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:example
Common Name (eg, your name or your server's hostname) []:rh1.dweye.net
Email Address []:root@dweye.net
4.设置文件权限
# chown ldap:ldap /etc/openldap/certs/*
# chmod 600 /etc/openldap/certs/priv.pem

 

由于 slapd 服务是由 ldap 用户来运行的(你可以使用 ps -e -o pid,uname,comm | grep slapd 来验证),为了使得服务器能够更改由管理工具创建的条目,该用户应该有目录 /var/lib/ldap 的所有权,而这些管理工具仅可以由 root 用户来运行(紧接着有更多这方面的内容)。

在递归地更改这个目录的所有权之前,将 slapd 的示例数据库配置文件复制进这个目录:

5.生成基础数据
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest

会有报错,无碍:)


6.启动LDAP服务
|--------|--------------------------|
|重启服务|systemctl restart slapd |
|开机自启|systemctl enable slapd |
|检查状态|systemctl status slapd |

[root@rh1 slapd.d]# systemctl restart slapd
[root@rh1 slapd.d]# systemctl enable slapd
[root@rh1 slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-07-07 14:30:19 CST; 16s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 4742 (slapd)
CGroup: /system.slice/slapd.service
└─4742 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jul 07 14:30:19 rh1.dweye.net runuser[4725]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4727]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4729]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4731]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4733]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4735]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4737]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net slapd[4739]: @(#) $OpenLDAP: slapd 2.4.44 (Jun...$
mockbuild@x86-019.build.e...d
Jul 07 14:30:19 rh1.dweye.net slapd[4742]: slapd starting
Jul 07 14:30:19 rh1.dweye.net systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.


二 配置LDAP本地服务器域
1.配置基础用户认证结构
ldapadd命令用于将LDIF文件导入到目录服务数据库中,格式为:“ldapadd [参数] LDIF文件”。

|--------|--------------------------------|
|参数 |作用 |
|--------|--------------------------------|
|-x |进行简单认证。 |
|-D |用于绑定服务器的dn。 |
|-h |目录服务的地址。 |
|-w |绑定dn的密码。 |
|-f |使用LDIF文件进行条目添加的文件。|
|--------|--------------------------------|
添加cosine和nis模块
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
[root@rh1 slapd.d]# cd /etc/openldap/schema
[root@rh1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
2.配置自定义的结构文件并导入到LDAP服务器
2.1 创建/etc/openldap/changes.ldif文件
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA

其中:

  • 2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA 是先前得到的经过哈希处理的字符串。
  • cn=config 指的是全局配置选项。
  • olcDatabase 指的是一个特定的数据库实例的名称,并且通常可以在 /etc/openldap/slapd.d/cn=config 目录中发现。

根据上面提供的理论背景,ldaprootpasswd.ldif 文件将添加一个条目到 LDAP 目录中。在那个条目中,每一行代表一个属性键值对(其中 dn,changetype,add 和 olcRootPW 为属性,每个冒号右边的字符串为相应的键值)。

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

2.2 将新的配置文件更新到slapd服务程序
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

2.3 创建/etc/openldap/base.ldif文件
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit


2.4 创建目录的结构服务
3.将本地用户认证信息导入到LDAP服务
3.1 创建用户
# for i in $(seq -w 10)
> do
> useradd -d /home/ldapuser$i -m ldapuser$i
> echo ldapuser$i | passwd --stdin ldapuser$i
> done


3.2 帐户迁移
3.3 将当前系统中的用户和组迁移至LDAP服务
把用户信息转换成ldif文件,并导入到LDAP中
# grep "^ldapuser" /etc/passwd > /tmp/users
# /usr/share/migrationtools/migrate_passwd.pl /tmp/users /tmp/users.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/users.ldif

把用户组group信息转换成ldif文件,并导入到LDAP中
# grep "^ldapuser" /etc/group > /tmp/groups
# /usr/share/migrationtools/migrate_group.pl /tmp/groups /tmp/groups.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/groups.ldif

测试LDAP服务器上的用户认证信息
# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
[root@rh1 openldap]# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=ldapuser08
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

转载于:https://www.cnblogs.com/gloriazhang/p/9277429.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值