
Basic LDAP installation and setting up an integrated login authentication mechanism on CentOS 6.2_x64


LDAP's predecessor was the heavyweight directory service X.500, but because it contained too much and was too large, the Lightweight Directory Access Protocol (LDAP) was created later, giving administrators another option. It is commonly used for address books, user authorization mechanisms, application integration and so on. The basic elements of the LDAP model are Objects (representing the data structure), Entries (the actual information), the tree structure (DN [Distinguished Name, the absolute path] and RDN [Relative Distinguished Name, the relative path]) and the hierarchical Schema of attributes, which are defined in ASN.1 syntax. The most common attributes are introduced below:

Attribute    Description                            Example
objectClass  entry type                             posixAccount
cn           common name (person or department)     Mui Chen
sn           surname (last name)                    Chen
dc           domain component                       com
o            organization                           ACME Inc.
ou           organizational unit                    Sales
c            country                                tw


That concludes the LDAP introduction, so next we go straight to the hands-on part: basic LDAP installation and setting up integrated login authentication, in two parts, as follows:

I. Basic LDAP installation and verification

1) Install the OpenLDAP server and client packages and confirm the installed versions
#yum -y install openldap-servers openldap-clients
#rpm -qa | grep -i 'openldap'
openldap-2.4.23-20.el6.x86_64
openldap-devel-2.4.23-20.el6.x86_64
openldap-servers-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64

2) Plan the whole LDAP organization tree (similar in concept to a relational database schema)
labs.com
├── login
│   ├── user
│   └── group
└── company
    ├── unit
    │   ├── mis
    │   ├── account
    │   └── hr
    └── customer

3) Copy slapd.conf and DB_CONFIG from the examples into their respective directories (DB_CONFIG sets the index cache sizes and can be tuned for performance)
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4) Generate the LDAP administrator password and set the root DN in slapd.conf
#slappasswd
New password: <enter the admin password>
Re-enter new password: <enter the admin password again>
{SSHA}???????????????????????????????
#vi /etc/openldap/slapd.conf
#suffix: defines the suffix (root) of your LDAP tree
#rootdn: the LDAP root user, who can add, delete and modify entries
#rootpw: the administrator's hashed password (the {SSHA} value printed by slappasswd)
database bdb
suffix "dc=labs,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=labs,dc=com"
rootpw {SSHA}????????????????????????????????

5) Create root-unit.ldif to define the whole tree structure (LDIF: LDAP Data Interchange Format, a strict text format similar in spirit to XML; note that every colon must be followed by a space, each entry must end with one blank line to mark the end of that entry, and the file must not start with stray blank lines)
#mkdir -p /etc/openldap/data
#vi /etc/openldap/data/root-unit.ldif
#root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

#login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit

#user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit

#group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit

##for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit

#for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

#human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit

#MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit

#Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit

# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit

6) Delete the old data and load the root-unit.ldif just defined into the LDAP database
#rm -rf /etc/openldap/slapd.d/*
#slapadd -v -l /etc/openldap/data/root-unit.ldif
The first database does not allow slapadd; using the first available one (2)
added: "dc=labs,dc=com" (00000001)
added: "ou=login,dc=labs,dc=com" (00000002)
added: "ou=user,ou=login,dc=labs,dc=com" (00000003)
added: "ou=group,ou=login,dc=labs,dc=com" (00000004)
added: "ou=company,dc=labs,dc=com" (00000005)
added: "ou=unit,ou=company,dc=labs,dc=com" (00000006)
added: "ou=hr,ou=unit,ou=company,dc=labs,dc=com" (00000007)
added: "ou=mis,ou=unit,ou=company,dc=labs,dc=com" (00000008)
added: "ou=account,ou=unit,ou=company,dc=labs,dc=com" (00000009)
added: "ou=customer,ou=company,dc=labs,dc=com" (0000000a)
_#################### 100.00% eta none elapsed none fast!
Closing DB...

7) Generate the configuration for the new LDAP database into the slapd.d directory and change its ownership
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
#ll /etc/openldap/slapd.d
total 8
drwxr-x---. 3 root root 4096 Jun 16 15:17 cn=config
-rw-------. 1 root root 986 Jun 16 15:17 cn=config.ldif
#chown -R ldap:ldap /var/lib/ldap
#chown -R ldap:ldap /etc/openldap/slapd.d

◎ If you need to change the contents of slapd.conf later, proceed as follows:
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
#chown -R ldap:ldap /etc/openldap/slapd.d
#service slapd restart

8) Start the LDAP server, check whether it is enabled at boot, and enable it
#service slapd start
#chkconfig --list slapd
#chkconfig --level 345 slapd on

9) Use ldapsearch to confirm that the LDAP tree has been created (-x: use simple authentication instead of SASL / -b: search base)
#ldapsearch -x -b 'dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# labs.com
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
# login, labs.com
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
# user, login, labs.com
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
# group, login, labs.com
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
# company, labs.com
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# customer, company, labs.com
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10

10) Build the staff roster with users.ldif (same design principle as the organization tree above; watch the syntax)
#vi /etc/openldap/data/users.ldif
#Evan McNabb
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectclass: person
objectclass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
title: Employee

#Jenny Smith
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager

#Dax Kelson
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectclass: person
objectclass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
title: employee

#Bryan Croft
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectclass: person
objectclass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
title: employee

#Fred Smith
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee

#Nancy Smith
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee

#Lamont Peterson
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
title: employee

#Cameron Christensen
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectclass: person
objectclass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
title: Manager

#Jane Smith
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer

#Derek Carter
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectclass: person
objectclass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
title: engineer

#Stuart Jansen
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
title: engineer

#Sally Jansen
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
title: engineer

#Jan Johnson
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectclass: person
objectclass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
title: Manager

#John Smith
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant

#Tim Peterson
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
title: accountant

#Joan Jett
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectclass: person
objectclass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
title: accountant

#Cindy Jackson
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectclass: person
objectclass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
title: accountant

11) Add the staff roster to the LDAP database (ADMIN_PASSWORD is the admin password from step 4; -w passes it on the command line, where it lands in shell history and the process list, so -W, which prompts for it, is the safer choice)
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w ADMIN_PASSWORD -x -a -f /etc/openldap/data/users.ldif
adding new entry "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com"

12) A few query examples to verify that the roster has been added to the LDAP database
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# Evan McNabb, hr, unit, company, labs.com
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectClass: person
objectClass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
title: Employee
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager
# Dax Kelson, hr, unit, company, labs.com
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectClass: person
objectClass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
title: employee
# Bryan Croft, hr, unit, company, labs.com
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectClass: person
objectClass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
title: employee
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee
# Lamont Peterson, hr, unit, company, labs.com
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
title: employee
# Cameron Christensen, mis, unit, company, labs.com
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectClass: person
objectClass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
title: Manager
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# Derek Carter, mis, unit, company, labs.com
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
title: engineer
# Stuart Jansen, mis, unit, company, labs.com
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
title: engineer
# Sally Jansen, mis, unit, company, labs.com
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
title: engineer
# Jan Johnson, account, unit, company, labs.com
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectClass: person
objectClass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
title: Manager
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant
# Tim Peterson, account, unit, company, labs.com
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
title: accountant
# Joan Jett, account, unit, company, labs.com
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectClass: person
objectClass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
title: accountant
# Cindy Jackson, account, unit, company, labs.com
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectClass: person
objectClass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
title: accountant
# search result
search: 2
result: 0 Success
# numResponses: 22
# numEntries: 21
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(sn=Smith)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (sn=Smith)
# requesting: ALL
#
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
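The filters above are typed by hand, but as soon as the sn or title value comes from a user or a script argument it has to be escaped, otherwise characters such as `*`, `(` and `)` change the meaning of the filter. The following is an added example (not code from the original post) that builds the same equality and AND filters with RFC 4515 escaping and quotes the resulting ldapsearch command for the shell; the host name `localhost` is an assumed default.

```python
import shlex

# RFC 4515: these characters have special meaning inside a filter value and
# must be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality(attr: str, value: str) -> str:
    """(attr=value) with the value escaped; the attribute name is checked
    against the characters an LDAP attribute description may contain, so
    it cannot carry filter syntax either."""
    if not attr or not all(c.isalnum() or c in "-;." for c in attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def and_filter(**assertions: str) -> str:
    """(&(a=v1)(b=v2)...), the shape of the combined sn/title query above."""
    if not assertions:
        raise ValueError("an AND filter needs at least one assertion")
    return "(&" + "".join(equality(a, v) for a, v in assertions.items()) + ")"


def ldapsearch_command(base: str, filt: str, host: str = "localhost") -> str:
    """Shell-safe ldapsearch invocation (simple auth, like the calls above);
    shlex.quote adds quotes only where the shell would otherwise interpret
    the parentheses of the filter."""
    return "ldapsearch -x -h {} -b {} {}".format(
        shlex.quote(host), shlex.quote(base), shlex.quote(filt))


if __name__ == "__main__":
    base = "ou=unit,ou=company,dc=labs,dc=com"
    print(ldapsearch_command(base, equality("sn", "Smith")))
    print(ldapsearch_command(base, and_filter(sn="Smith", title="engineer")))
    # A value containing filter syntax stays a literal string instead of
    # widening the search to every entry.
    print(and_filter(sn="*)(objectClass=*", title="engineer"))
```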

13) Enable encrypted transport for OpenLDAP (delete the old certificate and generate a new one)
#cd /etc/pki/tls/certs
#rm slapd.pem
#make slapd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ;
\
cat $PEM1 > slapd.pem ; \
echo "" >> slapd.pem ; \
cat $PEM2 >> slapd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..........+++
....................................................+++
writing new private key to '/tmp/openssl.Znr5LE'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei County
Organization Name (eg, company) [Default Company Ltd]:Labs Corp.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap.labs.com
Email Address []:iori@labs.com
#chmod 640 slapd.pem
#chown :ldap slapd.pem
#ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
#vi /etc/openldap/slapd.conf
#uncomment the following lines
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
#vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT never skips verification of the server certificate; acceptable for this self-signed lab, switch to demand once slapd.pem is signed by a CA the clients trust
TLS_REQCERT never
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
#chown -R ldap:ldap /etc/openldap/slapd.d
#service slapd restart

14) Check that the LDAP ports are listening (389 [LDAP, StartTLS] and 636 [LDAPS])
#netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1227/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5053/sshd
tcp 0 0 0.0.0.0:34742 0.0.0.0:* LISTEN 1245/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5131/master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 4916/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4916/slapd
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 5174/qpidd
tcp 0 0 :::111 :::* LISTEN 1227/rpcbind
tcp 0 0 :::22 :::* LISTEN 5053/sshd
tcp 0 0 :::44376 :::* LISTEN 1245/rpc.statd
tcp 0 0 ::1:25 :::* LISTEN 5131/master
tcp 0 0 :::636 :::* LISTEN 4916/slapd
tcp 0 0 :::389 :::* LISTEN 4916/slapd
udp 0 0 0.0.0.0:52246 0.0.0.0:* 4945/avahi-daemon
udp 0 0 0.0.0.0:52894 0.0.0.0:* 1245/rpc.statd
udp 0 0 0.0.0.0:978 0.0.0.0:* 1227/rpcbind
udp 0 0 0.0.0.0:997 0.0.0.0:* 1245/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4945/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 1227/rpcbind
udp 0 0 :::978 :::* 1227/rpcbind
udp 0 0 :::57707 :::* 1245/rpc.statd
udp 0 0 :::111 :::* 1227/rpcbind

◎ Finally, remember to confirm that the firewall allows the LDAP service through

15) Install and configure the LDAP client (for the case of a client connecting to the server)
#yum -y install openldap-clients
#vi /etc/openldap/ldap.conf
#the first line only needs to be set on the LDAP server itself; the client does not need it
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never

16) Below, LDAP data is queried over an encrypted connection, once with LDAPS on port 636 and once with StartTLS on port 389
#LDAPS: the connection is TLS from the start, so do not combine ldaps:// with -ZZ (StartTLS)
#ldapsearch -x -H ldaps://LDAP_Server_IP -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
#StartTLS on 389: -ZZ makes ldapsearch fail if the StartTLS upgrade does not succeed
#ldapsearch -x -ZZ -h LDAP_Server_IP -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1

II. Setting up the integrated login authentication mechanism with LDAP

Ever since Sun released Sun Yellow Pages (that is, the Network Information Service [NIS] often mentioned in the Unix/Linux world for its vulnerabilities), Unix/Linux account management has had a complete unified solution, so let's get straight to implementing unified account and password management with LDAP, as follows:

1) Set the schema and attributes in slapd.conf (confirm the following line is present)
#vi /etc/openldap/slapd.conf
include /etc/openldap/schema/nis.schema

2) Plan the structure of user-login.ldif and map it to the original files

Anyone who has managed a system knows that /etc/passwd holds the personal account data, /etc/shadow holds the password information and /etc/group holds the group information. The format of /etc/passwd is as follows:
steven:x:500:500::/home/steven:/bin/bash
(id:password:uid:gid:full_name:Home Directory:Login shell)

So for LDAP the corresponding attributes must be used so that logins map correctly; the table below maps posix to /etc/passwd:

objectClass: posixAccount
/etc/passwd field   LDAP attribute
id                  uid
password            userPassword
uid                 uidNumber
gid                 gidNumber
full_name           gecos
Home Directory      homeDirectory
Login shell         loginShell

The format of /etc/shadow is as follows:
steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::
(username:passwd:last:may:must:warn:expire:disable:reserved)

The mapping from posix to /etc/shadow is then:

objectClass: shadowAccount
/etc/shadow field   LDAP attribute
username            uid
password            userPassword
last                shadowLastChange
may                 shadowMin
must                shadowMax
warn                shadowWarning
expire              shadowExpire
disable             shadowInactive
reserved            shadowFlag

From the two mapping tables above we can see that, when designing the ldif file, at least these attributes must be used to achieve the goal. Besides these two mappings there is also /etc/group, whose format is as follows:
steven:x:500:
(group name:password:group id:other account)

The mapping from posix to /etc/group is then:

objectClass: posixGroup
/etc/group field    LDAP attribute
group name          cn
password            userPassword
group id            gidNumber
other account       memberUid

So for system administration, groups matter too; don't forget them.
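The three mapping tables can be applied mechanically. The following is an added example (not code from the original post) that turns passwd, shadow and group records into posixAccount/shadowAccount and posixGroup LDIF records under the ou=user and ou=group containers planned in part I, following the LDIF rules from part I step 5; the sample records are constructed (the steven lines are the ones shown above), and the existing crypt hash from shadow is kept as a {CRYPT} userPassword rather than copied in the clear.

```python
USER_BASE = "ou=user,ou=login,dc=labs,dc=com"       # planned in part I, step 2
GROUP_BASE = "ou=group,ou=login,dc=labs,dc=com"

# Constructed sample records; the steven lines are the ones shown above.
PASSWD_LINES = ["steven:x:500:500::/home/steven:/bin/bash"]
SHADOW_LINES = ["steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::"]
GROUP_LINES = ["steven:x:500:", "mis:x:511:steven,jane"]


def _record(dn, attrs):
    """Render one LDIF record: 'attribute: value' with a space after the
    colon, one blank line after the record. Empty values (unset shadow
    fields) are left out instead of being written as empty attributes."""
    lines = [f"dn: {dn}"]
    lines += [f"{attr}: {value}" for attr, value in attrs if value != ""]
    return "\n".join(lines) + "\n\n"


def passwd_to_ldif(passwd_line, shadow_line):
    """Map one passwd + shadow pair to a posixAccount/shadowAccount entry
    using the two mapping tables above."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    # shadow(5) field order: name, hash, last change, min, max, warn,
    # inactive days, expire date, reserved flag.
    s_name, s_hash, last, mn, mx, warn, inactive, expire, flag = shadow_line.split(":")
    if s_name != name:
        raise ValueError(f"shadow line for {s_name!r} does not match {name!r}")
    attrs = [
        ("uid", name), ("cn", name),
        ("objectClass", "account"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("userPassword", "{CRYPT}" + s_hash),   # keep the existing crypt hash
        ("shadowLastChange", last), ("shadowMin", mn), ("shadowMax", mx),
        ("shadowWarning", warn), ("shadowInactive", inactive),
        ("shadowExpire", expire), ("shadowFlag", flag),
        ("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
        ("homeDirectory", home), ("gecos", gecos or name),
    ]
    return _record(f"cn={name},{USER_BASE}", attrs)


def group_to_ldif(group_line):
    """Map one /etc/group record to a posixGroup entry; the 'x' password
    field only points at gshadow and is not copied."""
    name, _, gid, members = group_line.split(":")
    attrs = [("cn", name), ("objectClass", "posixGroup"), ("gidNumber", gid)]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return _record(f"cn={name},{GROUP_BASE}", attrs)


def build_ldif(passwd_lines, shadow_lines, group_lines):
    """Whole file: no leading blank line, one blank line after each record."""
    shadow = {line.split(":", 1)[0]: line for line in shadow_lines}
    users = [passwd_to_ldif(p, shadow[p.split(":", 1)[0]]) for p in passwd_lines]
    groups = [group_to_ldif(g) for g in group_lines]
    return "".join(users + groups)


if __name__ == "__main__":
    print(build_ldif(PASSWD_LINES, SHADOW_LINES, GROUP_LINES), end="")
```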

3) Create user-login.ldif (the LDAP login authentication database) according to the mappings above
#vi /etc/openldap/data/user-login.ldif
#Evan McNabb
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
uid: c293831287
cn: c293831287
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC293831287
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 600
gidNumber: 510
homeDirectory: /home/c293831287
gecos: Evan McNabb

#Jenny Smith
dn: cn=d197700415,ou=user,ou=login,dc=labs,dc=com
uid: d197700415
cn: d197700415
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD197700415
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 601
gidNumber: 510
homeDirectory: /home/d197700415
gecos: Jenny Smith

#Dax Kelson
dn: cn=d295723341,ou=user,ou=login,dc=labs,dc=com
uid: d295723341
cn: d295723341
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD295723341
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 602
gidNumber: 510
homeDirectory: /home/d295723341
gecos: Dax Kelson

#Bryan Croft
dn: cn=c297303122,ou=user,ou=login,dc=labs,dc=com
uid: c297303122
cn: c297303122
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC297303122
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 603
gidNumber: 510
homeDirectory: /home/c297303122
gecos: Bryan Croft

#Fred Smith
dn: cn=d191627793,ou=user,ou=login,dc=labs,dc=com
uid: d191627793
cn: d191627793
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD191627793
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 604
gidNumber: 510
homeDirectory: /home/d191627793
gecos: Fred Smith

#Nancy Smith
dn: cn=b192927969,ou=user,ou=login,dc=labs,dc=com
uid: b192927969
cn: b192927969
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrB192927969
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 605
gidNumber: 510
homeDirectory: /home/b192927969
gecos: Nancy Smith

#Lamont Peterson
dn: cn=c293190610,ou=user,ou=login,dc=labs,dc=com
uid: c293190610
cn: c293190610
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC293190610
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 606
gidNumber: 510
homeDirectory: /home/c293190610
gecos: Lamont Peterson

#Cameron Christensen
dn: cn=h191497299,ou=user,ou=login,dc=labs,dc=com
uid: h191497299
cn: h191497299
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miH191497299
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 607
gidNumber: 511
homeDirectory: /home/h191497299
gecos: Cameron Christensen

#Jane Smith
dn: cn=b299479351,ou=user,ou=login,dc=labs,dc=com
uid: b299479351
cn: b299479351
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miB299479351
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 608
gidNumber: 511
homeDirectory: /home/b299479351
gecos: Jane Smith

#Derek Carter
dn: cn=c291677874,ou=user,ou=login,dc=labs,dc=com
uid: c291677874
cn: c291677874
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miC291677874
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 609
gidNumber: 511
homeDirectory: /home/c291677874
gecos: Derek Carter

#Stuart Jansen
dn: cn=b297933030,ou=user,ou=login,dc=labs,dc=com
uid: b297933030
cn: b297933030
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miB297933030
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 610
gidNumber: 511
homeDirectory: /home/b297933030
gecos: Stuart Jansen

#Sally Jansen
dn: cn=f296974826,ou=user,ou=login,dc=labs,dc=com
uid: f296974826
cn: f296974826
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miF296974826
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 611
gidNumber: 511
homeDirectory: /home/f296974826
gecos: Sally Jansen

#Jan Johnson
dn: cn=b299136575,ou=user,ou=login,dc=labs,dc=com
uid: b299136575
cn: b299136575
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acB299136575
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 612
gidNumber: 512
homeDirectory: /home/b299136575
gecos: Jan Johnson

#John Smith
dn: cn=e295689078,ou=user,ou=login,dc=labs,dc=com
uid: e295689078
cn: e295689078
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acE295689078
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 613
gidNumber: 512
homeDirectory: /home/e295689078
gecos: John Smith

#Tim Peterson
dn: cn=a293893990,ou=user,ou=login,dc=labs,dc=com
uid: a293893990
cn: a293893990
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acA293893990
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 614
gidNumber: 512
homeDirectory: /home/a293893990
gecos: Tim Peterson

#Joan Jett
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
uid: f192426229
cn: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acF192426229
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
gecos: Joan Jett

#Cindy Jackson
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
uid: d295380453
cn: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acD295380453
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
gecos: Cindy Jackson

4) Import users-login.ldif into the LDAP database with the LDAP admin account
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w LDAP的管理密碼 -x -a -f /etc/openldap/data/users-login.ldif
adding new entry "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d197700415,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d295723341,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c297303122,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d191627793,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b192927969,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c293190610,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=h191497299,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b299479351,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c291677874,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b297933030,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=f296974826,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b299136575,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=e295689078,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=a293893990,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=f192426229,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d295380453,ou=user,ou=login,dc=labs,dc=com"

5) Use ldapsearch to check that the login-authentication data has been imported into the LDAP database
#ldapsearch -x -b 'ou=user,ou=login,dc=labs,dc=com'
...
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=d295380453)
# requesting: ALL
#
# d295380453, user, login, labs.com
# f192426229, user, login, labs.com
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
uid: f192426229
cn: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: YWNGMTkyNDI2MjI5
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
gecos: Joan Jett
# d295380453, user, login, labs.com
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
uid: d295380453
cn: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: YWNEMjk1MzgwNDUz
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
gecos: Cindy Jackson
# search result
search: 2
result: 0 Success
# numResponses: 19
# numEntries: 18

6) Following the mapping above, create group.ldif (the group data for LDAP) and import it
#vi /etc/openldap/data/group.ldif
#Human Resource
dn: cn=hr,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: hr
gidNumber: 510

#MIS
dn: cn=mis,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: mis
gidNumber: 511

#Account
dn: cn=account,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: account
gidNumber: 512
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w LDAP的管理密碼 -x -a -f /etc/openldap/data/group.ldif
adding new entry "cn=hr,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=mis,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=account,ou=group,ou=login,dc=labs,dc=com"
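users-login.ldif above stores every userPassword in clear text, which is why ldapsearch in step 5 returns it merely base64-encoded (userPassword:: ...), and hand-written LDIF is easy to get wrong: a missing blank line between records, a duplicated uidNumber, or a gidNumber that no posixGroup in group.ldif defines. The script below is an added example, not code from the post: it generates group.ldif-style and users-login.ldif-style records from a small table, hashes passwords in the {SSHA} scheme that slappasswd emits, and refuses duplicate logins/uidNumbers or undefined gids. The two sample users, the group table and the password mapping are constructed for the example; the attribute set and DN layout follow the LDIF files above.

```python
import base64
import hashlib
import os
import time

# Constructed sample data for this example (not the post's full user list).
# Group name -> gidNumber, matching the gids group.ldif defines.
GROUPS = {"hr": 510, "mis": 511, "account": 512}
# (login, gecos, uidNumber, gidNumber); passwords are supplied separately so
# the account table itself never carries secrets.
USERS = [
    ("b297933030", "Stuart Jansen", 610, 511),
    ("b299136575", "Jan Johnson", 612, 512),
]
BASE_DN = "ou=login,dc=labs,dc=com"


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} scheme, the format slappasswd produces:
    base64(sha1(password + salt) + salt) with a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr, value):
    """One 'attr: value' line. LDIF requires the base64 form 'attr:: ...' when
    the value is non-ASCII or starts with a space, ':' or '<'."""
    value = str(value)
    if not value.isascii() or value[:1] in (" ", ":", "<"):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def group_entry(name, gid):
    return "\n".join([
        ldif_line("dn", f"cn={name},ou=group,{BASE_DN}"),
        ldif_line("objectClass", "posixGroup"),
        ldif_line("cn", name),
        ldif_line("gidNumber", gid),
    ])


def user_entry(login, gecos, uid_number, gid_number, password_hash):
    # Same attribute set as users-login.ldif, but userPassword holds a hash.
    return "\n".join([
        ldif_line("dn", f"cn={login},ou=user,{BASE_DN}"),
        ldif_line("uid", login),
        ldif_line("cn", login),
        ldif_line("objectClass", "account"),
        ldif_line("objectClass", "posixAccount"),
        ldif_line("objectClass", "shadowAccount"),
        ldif_line("userPassword", password_hash),
        ldif_line("shadowLastChange", int(time.time() // 86400)),  # days since epoch
        ldif_line("shadowMax", 99999),
        ldif_line("shadowWarning", 7),
        ldif_line("shadowFlag", 0),
        ldif_line("loginShell", "/bin/bash"),
        ldif_line("uidNumber", uid_number),
        ldif_line("gidNumber", gid_number),
        ldif_line("homeDirectory", f"/home/{login}"),
        ldif_line("gecos", gecos),
    ])


def build_ldif(groups, users, passwords):
    """Return group and user records separated by blank lines (one record per
    'dn:'), refusing duplicate logins/uidNumbers and gids with no posixGroup."""
    seen_logins, seen_uids = set(), set()
    records = [group_entry(name, gid) for name, gid in groups.items()]
    for login, gecos, uid_number, gid_number in users:
        if login in seen_logins or uid_number in seen_uids:
            raise ValueError(f"duplicate login or uidNumber: {login}/{uid_number}")
        if gid_number not in groups.values():
            raise ValueError(f"{login}: gidNumber {gid_number} has no posixGroup")
        seen_logins.add(login)
        seen_uids.add(uid_number)
        records.append(user_entry(login, gecos, uid_number, gid_number,
                                  ssha_hash(passwords[login])))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed demo passwords; pipe the output into ldapmodify -a as in step 4.
    demo_passwords = {"b297933030": "miB297933030", "b299136575": "acB299136575"}
    print(build_ldif(GROUPS, USERS, demo_passwords))
```

The generated file is imported exactly as in step 4 (ldapmodify -x -a -f); because userPassword already holds a {SSHA} value, ldapsearch will return the hash rather than a base64-wrapped clear-text password, and the ACL in step 7 is what keeps even that hash away from other users.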

7) Edit slapd.conf to change the LDAP ACLs (the entries contain a password attribute; without a restriction anyone could look up everyone else's password)
#vi /etc/openldap/slapd.conf
#######################################################################
# ACL rules: access-control settings (the Access Control section added here)
# Authenticated users can read the LDAP database but cannot read/write other people's passwords
#######################################################################
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=labs,dc=com" write
by * none
#######################################################################
# For the nss_ldap mechanism to work, anonymous read must be enabled, but restricted so it is not allowed from just any IP
#######################################################################
access to *
by self write
by users read
by anonymous peername.IP=127.0.0.1 read
by anonymous peername.IP=192.168.73.0%255.255.255.0 read
by dn.base="cn=Manager,dc=labs,dc=com" write
by * none
#service slapd restart
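slapd evaluates access directives in file order and uses the first "access to" whose target matches, so a userPassword rule placed after "access to *" is never reached, and a dn.base whose suffix differs from the database suffix (dc=org in a dc=com tree) matches no DN that exists in this database. The following Python linter for the ACL block is an added example, not code from the post or from OpenLDAP: it parses one clause per line, as the rules above are written, and checks ordering, anonymous access to userPassword, and dn.base suffixes. The sample text is a constructed copy of the step-7 rules that deliberately includes a mismatched dc=org suffix so the check has something to report.

```python
import re

# Constructed sample (not read from a live slapd.conf): the step-7 ACL block,
# one 'by' clause per line, with one dn.base deliberately outside the suffix.
SUFFIX = "dc=labs,dc=com"
SAMPLE_ACL = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=labs,dc=com" write
    by * none
access to *
    by self write
    by users read
    by anonymous peername.IP=127.0.0.1 read
    by anonymous peername.IP=192.168.73.0%255.255.255.0 read
    by dn.base="cn=Manager,dc=labs,dc=org" write
    by * none
"""


def parse_acls(text):
    """Return [(what, [(who, access), ...]), ...] in file order. Comments and
    blank lines are dropped; 'by' lines attach to the preceding 'access to'."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            parts = line[3:].rsplit(None, 1)  # last word is the access level
            who, access = (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")
            acls[-1][1].append((who, access))
    return acls


def lint_acls(text, suffix):
    """Findings a reviewer would raise on the ACL block; empty list means clean."""
    findings = []
    acls = parse_acls(text)
    pw = next((i for i, (what, _) in enumerate(acls) if "userPassword" in what), None)
    catch_all = next((i for i, (what, _) in enumerate(acls) if what == "*"), None)
    if pw is None:
        findings.append("no 'access to attrs=userPassword' directive; "
                        "the catch-all rule decides who reads password hashes")
    else:
        # First matching 'access to' wins: a catch-all before it shadows it.
        if catch_all is not None and catch_all < pw:
            findings.append("userPassword rule is placed after 'access to *', "
                            "so slapd never reaches it")
        # Anonymous should only be able to bind (auth), never read the hash.
        for who, access in acls[pw][1]:
            if who.split()[0] == "anonymous" and access != "auth":
                findings.append(f"userPassword: anonymous gets '{access}' instead of 'auth'")
    # Every dn.base/dn.exact/... clause must name a DN inside this database.
    for what, clauses in acls:
        for who, _ in clauses:
            m = re.match(r'dn(?:\.\w+)?="?([^"]+)"?$', who)
            if m and not m.group(1).lower().endswith(suffix.lower()):
                findings.append(f"'{who}' under 'access to {what}' is outside "
                                f"suffix {suffix} and matches no DN in this database")
    return findings


if __name__ == "__main__":
    for finding in lint_acls(SAMPLE_ACL, SUFFIX) or ["no findings"]:
        print(finding)
```

To run it against a real server, read the file and pass the suffix from the database section (`suffix "dc=labs,dc=com"` in step 4 of the installation). The linter only understands the multi-line layout used above; slapd also accepts a whole directive on one line, which this example does not parse.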

◎ The access-control verification did not behave the way I expected; see the official documentation for a detailed explanation of these settings.

8) Configure the client to use LDAP for login authentication
#yum -y install pam_ldap nss-pam-ldapd
#setup


Starting nslcd: [ OK ]

◎ If you want to take on the manual configuration, here is how:
#vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
URI ldap://LDAP_Server_IP/
BASE ou=user,ou=login,dc=labs,dc=com
#vi /etc/nslcd.conf
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://LDAP_Server_IP/
base ou=login,dc=labs,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
#vi /etc/pam_ldap.conf
base ou=login,dc=labs,dc=com
# add at the last line
uri ldap://LDAP_Server_IP/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if needed (creates the home directory automatically if it does not exist)
session optional pam_mkhomedir.so skel=/etc/skel umask=077
#vi /etc/nsswitch.conf
passwd: files ldap # line 33: add
shadow: files ldap # add
group: files ldap # add
netgroup: files ldap # line 57: change
automount: files ldap # line 61: change
#vi /etc/sysconfig/authconfig
USELDAP=yes # line 18: change
#chkconfig --level 345 nslcd on
#reboot
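The manual client settings above use "ssl no" and "TLS_REQCERT never", which is fine for a lab but means nslcd and pam_ldap send each user's bind password to the server in clear text, and that server certificates are not checked if TLS is turned on later. The audit below is an added example, not code from the post or from the nss-pam-ldapd project: it reads the "key value" files (ldap.conf, nslcd.conf, pam_ldap.conf share the format) and nsswitch.conf, flags the clear-text and no-verification settings, and confirms that passwd, shadow and group actually list ldap. The three file contents are constructed copies of this step's settings; LDAP_Server_IP is the post's own placeholder, and "ssl start_tls" / "tls_reqcert demand" named in the test are documented nslcd.conf values.

```python
# Constructed copies of the client files from step 8 (not read from a live host).
LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
URI ldap://LDAP_Server_IP/
BASE ou=user,ou=login,dc=labs,dc=com
"""
NSLCD_CONF = """\
uid nslcd
gid ldap
uri ldap://LDAP_Server_IP/
base ou=login,dc=labs,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
"""
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap
"""


def parse_kv(text):
    """'key value' files such as ldap.conf, nslcd.conf and pam_ldap.conf.
    Keys are normalised to lower case (ldap.conf keys are case-insensitive);
    a repeated key keeps its last value, as the libraries do."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def parse_nsswitch(text):
    """nsswitch.conf: database -> list of sources in lookup order."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    return dbs


def audit_client(ldap_conf, nslcd_conf, nsswitch_conf):
    """Return a list of findings; an empty list means the client is configured
    the way this audit expects (encrypted binds, verified certificates, ldap in NSS)."""
    findings = []
    lc, nc, ns = parse_kv(ldap_conf), parse_kv(nslcd_conf), parse_nsswitch(nsswitch_conf)
    uri = nc.get("uri", "")
    # 'ssl no' (the spelling used above; nslcd also accepts off/on/start_tls)
    # with a plain ldap:// URI means simple binds travel unencrypted.
    if nc.get("ssl", "off") in ("no", "off", "0") and not uri.startswith("ldaps://"):
        findings.append("nslcd.conf: 'ssl no' with a ldap:// uri, so bind passwords "
                        "cross the network in clear text")
    # 'never' skips certificate validation entirely, in either file.
    if lc.get("tls_reqcert") == "never":
        findings.append("ldap.conf: 'TLS_REQCERT never' disables server certificate verification")
    if nc.get("tls_reqcert") == "never":
        findings.append("nslcd.conf: 'tls_reqcert never' disables server certificate verification")
    # Without ldap in these three databases, LDAP accounts never resolve or log in.
    for db in ("passwd", "shadow", "group"):
        if "ldap" not in ns.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list ldap, "
                            f"so LDAP accounts will not resolve")
    return findings


if __name__ == "__main__":
    for finding in audit_client(LDAP_CONF, NSLCD_CONF, NSSWITCH_CONF) or ["no findings"]:
        print(finding)
```

On a real client, pass `open("/etc/openldap/ldap.conf").read()` and the other two files instead of the constructed strings; pam_ldap.conf can be fed through parse_kv the same way, since it uses the same "ssl" and "tls_reqcert" keys.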

The settings above follow the LDAP client section of 朱老師筆記 (Teacher Chu's notes), so doing it by hand is the better way after all!

9) Verify the LDAP login mechanism over Secure Shell (SSH)
#ssh b299136575@LDAP_Server_IP
b299136575@LDAP_Server_IP's password:
Last login: Sat Jun 16 23:03:50 2012 from LDAP_Server_IP
Could not chdir to home directory /home/b299136575: No such file or directory

◎ Logging in with an LDAP account shows "Could not chdir to home directory /home/b299136575: No such file or directory" because that user's home directory has not been created; creating the user's home directory resolves it. If you happen to have a file server available, you can export the home directories over NFS and mount them with automount. For the remaining detailed settings, see the LDAP write-ups by Steven, Weithenn and Jamyy. I'm tired, that's a wrap!


11 Comments.

  1. Could I ask why, after installing LDAP, my Joomla can no longer connect to MySQL?

    • Do you mean Joomla was working normally before you installed LDAP? I don't think the two are directly related. You might first confirm that MySQL is running and accepting external connections (if the web and DB servers are separate, check the firewall and similar settings). If you want to integrate LDAP into Joomla's user database, you may need to look for related articles!

  2. Hello, may I ask whether you have tried letting users change their own password?

    • Sorry, I haven't tried letting users change their own password, but it should be possible with ldappasswd or ldapmodify; let me try it out.
      Another thread on this post mentions that an ACL problem for the user prevented them from changing their own password; you can refer to that.

  3. Thanks, 哆啦, for the detailed tutorial

  4. On the client machine, add
    session optional pam_mkhomedir.so skel=/etc/skel umask=077 to the /etc/openldap/ldap.conf file and the user's home directory will be created automatically

  5. $ldapsearch -x -b "dc=labs,dc=com"
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

    Only this much of the imported data shows up; may I ask where it went wrong?

  6. Everything is set up successfully
    (success screenshot)

    Why doesn't SSH login with the newly added LDAP account work?
