The predecessor of LDAP was the heavyweight X.500 directory service, but because it was so large and did so much, the lightweight directory service LDAP (Lightweight Directory Access Protocol) came along later, giving administrators an alternative. It is typically used for address books, user authorization and integration with applications. The basic elements of the LDAP model are objects (representations of data-structure objects), entries (the actual information), the tree structure (the DN [Distinguished Name, an absolute path] and the RDN [Relative Distinguished Name, a relative path]) and the hierarchical schema with its various attributes, which are defined in ASN.1 syntax. The common attributes are introduced below:
Attribute | Description | Example
---|---|---
objectClass | entry type | posixAccount
cn | common name (person or department name) | Mui Chen
sn | surname (last name) | Chen
dc | domain component | com
o | organization | ACME Inc.
ou | organizational unit | Sales
c | country | tw
That concludes the LDAP introduction, so next we go straight to hands-on work, in two parts: a basic LDAP installation, and setting up LDAP-integrated login authentication:
I. Basic LDAP installation and verification
1) Install the OpenLDAP server and client packages and confirm the installed versions
#yum -y install openldap-servers openldap-clients
#rpm -qa | grep -i 'openldap'
openldap-2.4.23-20.el6.x86_64
openldap-devel-2.4.23-20.el6.x86_64
openldap-servers-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64
2) Plan the whole LDAP organization tree (similar in concept to a relational database schema)
labs.com
├── login
│   ├── user
│   └── group
└── company
    ├── unit
    │   ├── mis
    │   ├── account
    │   └── hr
    └── customer
3) Copy the sample slapd.conf and DB_CONFIG into their directories (DB_CONFIG sets the index cache sizes and can be tuned for performance)
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
4) Generate the LDAP administrator password hash and set the root DN in slapd.conf
#slappasswd
New password: (enter the admin password)
Re-enter new password: (enter the admin password again)
{SSHA}???????????????????????????????
#vi /etc/openldap/slapd.conf
#suffix: defines the suffix (root) of your LDAP tree
#rootdn: the LDAP root (administrator) DN, which can add, delete and modify entries
#rootpw: the administrator's hashed password (the output of slappasswd above)
database bdb
suffix "dc=labs,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=labs,dc=com"
rootpw {SSHA}????????????????????????????????
5) Create root-unit.ldif to define the whole tree (LDIF: LDAP Data Interchange Format, similar to XML in that its syntax is strict: a space must follow each colon, each entry ends with a blank line, and the file must not start with blank lines)
#mkdir -p /etc/openldap/data
#vi /etc/openldap/data/root-unit.ldif
#root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

#login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit

#user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit

#group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit

##for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit

#for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

#human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit

#MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit

#Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit

# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
6) Remove the old data and load the root-unit.ldif just defined into the LDAP database
#rm -rf /etc/openldap/slapd.d/*
#slapadd -v -l /etc/openldap/data/root-unit.ldif
The first database does not allow slapadd; using the first available one (2)
added: "dc=labs,dc=com" (00000001)
added: "ou=login,dc=labs,dc=com" (00000002)
added: "ou=user,ou=login,dc=labs,dc=com" (00000003)
added: "ou=group,ou=login,dc=labs,dc=com" (00000004)
added: "ou=company,dc=labs,dc=com" (00000005)
added: "ou=unit,ou=company,dc=labs,dc=com" (00000006)
added: "ou=hr,ou=unit,ou=company,dc=labs,dc=com" (00000007)
added: "ou=mis,ou=unit,ou=company,dc=labs,dc=com" (00000008)
added: "ou=account,ou=unit,ou=company,dc=labs,dc=com" (00000009)
added: "ou=customer,ou=company,dc=labs,dc=com" (0000000a)
_#################### 100.00% eta none elapsed none fast!
Closing DB...
7) Generate the slapd.d configuration directory from the new slapd.conf and change its ownership
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
#ll /etc/openldap/slapd.d
total 8
drwxr-x---. 3 root root 4096 Jun 16 15:17 cn=config
-rw-------. 1 root root 986 Jun 16 15:17 cn=config.ldif
#chown -R ldap:ldap /var/lib/ldap
#chown -R ldap:ldap /etc/openldap/slapd.d
◎ If you later need to change slapd.conf, regenerate the configuration as follows:
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
#chown -R ldap:ldap /etc/openldap/slapd.d
#service slapd restart
8) Start the LDAP server, then check and set whether the service starts at boot
#service slapd start
#chkconfig --list slapd
#chkconfig --level 345 slapd on
9) Use ldapsearch to confirm that the LDAP tree is complete (-x: use simple authentication instead of SASL; -b: search base)
#ldapsearch -x -b 'dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# labs.com
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
# login, labs.com
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
# user, login, labs.com
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
# group, login, labs.com
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
# company, labs.com
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# customer, company, labs.com
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
10) Create the staff directory in users.ldif (designed on the same principle as the organizational units; mind the syntax)
#vi /etc/openldap/data/users.ldif
#Evan McNabb
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectclass: person
objectclass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
title: Employee

#Jenny Smith
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager

#Dax Kelson
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectclass: person
objectclass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
title: employee

#Bryan Croft
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectclass: person
objectclass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
title: employee

#Fred Smith
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee

#Nancy Smith
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee

#Lamont Peterson
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
title: employee

#Cameron Christensen
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectclass: person
objectclass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
title: Manager

#Jane Smith
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer

#Derek Carter
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectclass: person
objectclass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
title: engineer

#Stuart Jansen
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
title: engineer

#Sally Jansen
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
title: engineer

#Jan Johnson
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectclass: person
objectclass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
title: Manager

#John Smith
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant

#Tim Peterson
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
title: accountant

#Joan Jett
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectclass: person
objectclass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
title: accountant

#Cindy Jackson
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectclass: person
objectclass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
title: accountant
11) Add the staff directory to the LDAP database
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w <LDAP admin password> -x -a -f /etc/openldap/data/users.ldif
adding new entry "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
12) A few query examples to verify that the staff entries have been added to the LDAP database
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# Evan McNabb, hr, unit, company, labs.com
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectClass: person
objectClass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
title: Employee
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager
# Dax Kelson, hr, unit, company, labs.com
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectClass: person
objectClass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
title: employee
# Bryan Croft, hr, unit, company, labs.com
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectClass: person
objectClass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
title: employee
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee
# Lamont Peterson, hr, unit, company, labs.com
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
title: employee
# Cameron Christensen, mis, unit, company, labs.com
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectClass: person
objectClass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
title: Manager
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# Derek Carter, mis, unit, company, labs.com
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
title: engineer
# Stuart Jansen, mis, unit, company, labs.com
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
title: engineer
# Sally Jansen, mis, unit, company, labs.com
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
title: engineer
# Jan Johnson, account, unit, company, labs.com
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectClass: person
objectClass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
title: Manager
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant
# Tim Peterson, account, unit, company, labs.com
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
title: accountant
# Joan Jett, account, unit, company, labs.com
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectClass: person
objectClass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
title: accountant
# Cindy Jackson, account, unit, company, labs.com
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectClass: person
objectClass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
title: accountant
# search result
search: 2
result: 0 Success
# numResponses: 22
# numEntries: 21
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(sn=Smith)'
# extended LDIF
#
# LDAPv3
# base
# filter: (sn=Smith)
# requesting: ALL
#
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
title: Manager
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smith
mail: d191627793@labs.com
telephoneNumber: 02-29587572
title: employee
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
title: employee
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
title: accountant
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
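To show how the searches in step 12 are evaluated, the following added example (not part of the original tutorial) parses a small, constructed subset of the users.ldif entries above and runs the same filters offline, including the subtree check that `-b` implies; it supports only the `(attr=value)`, `(attr=*)`, `&`, `|` and `!` forms, not substrings or escaped values.

```python
"""Offline model of the step 12 searches: parse LDIF, then apply an LDAP filter."""
import re

# Constructed subset of this tutorial's users.ldif, trimmed to the attributes the
# filters below use; ou=customer lies outside the search base on purpose.
SAMPLE_LDIF = """\
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
sn: Smith
title: Manager

dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
sn: Smith
title: engineer

dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
sn: Smith
title: accountant

dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
sn: Carter
title: engineer

dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
"""


def parse_ldif(text):
    """Return entries as {lowercased attribute: [values]}: blank lines separate
    entries and '#' starts a comment (RFC 2849; folded and '::' lines not handled)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        current.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entries


def parse_filter(text):
    """Parse a subset of RFC 4515: (attr=value), presence (attr=*) and the
    &, |, ! operators into nested tuples; escapes and substrings are not handled."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op, children = text[pos], []
            pos += 1
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)               # raises if unterminated
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr.strip().lower(), value), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at %d in %r" % (pos, text))
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter %r" % text)
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry; equality is case-insensitive
    (the caseIgnoreMatch rule that sn and title use)."""
    op = tree[0]
    if op == "=":
        values = entry.get(tree[1], [])
        if tree[2] == "*":
            return bool(values)
        return any(v.lower() == tree[2].lower() for v in values)
    if op == "&":
        return all(matches(entry, c) for c in tree[1])
    if op == "|":
        return any(matches(entry, c) for c in tree[1])
    return not matches(entry, tree[1][0])            # op == "!"


def search(entries, base, filter_text):
    """Mimic `ldapsearch -b BASE FILTER` (default subtree scope): in scope when the
    DN equals BASE or ends with ',' + BASE (plain string compare, as DNs here are spelled consistently)."""
    tree, base = parse_filter(filter_text), base.lower()
    return [e["dn"][0] for e in entries
            if (e["dn"][0].lower() == base or e["dn"][0].lower().endswith("," + base))
            and matches(e, tree)]
```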
13) Enable encrypted transport for OpenLDAP (delete the old certificate and regenerate it)
#cd /etc/pki/tls/certs
#rm slapd.pem
#make slapd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ;
\
cat $PEM1 > slapd.pem ; \
echo "" >> slapd.pem ; \
cat $PEM2 >> slapd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..........+++
....................................................+++
writing new private key to '/tmp/openssl.Znr5LE'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei County
Organization Name (eg, company) [Default Company Ltd]:Labs Corp.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap.labs.com
Email Address []:iori@labs.com
#chmod 640 slapd.pem
#chown :ldap slapd.pem
#ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
#vi /etc/openldap/slapd.conf
#uncomment the following lines
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
#vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
#rm -rf /etc/openldap/slapd.d/*
#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
#chown -R ldap:ldap /etc/openldap/slapd.d
#service slapd restart
14) Check that the LDAP ports are listening (389 [LDAP/StartTLS] and 636 [LDAPS])
#netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1227/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5053/sshd
tcp 0 0 0.0.0.0:34742 0.0.0.0:* LISTEN 1245/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5131/master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 4916/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4916/slapd
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 5174/qpidd
tcp 0 0 :::111 :::* LISTEN 1227/rpcbind
tcp 0 0 :::22 :::* LISTEN 5053/sshd
tcp 0 0 :::44376 :::* LISTEN 1245/rpc.statd
tcp 0 0 ::1:25 :::* LISTEN 5131/master
tcp 0 0 :::636 :::* LISTEN 4916/slapd
tcp 0 0 :::389 :::* LISTEN 4916/slapd
udp 0 0 0.0.0.0:52246 0.0.0.0:* 4945/avahi-daemon
udp 0 0 0.0.0.0:52894 0.0.0.0:* 1245/rpc.statd
udp 0 0 0.0.0.0:978 0.0.0.0:* 1227/rpcbind
udp 0 0 0.0.0.0:997 0.0.0.0:* 1245/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4945/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 1227/rpcbind
udp 0 0 :::978 :::* 1227/rpcbind
udp 0 0 :::57707 :::* 1245/rpc.statd
udp 0 0 :::111 :::* 1227/rpcbind
◎ Finally, remember to confirm that the firewall allows the LDAP service through
15) Install and configure the LDAP client (for the case of a client connecting to the server)
#yum -y install openldap-clients
#vi /etc/openldap/ldap.conf
#the first line only needs to be set on the LDAP server itself; clients do not need it
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
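With `TLS_REQCERT never` the client encrypts the session but accepts any certificate, so it is protected against passive sniffing but not against a host impersonating ldap.labs.com. As an added example (not from the tutorial), the following audits a client ldap.conf for that setting and emits a hardened version that pins the self-signed slapd.pem from step 13 as the trust anchor; the file paths are the tutorial's, and a client hardened this way must then connect by the certificate's hostname (ldap.labs.com) rather than by IP address.

```python
"""Audit an OpenLDAP client ldap.conf for server-certificate verification."""
import re

# Constructed copy of the client ldap.conf written in step 15 of this tutorial.
WEAK_CONF = """\
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""

# TLS_REQCERT levels from ldap.conf(5), weakest first; only demand (the libldap
# default) and hard make the client abort when the certificate cannot be verified.
REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")


def parse_conf(text):
    """Return ldap.conf directives as {UPPERCASE_KEY: value}; a later line wins."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return directives


def audit(text):
    """Return findings; an empty list means the client will verify the server."""
    conf, findings = parse_conf(text), []
    level = conf.get("TLS_REQCERT", "demand").lower()
    if level not in REQCERT_LEVELS:
        findings.append("TLS_REQCERT has unknown value %r" % level)
    elif REQCERT_LEVELS.index(level) < REQCERT_LEVELS.index("demand"):
        findings.append("TLS_REQCERT %s: server certificate is not verified" % level)
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server against")
    return findings


def harden(text, ca_file):
    """Rewrite the config so the client demands a certificate that chains to ca_file.
    In this tutorial that is the self-signed slapd.pem itself, pinned directly with
    TLS_CACERT (TLS_CACERTDIR would need c_rehash-style hashed file names); with a
    CA-issued certificate it would be that CA's bundle instead."""
    kept = [l for l in text.splitlines()
            if not re.match(r"\s*TLS_(REQCERT|CACERT|CACERTDIR)\b", l, re.I)]
    kept += ["TLS_CACERT %s" % ca_file, "TLS_REQCERT demand"]
    return "\n".join(kept) + "\n"
```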
16) The following queries LDAP data over an encrypted (TLS) connection
#LDAPS on port 636 (no -Z: StartTLS applies only to ldap:// on port 389)
#ldapsearch -x -H ldaps://LDAP_Server_IP -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
#StartTLS on port 389; -ZZ makes ldapsearch fail if TLS cannot be negotiated
#ldapsearch -x -ZZ -h LDAP_Server_IP -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
title: engineer
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
II. Setting up LDAP-integrated login authentication
Since Sun introduced Sun Yellow Pages (what is now known in the Unix/Linux world as the Network Information Service [NIS], often mentioned for its vulnerabilities), Unix/Linux account management has had a complete unified solution, so let's get on with implementing unified account and password management with LDAP, as follows:
1) Set up the schema and attributes in slapd.conf (make sure the following line is present)
#vi /etc/openldap/slapd.conf
include /etc/openldap/schema/nis.schema
2) Plan the structure of user-login.ldif and how it maps to the original files
Anyone who has administered a system knows that /etc/passwd stores account information, /etc/shadow stores password information and /etc/group stores group information. The format of /etc/passwd is as follows:
steven:x:500:500::/home/steven:/bin/bash
(id:password:uid:gid:full_name:Home Directory:Login shell)
So for LDAP, the corresponding attributes must be used for logins to map correctly; the table below maps /etc/passwd fields to posixAccount attributes:
/etc/passwd field | posixAccount attribute
---|---
id | uid
password | userPassword
uid | uidNumber
gid | gidNumber
full_name | gecos
Home Directory | homeDirectory
Login shell | loginShell
The format of /etc/shadow is as follows:
steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::
(username:passwd:last:may:must:warn:expire:disable:reserved)
The mapping from /etc/shadow fields to shadowAccount attributes is as follows:
/etc/shadow field | shadowAccount attribute
---|---
username | uid
password | userPassword
last | shadowLastChange
may | shadowMin
must | shadowMax
warn | shadowWarning
expire | shadowExpire
disable | shadowInactive
reserved | shadowFlag
From the two mapping tables above, an ldif file must use at least these attributes to serve its purpose. Besides these two mappings there is also /etc/group, whose format is as follows:
steven:x:500:
(group name:password:group id:other account)
The mapping from /etc/group fields to posixGroup attributes is as follows:
/etc/group field | posixGroup attribute
---|---
group name | cn
password | userPassword
group id | gidNumber
other account | memberUid
So for system administration, groups matter too; don't forget them.
3) Build user-login.ldif (the LDAP database for login authentication) according to the mappings above
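As an added example (not from the tutorial), the following builds entries shaped like user-login.ldif from /etc/passwd, /etc/shadow and /etc/group records using the three mapping tables above, but stores the existing crypt(3) hash under the {CRYPT} scheme instead of a cleartext userPassword; note that the `userPassword::` value ldapsearch prints in Part II step 5 is only base64, not a hash, and decodes back to the cleartext that the anonymous search there was allowed to read. It assumes slapd was built with crypt support (true for the RHEL/CentOS packages) and reads the shadow fields in shadow(5) order, which puts the inactive-days field before the expiry date.

```python
"""Build user-login.ldif style entries from /etc/passwd, /etc/shadow and
/etc/group records, following the three mapping tables above."""
import base64

BASE_DN = "dc=labs,dc=com"                       # suffix from slapd.conf in Part I
USER_OU = "ou=user,ou=login," + BASE_DN
GROUP_OU = "ou=group,ou=login," + BASE_DN

# Constructed records in the formats shown above; the shadow hash is the one from
# the tutorial's sample line, and the Chinese full name exercises base64 output.
PASSWD = "steven:x:500:500::/home/steven:/bin/bash"
SHADOW = "steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::"
GROUP = "steven:x:500:"
PASSWD_ZH = "chen:x:501:500:陳小明:/home/chen:/bin/bash"


def ldif_line(attr, value):
    """Format one attribute line. Values LDIF cannot carry literally (leading
    space, ':' or '<', non-ASCII, NUL/CR/LF; RFC 2849) go base64 after '::'."""
    unsafe = value[:1] in (" ", ":", "<") or value.endswith(" ") or any(
        ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode())
    return "%s: %s" % (attr, value)


def decode_ldif_value(line):
    """Undo the '::' form, e.g. the userPassword that ldapsearch prints in step 5;
    ldapsearch always base64-encodes userPassword, so '::' does not mean hashed."""
    _attr, sep, value = line.partition(":: ")
    if not sep:
        return line.partition(": ")[2]
    return base64.b64decode(value).decode("utf-8")


def passwd_to_ldif(passwd_line, shadow_line=None):
    """Map a passwd record (plus its shadow record, if any) to a posixAccount/
    shadowAccount entry; the crypt(3) hash is stored under {CRYPT}, so no
    cleartext password is ever written (assumes slapd built with crypt support)."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    lines = ["dn: cn=%s,%s" % (name, USER_OU), "uid: " + name, "cn: " + name,
             "objectClass: account", "objectClass: posixAccount",
             "objectClass: shadowAccount", "uidNumber: " + uid,
             "gidNumber: " + gid, "homeDirectory: " + home, "loginShell: " + shell]
    if gecos:
        lines.append(ldif_line("gecos", gecos))
    if shadow_line:
        fields = shadow_line.split(":")
        if fields[0] != name:
            raise ValueError("shadow record is for %r, not %r" % (fields[0], name))
        if fields[1] and not fields[1].startswith(("!", "*")):   # locked: no password
            lines.append("userPassword: {CRYPT}" + fields[1])
        # shadow(5) field order: lastchange, min, max, warn, inactive, expire, flag
        for attr, value in zip(("shadowLastChange", "shadowMin", "shadowMax",
                                "shadowWarning", "shadowInactive", "shadowExpire",
                                "shadowFlag"), fields[2:9]):
            if value:
                lines.append("%s: %s" % (attr, value))
    return "\n".join(lines) + "\n"


def group_to_ldif(group_line):
    """Map an /etc/group record to a posixGroup entry; the password field is
    ignored ('x' just points at /etc/gshadow)."""
    name, _, gid, members = group_line.split(":")
    lines = ["dn: cn=%s,%s" % (name, GROUP_OU), "cn: " + name,
             "objectClass: posixGroup", "gidNumber: " + gid]
    lines += ["memberUid: " + m for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def migrate(passwd_lines, shadow_lines, group_lines):
    """Join passwd and shadow records by name and return one LDIF file's text,
    with the blank line between entries that ldapmodify -a requires."""
    shadow = {l.split(":")[0]: l for l in shadow_lines}
    entries = [passwd_to_ldif(p, shadow.get(p.split(":")[0])) for p in passwd_lines]
    entries += [group_to_ldif(g) for g in group_lines]
    return "\n".join(entries)
```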
#vi /etc/openldap/data/user-login.ldif
#Evan McNabb
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
uid: c293831287
cn: c293831287
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC293831287
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 600
gidNumber: 510
homeDirectory: /home/c293831287
gecos: Evan McNabb

#Jenny Smith
dn: cn=d197700415,ou=user,ou=login,dc=labs,dc=com
uid: d197700415
cn: d197700415
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD197700415
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 601
gidNumber: 510
homeDirectory: /home/d197700415
gecos: Jenny Smith

#Dax Kelson
dn: cn=d295723341,ou=user,ou=login,dc=labs,dc=com
uid: d295723341
cn: d295723341
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD295723341
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 602
gidNumber: 510
homeDirectory: /home/d295723341
gecos: Dax Kelson

#Bryan Croft
dn: cn=c297303122,ou=user,ou=login,dc=labs,dc=com
uid: c297303122
cn: c297303122
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC297303122
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 603
gidNumber: 510
homeDirectory: /home/c297303122
gecos: Bryan Croft

#Fred Smith
dn: cn=d191627793,ou=user,ou=login,dc=labs,dc=com
uid: d191627793
cn: d191627793
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrD191627793
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 604
gidNumber: 510
homeDirectory: /home/d191627793
gecos: Fred Smith

#Nancy Smith
dn: cn=b192927969,ou=user,ou=login,dc=labs,dc=com
uid: b192927969
cn: b192927969
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrB192927969
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 605
gidNumber: 510
homeDirectory: /home/b192927969
gecos: Nancy Smith

#Lamont Peterson
dn: cn=c293190610,ou=user,ou=login,dc=labs,dc=com
uid: c293190610
cn: c293190610
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: hrC293190610
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 606
gidNumber: 510
homeDirectory: /home/c293190610
gecos: Lamont Peterson

#Cameron Christensen
dn: cn=h191497299,ou=user,ou=login,dc=labs,dc=com
uid: h191497299
cn: h191497299
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miH191497299
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 607
gidNumber: 511
homeDirectory: /home/h191497299
gecos: Cameron Christensen

#Jane Smith
dn: cn=b299479351,ou=user,ou=login,dc=labs,dc=com
uid: b299479351
cn: b299479351
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miB299479351
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 608
gidNumber: 511
homeDirectory: /home/b299479351
gecos: Jane Smith

#Derek Carter
dn: cn=c291677874,ou=user,ou=login,dc=labs,dc=com
uid: c291677874
cn: c291677874
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miC291677874
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 609
gidNumber: 511
homeDirectory: /home/c291677874
gecos: Derek Carter

#Stuart Jansen
dn: cn=b297933030,ou=user,ou=login,dc=labs,dc=com
uid: b297933030
cn: b297933030
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miB297933030
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 610
gidNumber: 511
homeDirectory: /home/b297933030
gecos: Stuart Jansen

#Sally Jansen
dn: cn=f296974826,ou=user,ou=login,dc=labs,dc=com
uid: f296974826
cn: f296974826
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: miF296974826
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 611
gidNumber: 511
homeDirectory: /home/f296974826
gecos: Sally Jansen

#Jan Johnson
dn: cn=b299136575,ou=user,ou=login,dc=labs,dc=com
uid: b299136575
cn: b299136575
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acB299136575
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 612
gidNumber: 512
homeDirectory: /home/b299136575
gecos: Jan Johnson

#John Smith
dn: cn=e295689078,ou=user,ou=login,dc=labs,dc=com
uid: e295689078
cn: e295689078
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acE295689078
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 613
gidNumber: 512
homeDirectory: /home/e295689078
gecos: John Smith

#Tim Peterson
dn: cn=a293893990,ou=user,ou=login,dc=labs,dc=com
uid: a293893990
cn: a293893990
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acA293893990
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 614
gidNumber: 512
homeDirectory: /home/a293893990
gecos: Tim Peterson

#Joan Jett
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
uid: f192426229
cn: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acF192426229
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
gecos: Joan Jett

#Cindy Jackson
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
uid: d295380453
cn: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: acD295380453
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
gecos: Cindy Jackson
4) Import users-login.ldif into the LDAP database with the LDAP administrator account
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w LDAP_admin_password -x -a -f /etc/openldap/data/users-login.ldif
adding new entry "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d197700415,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d295723341,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c297303122,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d191627793,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b192927969,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c293190610,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=h191497299,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b299479351,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=c291677874,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b297933030,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=f296974826,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=b299136575,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=e295689078,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=a293893990,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=f192426229,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=d295380453,ou=user,ou=login,dc=labs,dc=com"
5) Use ldapsearch to check that the login data has been imported into the LDAP database
#ldapsearch -x -b 'ou=user,ou=login,dc=labs,dc=com'
...
# extended LDIF
#
# LDAPv3
# base
# filter: (cn=d295380453)
# requesting: ALL
#
# d295380453, user, login, labs.com
# f192426229, user, login, labs.com
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
uid: f192426229
cn: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: YWNGMTkyNDI2MjI5
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
gecos: Joan Jett
# d295380453, user, login, labs.com
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
uid: d295380453
cn: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: YWNEMjk1MzgwNDUz
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
gecos: Cindy Jackson
# search result
search: 2
result: 0 Success
# numResponses: 19
# numEntries: 18
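The `::` after `userPassword` in the output above only means the value is base64-encoded: `YWNGMTkyNDI2MjI5` decodes straight back to the cleartext written in the LDIF, so whoever may read the attribute holds the password itself. As an added example, not from the original post, the Python below decodes such a line and generates and verifies `{SSHA}` values in the format slappasswd emits, so the user entries can carry hashed passwords like rootpw does; the 8-byte salt length is an assumption, and `ldif_value`, `ssha_hash`, `ssha_verify` and `harden_ldif` are hypothetical helper names.

```python
"""Added example (not from the original post): decode the base64 userPassword that
ldapsearch printed, and generate/verify {SSHA} values in slappasswd's format."""
import base64, hashlib, hmac, os

def ldif_value(line):
    """Return (attr, value) for an LDIF line; '::' marks a base64-encoded value."""
    attr, _sep, rest = line.partition(":")
    if rest.startswith(": "):                          # "attr:: base64"
        return attr, base64.b64decode(rest[2:]).decode("utf-8")
    return attr, rest[1:]                              # "attr: value"

def ssha_hash(password, salt=None):
    """{SSHA} = base64(SHA-1(password + salt) + salt), the scheme slappasswd uses."""
    salt = os.urandom(8) if salt is None else salt      # 8-byte salt is an assumption
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; everything after the 20-byte digest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)      # constant-time compare

def harden_ldif(text):
    """Replace cleartext 'userPassword: x' lines with {SSHA} hashes before import."""
    out = []
    for line in text.splitlines():
        attr, value = ldif_value(line) if ":" in line else (None, None)
        if attr == "userPassword" and not value.startswith("{"):   # no scheme prefix yet
            line = "userPassword: " + ssha_hash(value)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed sample: the Joan Jett line exactly as ldapsearch printed it above.
    print(ldif_value("userPassword:: YWNGMTkyNDI2MjI5"))
    print(harden_ldif("dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com\n"
                      "userPassword: acF192426229\nuidNumber: 615\n"))
```

The ACL in the next step only limits who may read the attribute; storing a hash protects the value even where reads are allowed (the Manager account, backups, slapcat output).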
6) Following the mapping above, create group.ldif (the group part of the LDAP database) and import it
#vi /etc/openldap/data/group.ldif
#Human Resource
dn: cn=hr,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: hr
gidNumber: 510

#MIS
dn: cn=mis,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: mis
gidNumber: 511

#Account
dn: cn=account,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: account
gidNumber: 512
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w LDAP_admin_password -x -a -f /etc/openldap/data/group.ldif
adding new entry "cn=hr,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=mis,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=account,ou=group,ou=login,dc=labs,dc=com"
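Before running ldapmodify -a on either file it pays to lint them: the LDIF rules stated earlier (one space after the colon, a blank line between entries), uidNumbers that are numeric and unique, every gidNumber actually defined in group.ldif, and userPassword values that still lack a `{scheme}` prefix. This is an added example, not from the original post; `parse_ldif` and `lint_users` are hypothetical helper names, and it is run as `python lint_ldif.py users-login.ldif group.ldif`.

```python
"""Added example (not from the original post): lint users-login.ldif and group.ldif
before ldapmodify -a, catching the mistakes the post and its comments ran into."""
import base64, re, sys

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) (.*)$")  # "attr: v" or "attr:: base64"

def parse_ldif(text):
    """Return (entries, problems); an entry is a list of (attr, value) pairs."""
    entries, cur, problems = [], [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():                      # a blank line ends the current entry
            entries += [cur] if cur else []
            cur = []
        elif line.startswith("#"):                # LDIF comment line
            continue
        elif (m := ATTR_RE.match(line)) is None:  # e.g. "uid:x" with no space after the colon
            problems.append(f"line {no}: malformed attribute line {line!r}")
        else:
            if m[1] == "dn" and cur:              # second dn with no blank line before it
                problems.append(f"line {no}: dn without a blank line before it")
            value = base64.b64decode(m[3]).decode() if m[2] == "::" else m[3]
            cur.append((m[1], value))
    return entries + ([cur] if cur else []), problems

def lint_users(users, groups):
    """Cross-check posixAccount entries against the gidNumbers defined in group.ldif."""
    gids = {v for e in groups for a, v in e if a == "gidNumber"}
    seen, problems = {}, []
    for entry in users:
        attrs = dict(entry)
        dn = attrs.get("dn", "<no dn>")
        for num in ("uidNumber", "gidNumber"):
            if not attrs.get(num, "").isdigit():  # missing, or a typo such as "616."
                problems.append(f"{dn}: {num} {attrs.get(num)!r} is not a number")
        gid, uid = attrs.get("gidNumber", ""), attrs.get("uidNumber")
        if gid.isdigit() and gid not in gids:
            problems.append(f"{dn}: gidNumber {gid} is not defined in group.ldif")
        if uid in seen:
            problems.append(f"{dn}: uidNumber {uid} already used by {seen[uid]}")
        elif uid:
            seen[uid] = dn
        if not attrs.get("userPassword", "{").startswith("{"):  # no {SSHA}/{CRYPT} prefix
            problems.append(f"{dn}: userPassword is stored in cleartext")
    return problems

if __name__ == "__main__":  # usage: python lint_ldif.py users-login.ldif group.ldif
    users, p1 = parse_ldif(open(sys.argv[1]).read())
    groups, p2 = parse_ldif(open(sys.argv[2]).read())
    print("\n".join(p1 + p2 + lint_users(users, groups)) or "no problems found")
```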
7) Edit slapd.conf to change the LDAP ACLs (the entries contain the password attribute, and without a restriction everyone could look up other people's passwords)
#vi /etc/openldap/slapd.conf
#######################################################################
# ACL rules for access security (the Access Control part added here)
# Legitimate users can read the LDAP database but cannot read or write other people's passwords
#######################################################################
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=labs,dc=com" write
    by * none
#######################################################################
# For the nss_ldap mechanism to work, anonymous read access must be enabled, but it is restricted so that it cannot read from arbitrary IPs
#######################################################################
access to *
    by self write
    by users read
    by anonymous peername.IP=127.0.0.1 read
    by anonymous peername.IP=192.168.73.0%255.255.255.0 read
    by dn.base="cn=Manager,dc=labs,dc=com" write
    by * none
#service slapd restart
◎ My verification of the access-control part did not match what I expected; see the official documentation for a detailed explanation of these settings.
8) Configure the client to use LDAP for login authentication
#yum -y install pam_ldap nss-pam-ldapd
#setup
Starting nslcd: [ OK ]
◎ If you want to take on the manual configuration, here is how:
#vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
URI ldap://LDAP_Server_IP/
BASE ou=user,ou=login,dc=labs,dc=com
#vi /etc/nslcd.conf
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://LDAP_Server_IP/
base ou=login,dc=labs,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
#vi /etc/pam_ldap.conf
base ou=login,dc=labs,dc=com
# add at the last line
uri ldap://LDAP_Server_IP/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if you need ( create home directory automatically if it's none )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
#vi /etc/nsswitch.conf
passwd: files ldap # line 33: add
shadow: files ldap # add
group: files ldap # add
netgroup: files ldap # line 57: change
automount: files ldap # line 61: change
#vi /etc/sysconfig/authconfig
USELDAP=yes # line 18: change
#chkconfig --level 345 nslcd on
#reboot
The settings above follow the LDAP client configuration in Teacher Chu's notes, so doing it by hand is the better choice after all!
9) Verify the LDAP login mechanism over Secure Shell (SSH)
#ssh b299136575@LDAP_Server_IP
b299136575@LDAP_Server_IP's password:
Last login: Sat Jun 16 23:03:50 2012 from LDAP_Server_IP
Could not chdir to home directory /home/b299136575: No such file or directory
◎ The message "Could not chdir to home directory /home/b299136575: No such file or directory" on login with an LDAP account appears because that user's home directory has not been created; create the user's home directory and the problem is solved. If you happen to have a file server, you can use NFS together with automount to mount the users' home directories. For the remaining details, see Steven's, Weithenn's or Jamyy's write-ups on LDAP. I'm tired, that's a wrap!
May I ask why, after installing LDAP, my Joomla can no longer connect to MySQL?
Do you mean that Joomla worked normally before LDAP was installed? I don't think the two are directly related. You may want to first confirm that MySQL is running normally and accepts external connections (if the web and DB hosts are separate, check the firewall settings and so on). If what you want is to integrate LDAP into Joomla's user database, you will probably need to look for related articles!
Hello, may I ask, have you tried letting users change their own passwords?
Sorry, I haven't tried letting users change their own passwords, but it should be possible with ldappasswd or ldapmodify. Let me try it out.
This post and another discussion mention that an ACL problem on the user side prevents users from changing their own passwords; you may want to take a look.
Thanks, 哆啦大, for the detailed tutorial.
In the client machine's /etc/openldap/ldap.conf file, add
session optional pam_mkhomedir.so skel=/etc/skel umask=077 and the users' home directories will be created automatically.
$ldapsearch -x -b "dc=labs,dc=com"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Only this little data was imported; where did I go wrong?
I'm not sure whether it is an access-permission problem on your side or whether the data was simply never imported into the LDAP DB; just my rough guess.....
It was indeed that I had not imported it. When copying user-login.ldif, an extra dot was added at every line break.
Everything is set up successfully now.
Success screenshot
Why doesn't SSH login with a newly added LDAP account work?
So su works locally, then?