Linux Admin Concise Tutorial

Install and Configure Open LDAP

LDAP, the Lightweight Directory Access Protocol, is a protocol for accessing X.500 directory service containers within an enterprise. Those who are familiar with Windows Server administration can think of LDAP as being very similar in nature to Active Directory. Intertwining Windows workstations into an OpenLDAP CentOS enterprise is even a widely used approach. At the other end of the spectrum, a CentOS Linux workstation can share resources and participate in the basic functionality of a Windows domain.

Deploying LDAP on CentOS as a Directory Server Agent, Directory System Agent, or DSA (these acronyms are all one and the same) is similar to older Novell NetWare installations using the directory tree structure of NDS.

Brief History of LDAP

LDAP was created as an efficient way to access X.500 directories holding enterprise resources. X.500 and LDAP share the same characteristics and are so similar that LDAP clients can access X.500 directories with some helpers. LDAP also has its own directory server, called slapd. The main difference between LDAP and DAP is that the lightweight version is designed to operate over TCP, while DAP uses the full OSI model.

With the advent of the Internet and the prominence of TCP/IP and Ethernet in today's networks, it is rare to come across a directory services implementation using both DAP and native X.500 enterprise directories outside specific legacy computing models.

The main components used with openldap for CentOS Linux are −

openldap − LDAP support libraries

openldap-servers − LDAP server

openldap-clients − LDAP client utilities

openldap-devel − Development libraries for OpenLDAP

compat-openldap − OpenLDAP shared libraries

slapd − Directory server daemon of OpenLDAP

slurpd − Used for LDAP replication across an enterprise domain

Note − When naming your enterprise, it is a best practice to use the .local TLD. Using .net or .com can cause difficulties when segregating the online and internal domain infrastructure. Imagine the extra work for a company that uses acme.com internally for both external and internal operations. Hence, it can be wise to have Internet resources called acme.com or acme.net, while the local enterprise network resources are named acme.local. This entails configuring DNS records, but pays off in simplicity, clarity and security.

Install Open LDAP on CentOS

Install openldap, openldap-servers, openldap-clients and migrationtools from YUM.

[root@localhost]# yum -y install openldap openldap-servers openldap-clients migrationtools
Loaded plugins: fastestmirror, langpacks
updates                                                  | 3.4 kB  00:00:00
updates/7/x86_64/primary_db                              | 2.2 MB  00:00:05
Determining fastest mirrors
(1/2): extras/7/x86_64/primary_db                        | 121 kB  00:00:01
(2/2): base/7/x86_64/primary_db                          | 5.6 MB  00:00:16
Package openldap-2.4.40-13.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.40-13.el7 will be installed
---> Package openldap-servers.x86_64 0:2.4.40-13.el7 will be installed
--> Finished Dependency Resolution
base/7/x86_64/group_gz                                   | 155 kB  00:00:00

Dependencies Resolved

================================================================================
 Package                 Arch        Version              Repository       Size
================================================================================
Installing:
 openldap-clients        x86_64      2.4.40-13.el7        base            188 k
 openldap-servers        x86_64      2.4.40-13.el7        base            2.1 M

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 2.3 M
Installed size: 5.3 M
Downloading packages:

Installed:
  openldap-clients.x86_64 0:2.4.40-13.el7
  openldap-servers.x86_64 0:2.4.40-13.el7
Complete!
[root@localhost]#

Now, let's start and enable the slapd service −

[root@centos]# systemctl start slapd
[root@centos]# systemctl enable slapd

At this point, let's make sure we have our openldap structure in /etc/openldap.

[root@localhost]# ls /etc/openldap/
certs  check_password.conf  ldap.conf  schema  slapd.d
[root@localhost]#

Then make sure our slapd service is running and listening on port 389.

[root@centos]# netstat -antup | grep slapd
tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN      1641/slapd
tcp6       0      0 :::389                 :::*                   LISTEN      1641/slapd
[root@centos]#

Next, let's configure our Open LDAP installation. Make sure our system ldap user has been created.

[root@localhost]# id ldap
uid=55(ldap) gid=55(ldap) groups=55(ldap)
[root@localhost]#

Generate our LDAP credentials with slappasswd, which prompts for the admin password and prints its hash.

[root@localhost]# slappasswd
New password:
Re-enter new password:
{SSHA}20RSyjVv6S6r43DFPeJgASDLlLoSU8g.a10

[root@localhost]#

We need to save the output from slappasswd; it becomes the olcRootPW value in the next step.

Configure Open LDAP

Step 1 − Configure LDAP for the domain and add the administrative user.

First, we want to set up our OpenLDAP environment. The following is a template to use with the ldapmodify command (saved here as db.ldif); paste the hash printed by slappasswd as the olcRootPW value.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=vmnet,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=vmnet,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <output from slappasswd>

Apply the changes with the ldapmodify command; this rewrites /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif, an auto-generated file that must not be edited by hand.

[root@localhost]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/rdc/Documents/db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

[root@localhost cn=config]#

Let's check the modified LDAP configuration.

[root@centos]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a163f14c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1bd9aa2a-8516-1036-934b-f7eac1189139
creatorsName: cn=config
createTimestamp: 20170212022422Z
olcSuffix: dc=vmnet,dc=local
olcRootDN: cn=ldapadm,dc=vmnet,dc=local
olcRootPW:: e1NTSEF1bUVyb1VzZTRjc2dkYVdGaDY0T0k=
entryCSN: 20170215204423.726622Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170215204423Z

[root@centos]#

As you can see, our LDAP enterprise modifications were successful.

Next, we want to create a self-signed SSL certificate for OpenLDAP. This will secure the communication between the enterprise server and clients.

Step 2 − Create a self-signed certificate for OpenLDAP.

We will use openssl to create a self-signed SSL certificate. Go to the next chapter, Create LDAP SSL Certificate with openssl, for instructions on securing communications with OpenLDAP. Once the SSL certificates are configured, our OpenLDAP enterprise configuration will be complete.

Step 3 − Configure OpenLDAP to use secure communications with the certificate.

Create a certs.ldif file in vim with the following content −

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/yourGeneratedCertFile.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/yourGeneratedKeyFile.pem

Next, use the ldapmodify command again to merge the changes into the OpenLDAP configuration.

[root@centos rdc]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@centos]#

Finally, let's test our OpenLDAP configuration.

[root@centos]# slaptest -u
config file testing succeeded
[root@centos]#

Step 4 − Set up the slapd database.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG && \
chown ldap:ldap /var/lib/ldap/*

Update the OpenLDAP schema by adding the cosine, nis and inetorgperson LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Finally, create the enterprise base entries and add them to the current OpenLDAP configuration. The following is for a domain called vmnet.local with an LDAP admin called ldapadm (saved here as base.ldif).

dn: dc=vmnet,dc=local
dc: vmnet
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=vmnet,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=vmnet,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=vmnet,dc=local
objectClass: organizationalUnit
ou: Group

Finally, import this into the current OpenLDAP directory.

[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f ./base.ldif
Enter LDAP Password:
adding new entry "dc=vmnet,dc=local"

adding new entry "cn=ldapadm,dc=vmnet,dc=local"

adding new entry "ou=People,dc=vmnet,dc=local"

adding new entry "ou=Group,dc=vmnet,dc=local"

[root@centos]#

Step 5 − Set up OpenLDAP enterprise users.

Open vim or your favorite text editor and copy the following format into entuser.ldif. This sets up a user named "entacct" in the "vmnet.local" LDAP domain.

dn: uid=entacct,ou=People,dc=vmnet,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: entacct
uid: entacct
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/entacct
loginShell: /bin/bash
gecos: Enterprise User Account 001
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
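Before handing a hand-written file like base.ldif or entuser.ldif to ldapadd, it is worth linting it for the slips that creep into these files. The following Python is an added example, not part of the tutorial: it parses LDIF (including the "attr:: base64" form), flags whitespace inside DNs, a homeDirectory that does not match the uid, and a userPassword stored without a {scheme} prefix (i.e. in cleartext). The SAMPLE is constructed and deliberately reproduces two typos from the tutorial's original files.

```python
import base64
import re

def parse_ldif(text):
    # Split LDIF text into (dn, {attr: [values]}) tuples; entries end at a blank line.
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # 'attr:: <base64>' form (RFC 2849)
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def lint_entry(dn, attrs):
    problems = []
    # Whitespace around '=' or ',' in a DN relies on lenient parsing; RFC 4514 form has none.
    if re.search(r"\s[=,]|[=,]\s", dn):
        problems.append(f"{dn!r}: stray whitespace in DN")
    if "posixAccount" in attrs.get("objectClass", []):
        uid, home = attrs.get("uid", [""])[0], attrs.get("homeDirectory", [""])[0]
        if home and home.rstrip("/").rsplit("/", 1)[-1] != uid:
            problems.append(f"{dn}: homeDirectory {home} does not match uid {uid}")
    if any(not pw.startswith("{") for pw in attrs.get("userPassword", [])):
        problems.append(f"{dn}: userPassword has no {{scheme}} prefix (cleartext)")
    return problems

def lint_ldif(text):
    return [p for dn, attrs in parse_ldif(text) for p in lint_entry(dn, attrs)]

# Constructed sample reproducing two slips from the tutorial's original files.
SAMPLE = """dn: cn=ldapadm ,dc=vmnet,dc=local
objectClass: organizationalRole
cn: ldapadm

dn: uid=entacct,ou=People,dc=vmnet,dc=local
objectClass: posixAccount
uid: entacct
homeDirectory: /home/enyacct
userPassword:: e2NyeXB0fXg=
"""
```

Running lint_ldif over the tutorial's entries after they have been corrected returns an empty list; the same check run over a dump from ldapsearch also surfaces any account whose userPassword was loaded without a hash scheme.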

Now import the above file, as saved, into the OpenLDAP directory.

[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f entuser.ldif
 Enter LDAP Password:
adding new entry "uid=entacct,ou=People,dc=vmnet,dc=local"

[root@centos]#

Before the user can access the LDAP enterprise, we need to assign a password as follows −

ldappasswd -s password123 -W -D "cn=ldapadm,dc=vmnet,dc=local" -x "uid=entacct,ou=People,dc=vmnet,dc=local"

-s specifies the new password for the user (it is visible in shell history and the process list; -S prompts for it instead)

-x uses simple authentication; the final argument is the DN of the user whose password is updated

-D is the distinguished name used to authenticate against the LDAP directory

Finally, before logging into the enterprise account, let's check our OpenLDAP entry.

[root@centos rdc]# ldapsearch -x cn=entacct -b dc=vmnet,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=vmnet,dc=local> with scope subtree
# filter: cn=entacct
# requesting: ALL
#

# entacct, People, vmnet.local
dn: uid=entacct,ou=People,dc=vmnet,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: entacct
uid: entacct
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/entacct
loginShell: /bin/bash
gecos: Enterprise User Account 001
userPassword:: e2NyeXB0fXg=
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Converting things like /etc/passwd and /etc/group to OpenLDAP authentication requires the migration tools. These are included in the migrationtools package and are installed into /usr/share/migrationtools.

[root@centos openldap-servers]# ls -l /usr/share/migrationtools/
total 128
-rwxr-xr-x. 1 root root  2652 Jun  9  2014 migrate_aliases.pl
-rwxr-xr-x. 1 root root  2950 Jun  9  2014 migrate_all_netinfo_offline.sh
-rwxr-xr-x. 1 root root  2946 Jun  9  2014 migrate_all_netinfo_online.sh
-rwxr-xr-x. 1 root root  3011 Jun  9  2014 migrate_all_nis_offline.sh
-rwxr-xr-x. 1 root root  3006 Jun  9  2014 migrate_all_nis_online.sh
-rwxr-xr-x. 1 root root  3164 Jun  9  2014 migrate_all_nisplus_offline.sh
-rwxr-xr-x. 1 root root  3146 Jun  9  2014 migrate_all_nisplus_online.sh
-rwxr-xr-x. 1 root root  5267 Jun  9  2014 migrate_all_offline.sh
-rwxr-xr-x. 1 root root  7468 Jun  9  2014 migrate_all_online.sh
-rwxr-xr-x. 1 root root  3278 Jun  9  2014 migrate_automount.pl
-rwxr-xr-x. 1 root root  2608 Jun  9  2014 migrate_base.pl

Step 6 − Finally, we need to allow access to the slapd service through the firewall so it can serve requests.

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Configure LDAP Client Access

Configuring LDAP client access requires the following packages on the client: openldap, openldap-clients, and nss-pam-ldapd.

Configuring LDAP authentication for client systems is a bit easier.

Step 1 − Install the dependent packages −

# yum install -y openldap-clients nss-pam-ldapd

Step 2 − Configure LDAP authentication with authconfig.

authconfig --enableldap --enableldapauth --ldapserver=10.25.0.1 --ldapbasedn="dc=vmnet,dc=local" --enablemkhomedir --update

As written, the client binds to the server in the clear. Since Step 3 installed a certificate on the server, add --enableldaptls to the authconfig command (and make the server's certificate trusted on the client) so that user credentials are not sent in plaintext.

Step 3 − Restart the nslcd service.

systemctl restart nslcd