Linux環境下通過OpenLDAP實現用戶的統一認證和管理

測試環境：

OpenLDAP Server <-------------------------------------------->OpenLDAP Client

ip:192.168.4.178 ip:192.168.4.177

Centos 6.4 Centos 6.4

hostname:open*** hostname:open***-client

一、OpenLDAP Server的安裝和配置

[root@open*** ~]# yum install -y openldap openldap-servers openldap-clients
[root@open*** ~]# cd /etc/openldap/
[root@open*** openldap]# mv slapd.d slapd.d-bak
[root@open*** openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
創建slappasswd密碼：

[root@open*** ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX

[root@open*** openldap]# vi /etc/openldap/slapd.conf

suffix "dc=test,dc=com"
rootpw {SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX /將md5值粘貼到此

directory /var/lib/ldap

[root@open*** openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded

[root@open*** openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@open*** openldap]#cd /var/lib/ldap

[root@open*** ldap]# chown ldap.ldap DB_CONFIG*

[root@open*** ldap]#cd

[root@open*** ~]# service slapd start
[root@open*** ~]#chkconfig slapd on

[root@open*** ldap]# ldapsearch -x -b "dc=test,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

解決方法：
[root@open*** ldap]# vi /etc/sysconfig/ldap
SLAPD_LDAPI=no

[root@open*** ldap]# vi /etc/openldap/ldap.conf
base dc=test,dc=com
uri ldap://192.168.4.178

[root@open*** ldap]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]

[root@open*** ldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

創建用戶ldapuser1,ldapuser2其密碼分別爲123456

[root@open*** ldap]# useradd ldapuser1
[root@open*** ldap]# echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@open*** ldap]# useradd ldapuser2
[root@open*** ldap]# echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.

安裝migrationtools遷移本地用戶到LDAP的工具包

[root@open*** ldap]# yum install -y migrationtools

[root@open*** ldap]# cd /usr/share/migrationtools/
[root@open*** migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";

# Default base
$DEFAULT_BASE = "dc=test,dc=com";

[root@open*** migrationtools]# ./migrate_base.pl > base.ldif

[root@open*** migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@open*** migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif /遷移用戶
[root@open*** migrationtools]# vi user.ldif
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$fiweB1Cv$UrLDDL9yWi8W7djPJQosXGEb3v5VbSmyhzRdunpWHJso0hysXeus9i0c87vY2CVQSb0ySU.Uv6moqzZBB1nF//
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$RK3zu0Np$2FssBfu3XJIeKOmJzyOmZgWoXk9npkpZquGvac0HoWbeB6A1aNjX.a2mxQhPIi6mhScV.PNTdE2AIs1l758GC1
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

[root@open*** migrationtools]# ./migrate_group.pl /etc/group ./group.ldif /遷移組
[root@open*** migrationtools]# vi group.ldif

n: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 502

dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 503

[root@open*** ~]# ldapadd -D "cn=open***,dc=test.com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

解決方法：
[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"

[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"

adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"

[root@open*** ~]# ldapsearch -x -b "dc=test.com" /報錯
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

解決方法：
[root@open*** ~]# ldapsearch -x -b "dc=test,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.com
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

# People, test.com
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, test.com
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZpd2VCMUN2JFVyTERETDl5V2k4VzdkalBKUW9zWEdFYjN2NVZ
iU215aHpSZHVucFdISnNvMGh5c1hldXM5aTBjODd2WTJDVlFTYjB5U1UuVXY2bW9xelpCQjFuRi8v
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

# ldapuser2, People, test.com
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFJLM3p1ME5wJDJGc3NCZnUzWEpJZUtPbUp6eU9tWmdXb1hrOW5
wa3BacXVHdmFjMEhvV2JlQjZBMWFOalguYTJteFFoUElpNm1oU2NWLlBOVGRFMkFJczFsNzU4R0Mx
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

# ldapuser1, Group, test.com
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 502

# ldapuser2, Group, test.com
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 503

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

二、OpenLDAP Client安裝和配置

[root@open***-client ~]# yum install openldap openldap-clients -y

[root@open***-client ~]# yum install -y nss-pam-ldapd pam_ldap

[root@open***-client ~]# vi /etc/openldap/ldap.conf

BASE dc=test,dc=com
URI ldap://192.168.4.178

[root@open***-client ~]# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:         files ldap

[root@open***-client ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

[root@open***-client ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required     pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required     pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

[root@open***-client ~]# service nslcd restart

[root@open***-client ~]#chkconfig nslcd on

三、通過NFS實現LDAP用戶/home的自動掛載

四、通過Phpldapadmin實現LDAP用戶的WEB創建和管理

Linux環境下通過OpenLDAP實現用戶的統一認證和管理

如何使用 JS 判斷用戶是否處於活躍狀態

lightdb秒級增加列和刪除列（not null帶默認值）

lightdb數據庫超時相關控制參數

通過HPA+CronHPA組合應對業務複雜彈性伸縮場景

❤️‍🔥 Solon Cloud Event 新的事務特性與應用

lightdb mysql 8.0兼容之不可見主鍵

使用 JS 實現在瀏覽器控制檯打印圖片 console.image()

基於Ubuntu-22.04安裝K8s-v1.28.2實驗（四）使用域名訪問網站應用

遷移 VMware 虛擬機到 KVM

成功之道-李嘉誠演講

雲架構、雲網絡及雲技術不錯的幾篇博文

mysql維護管理的幾點小技巧（自我總結）

我的友情鏈接

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結