LDAP服務器用於統一認證賬戶信息,有點類似通訊錄,實現集中管理用戶賬戶的功能。系統爲CentOS6.4。
安裝openldap和Berkeley DB, openldap使用Berkeley DB存儲數據。1)服務端yum install openldap openldap-servers openldap-clients openldap-devel compat-openldapyum install db4 db4-utils
2)客戶端yum install nss-pam-ldapd pam_ldap openldap-clients
二、服務端配置
1) 首先生成管理員密碼:slappasswd輸完兩遍密碼後會生成一個加密散列字符串,保存下來。如:
{SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738
2)編輯數據庫配置文件,設置域名:vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif找到:olcSuffix: dc=my-domain,dc=com修改dc:olcSuffix: dc=ldap,dc=stone,dc=com設置目錄樹後綴(域名),作用是定義根的名字。
找到:olcRootDN: cn=Manager,dc=my-domain,dc=com修改dc:olcRootDN: cn= Manager,dc=ldap, dc=stone,dc=com設置管理員DN。PS:LDAP管理員cn默認爲Manager,可以改成自己需要的名字。
在olcDatabase={2}bdb.ldif最後添加:olcRootPW: {SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738設置管理員密碼。
3)指定監控權限:vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif找到:dn.base=”cn=manager,dc=my-domain,dc=com”修改爲:dn.base=”cn= Manager,dc=ldap,dc=stone,dc=com”修改默認域名。
4) /etc/openldap/slapd.conf
************************************
include/etc/openldap/schema/corba.schema
include/etc/openldap/schema/core.schema
include/etc/openldap/schema/cosine.schema
include/etc/openldap/schema/duaconf.schema
include/etc/openldap/schema/dyngroup.schema
include/etc/openldap/schema/inetorgperson.schema
include/etc/openldap/schema/java.schema
include/etc/openldap/schema/misc.schema
include/etc/openldap/schema/nis.schema
include/etc/openldap/schema/openldap.schema
include/etc/openldap/schema/ppolicy.schema
include/etc/openldap/schema/collective.schema
include/etc/openldap/schema/sudo.schema
allow bind_v2
pidfile/var/run/openldap/slapd.pid
argsfile/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile “\”OpenLDAP Server\”"
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” manage
by * none
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=stone,dc=com” read
by * none
databasebdb
suffix“dc=ldap,dc=stone,dc=com”
checkpoint1024 15
rootdn“cn=Manager,dc=ldap,dc=stone,dc=com”
rootpw{SSHA}hcZ+9TR6qnqjbzCK9KlJOdqkUBmi9irL
directory/var/lib/ldap
index sudoUser eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
***************************************************************
5)設置Database Cache:cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG設置權限:chown -R ldap:ldap /var/lib/ldap/
從.schema生成.ldif配置
slaptest -v -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
測試配置文件是否有錯:slaptest -u提示:
config file testing succeeded
測試通過。
三、創建LDAP數據庫
# ldap.stone.com
dn: dc=ldap,dc=stone,dc=com
dc: ldap
objectClass: top
objectClass: domain
# people.ldap. stone.com
dn: ou=people,dc=ldap,dc=stone,dc=com
objectClass: organizationalUnit
ou: people
# group.ldap.ciwong.com
dn: ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: organizationalUnit
ou: group
# sudoers.ldap. ciwong.com
dn: ou=sudoers,dc=ldap,dc=ciwong,dc=com
objectClass: top
objectClass: organizationalUnit
description: sudo configuration subtree
ou: sudoers
#用戶組
dn: cn=a1,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a1
userPassword: {crypt}x
gidNumber: 501
dn: cn=a2,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a2
userPassword: {crypt}x
gidNumber: 502
#用戶:
# a1, people, stone.com
dn: uid=a1,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a1
cn: a1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNpTEw4cFpvJGdwN1RidlBOQjRkSU1ZL0d4eWZ2THNESGtBN2R
CWkcvbWZEelRYZzhQU2FlWWNucFV6S3hSR2VBcXZnL1VRTE1Qbkt6aTR3cExDa2NJMk54M3hOZkIu
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/a1
# a2, people, stone.com
dn: uid=a2,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a2
cn: a2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFRYbXNvU3RiJE9BS1JpYTZVZ0NyMHFFS28wUHJ0NUVPMnpUVmV
lTGVKZ0lZN2I2a3BWUmNIUWVFa3pOajJoQUR2dmE1US54amkua0lSY3hIWUJLdjhDUTZtejdrMGMv
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/a2
#具有sudo權限的用戶
# role.sudoers.ldap. stone.com
dn: cn=role,ou=sudoers,dc=ldap,dc=stone,dc=com
objectClass: sudoRole
objectClass: top
cn: role
sudoUser: %a1
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: !/bin/sh
sudoCommand: ALL
**********************************************************
客戶端
1)運行setup命令,設置LDAP驗證
2)/etc/nslcd.conf配置如下:
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.131.141/
base dc=stone,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
************************
Sudo 配置/etc/sudo-ldap.conf
uri ldap://192.168.1.167/
base dc=ldap,dc=ciwong,dc=com
sudoers_base ou=SUDOers,dc=ldap,dc=ciwong,dc=com
3)/etc/nsswitch.conf添加一行:
sudoers:ldap files
可以查看到ldap服務器的用戶,但家目錄還是有問題
設定用戶家目錄兩種方法
方法一:
家目錄一樣可以使用autofs來解決:
–在ldap服務端使用nfs共享家目錄
[root@ldap config]# vim /etc/exports
/home *(rw)
[root@ldap config]# /etc/init.d/nfs restart
–在ldap客戶端配置autofs服務
vim /etc/auto.master
/home/etc/auto.home
vim /etc/auto.home
* -rw 192.168.131.141:/home/&
/etc/init.d/autofsrestart
然後在客戶端上對先前的a1,a2,a3用戶及其密碼進行驗證,都OK
方法二:
設置第一次登陸時建立家目錄vim /etc/pam.d/system-auth在最後添加:session required pam_mkhomedir.so skel=/etc/skel umask=0022
Example of an LDAP entry formerly using the NOPASSWD tag:
sudoCommand: /sbin/whatever *sudoOption: !authenticatesudoHost: ALL or hostnamesudoRunAs: rootsudoUser: user with sudo privs
Translation of /etc/sudoers tags into sudoOption
NOPASSWD: !authenticate
PASSWD: authenticate
NOEXEC: noexec
EXEC: !noexec