注:以Ubuntu 10.04版本爲例,LDAP服務器和客戶端爲同一臺機器,最新openldap軟件服務器端無單獨的配置文件,而是將配置信息保存於數據庫中。
1. LDAP服務器端安裝與配置
1.1 安裝LDAP服務器相關軟件
sudo apt-get install slapd ldap-utils
1.2 配置LDAP服務器數據庫
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
(1)創建數據庫
在/var/lib/ldap/下創建create_database.ldif文件:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: cn=admin,dc=edu,dc=example,dc=org
olcRootPW: {SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX
olcDbConfig: {0}set_cachesize0 2097152 0
olcDbConfig: {1}set_lk_max_objects1500
olcDbConfig: {2}set_lk_max_locks1500
olcDbConfig: {3}set_lk_max_lockers1500
olcLastMod: TRUE
olcDbCheckpoint: 51230
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: cn=admin,dc=edu,dc=example,dc=org
olcRootPW: {SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX
olcDbConfig: {0}set_cachesize0 2097152 0
olcDbConfig: {1}set_lk_max_objects1500
olcDbConfig: {2}set_lk_max_locks1500
olcDbConfig: {3}set_lk_max_lockers1500
olcLastMod: TRUE
olcDbCheckpoint: 51230
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
導入:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/create_database.ldif
注:create_database.ldif文件中olcRootPW參數後面的密文對應明文爲"example",可用slappasswd命令獲取明文對應的密文
(2)初始化數據庫
在/var/lib/ldap/下創建init_database.ldif文件:
dn: dc=edu,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: edu.example.org
dc: edu
#description: LDAP root
dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
objectClass: top
objectClass: dcObject
objectclass: organization
o: edu.example.org
dc: edu
#description: LDAP root
dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/init_database.ldif
(3)modify the ACL to limit access to the database.
在/var/lib/ldap/下創建acls.ldif文件:
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by* read
olcAccess: {2}to* by dn="cn=admin,dc=edu,dc=example,dc=org" write by* read
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by* read
olcAccess: {2}to* by dn="cn=admin,dc=edu,dc=example,dc=org" write by* read
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/acls.ldif
(4)測試數據庫
sudo ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org
1.3 使用遷移工具migrationtools
(1)安裝
sudo apt-get install migrationtools
(2)使用該工具遷移Linux系統中的用戶和組到LDAP服務器中
cd /usr/share/migrationtools/
./migrate_group.pl /etc/group ./group.ldif
./migrate_passwd.pl /etc/passwd ./passwd.ldif
修改group.ldif中組的父域名爲ou=Groups,dc=edu,dc=example,dc=org
修改passwd.ldif中用戶的父域名爲ou=People,dc=edu,dc=example,dc=org
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./group.ldif
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./passwd.ldif
1.4 使用ldap服務器管理工具ldapscripts
(1)安裝
sudo apt-get install ldapscripts
(2)修改配置文件
# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=edu,dc=example,dc=org"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=edu,dc=example,dc=org"# Global suffix
GSUFFIX="ou=Groups"# Groups ou (just under $SUFFIX)
USUFFIX="ou=People"# Users ou (just under $SUFFIX)
#MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
PASSWORDGEN="<ask>"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=edu,dc=example,dc=org"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=edu,dc=example,dc=org"# Global suffix
GSUFFIX="ou=Groups"# Groups ou (just under $SUFFIX)
USUFFIX="ou=People"# Users ou (just under $SUFFIX)
#MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
PASSWORDGEN="<ask>"
注:如紅字所示,照應前面的配置,向ldapscripts.passwd寫入密碼的命令爲:echo -n 'example' > /etc/ldapscripts/ldapscripts.passwd
(3)使用
sudo ldapaddgroup testgroup
sudo ldapadduser testuser testgroup
sudo ldapsetpasswd testuser
(4)測試
getent passwd
getent group
2. LDAP客戶端安裝與配置
2.2 安裝配置完成後,使用以下命令驗證訪問LDAP服務器是否成功
-----------------------------------------------
【參考】
2. LDAP客戶端安裝與配置
2.1 使用apt-get安裝相關服務
#sudo apt-get install libnss-ldapd libpam-ldapd
安裝過程中根據安裝嚮導輸入ldap服務器IP和相應base域名信息,最後,針對nss services勾選group和passwd兩項即可。
注:Ubuntu系統中LDAP客戶端的配置文件爲/etc/nslcd.conf和/etc/nsswitch.conf,以上配置信息都可以在該配置文件中隨時修改!修改後要重啓服務:service nslcd restart
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/
# The search base that will be used for all queries.
base dc=edu,dc=example,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/
# The search base that will be used for all queries.
base dc=edu,dc=example,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
2.2 安裝配置完成後,使用以下命令驗證訪問LDAP服務器是否成功
#getent passwd
#getent group
若不能正確顯示LDAP服務器上的相關用戶和組,則檢查以下原因:
①LDAP服務器是否開啓
②LDAP服務器防火牆是否關閉
③客戶端配置的LDAP服務器IP是否正確,可否ping通
④客戶端配置的base域名是否正確
⑤端口不對
⑥版本不對
-----------------------------------------------
【相關說明】
① libnss-ldap 被用於名字解析, libpam-ldap 用 pm 通過LDAP來認證用戶。
【參考】
①
http://labs.opinsys.com/blog/2010/01/27/setting-up-openldap-on-ubuntu-10-04-alpha2/ 服務器和客戶端都在Ubuntu上的參考文檔
②http://forum.ubuntu.org.cn/viewtopic.php?p=2225140
針對10.04及以後的詳細安裝過程(服務器和客戶端)
④
http://www.dasairen.com/Centos/18520711220.html 爲LDAP服務手動添加日誌功能