1. A simple directory
1. The slapd.conf file
- This is a sample slapd.conf that gets us started with the Oracle Berkeley DB (BDB) backend (the backend OpenLDAP used to recommend; the current recommendation is mdb):
#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write
# NO REFERRALS
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1
# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la
# NO TLS-enabled connections
# backend definition not required
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database bdb
suffix "dc=example, dc=com"
# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
# tutorial value: in production store the hash printed by slappasswd here
# (rootpw {SSHA}...) and keep this file readable only by the user slapd runs as
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# an explicit type list overrides the default set above
index telephonenumber eq
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
- Check the configuration for errors with:
slaptest -f /etc/openldap/slapd.conf
- Possible problem 1
could not stat config file "/usr/local/etc/openldap/schema/core.schema"
Fix: either change the include lines to the distribution's schema directory (/etc/openldap/schema on RH, as the NB comment says) or copy the schemas to where the includes expect them:
mkdir -p /usr/local/etc/openldap && cp -r /etc/openldap/schema /usr/local/etc/openldap/schema
2. The LDIF file
- This file holds the basic directory content: the DIT root, the people branch and one person entry.
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is
## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line
# a continuation line starts with ONE space, which is removed when the
# lines are joined; the second space below keeps the words apart
dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place
  in this line up to 32K continuation data for the line above must
  have <CR> or <CR><LF> i.e. ENTER works
  on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.

## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line
dn: ou=people,dc=example,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name
# userpassword is cleartext here for the tutorial; "slappasswd -s rJsmitH"
# prints a {SSHA} hash that can be stored instead
# the mail values were obfuscated when this page was captured: give each
# a DIFFERENT address, a repeated value is rejected by slapd
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: swell guy
ou: Human Resources
3. Loading the LDIF file
- Start the service
systemctl start slapd
- Add the LDIF file (saved as /tmp/createdit.ldif) with ldapadd, binding as the rootdn:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/createdit.ldif -w dirtysecret
(-w puts the password on the command line, where it shows up in process listings and shell history; -W prompts for it instead. Simple bind (-x) also sends the password in the clear, and this tutorial runs without TLS, so do this on the server itself or over ldapi://.)
4. Adding new entries
- The LDIF below shows how to add further entries.
version: 1
## ADD a single entry to people level
# mail values obfuscated in this capture: use distinct addresses
dn: cn=John Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userpassword: jSmitH
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: Sales

## ADD another single entry to people level
dn: cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Sheri Smith
sn: smith
uid: ssmith
userpassword: sSmitH
carlicense: HERCAR 125
homephone: 555-111-2225
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: IT
- Save the LDIF above as addentry.ldif in /tmp and load it with ldapadd:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addentry.ldif -w dirtysecret
5. Modifying entries
- The LDIF below shows how to modify entries with LDIF. An LDAP browser is usually quicker for a one-off edit, but for bulk changes LDIF is faster.
version: 1
## MODIFY the Robert Smith entry
## each change (add/replace/delete block) ends with a line holding only "-"
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-555-1212
telephonenumber: 212
-
replace: uid
uid: rjosmith
-
replace: mail
mail: [email protected]
mail: [email protected]
-
# adds using URL format: "attr:< URL" with no space before "<"; the CLIENT
# reads the file and sends its contents, so only use this with LDIF you trust
add: jpegphoto
jpegphoto:< file:///path/to/jpeg/file.jpg
-
delete: description
- Save the LDIF above as modentry.ldif in /tmp and apply it with ldapmodify (the records carry changetype: modify):
ldapmodify -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modentry.ldif -w dirtysecret
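The LDIF files in steps 2 to 5 above depend on a few syntax rules that are easy to get wrong: records are separated by a blank line, a continuation line starts with one space that is removed when the lines are joined, "attr::" carries a base64 value, and "attr:<" makes the client (ldapadd/ldapmodify) read a URL and send its contents to the server. The reader below is an added example, not code from this page or from OpenLDAP: it parses that subset of RFC 2849, rejects a value repeated within one attribute (which slapd refuses), and refuses URL values unless their scheme is explicitly allowed, which is the check to run on an LDIF file you did not write yourself, since a hostile file could otherwise make the client read any local file it has access to and store it in the directory. The two sample records are constructed for the demo.

```python
"""Minimal LDIF reader (RFC 2849 subset) for vetting files before ldapadd/ldapmodify."""
import base64

class LdifError(ValueError):
    """Malformed LDIF, or a URL value whose scheme is not on the allow-list."""

def _records(text):
    """Split text into records (lists of logical lines): '#' lines are comments,
    a blank line ends a record, a leading space folds a line onto the previous one."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" "):
            if not current:
                raise LdifError("continuation line with nothing to continue")
            current[-1] += raw[1:]               # the fold space itself is removed
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records

def _attrval(line, allowed_url_schemes=()):
    """Split 'attr: value', 'attr:: base64' or 'attr:< url' into (attr, value)."""
    if ":" not in line:
        raise LdifError(f"missing ':' in {line!r}")
    attr, rest = line.split(":", 1)
    attr = attr.strip().lower()
    if rest.startswith(":"):                     # base64-encoded value
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):                     # URL value: the CLIENT would read it
        url = rest[1:].strip()
        if url.split(":", 1)[0].lower() not in allowed_url_schemes:
            raise LdifError(f"refusing URL value for {attr}: {url}")
        return attr, url
    return attr, rest.lstrip()

def parse_ldif(text, allowed_url_schemes=()):
    """One dict per record: add records carry 'attrs', modify records carry 'changes'."""
    out = []
    for rec in _records(text):
        if rec[0].lower().startswith("version:"):
            rec = rec[1:]
        if not rec:
            continue
        attr, dn = _attrval(rec[0])
        if attr != "dn":
            raise LdifError(f"record does not start with dn: {rec[0]!r}")
        changetype, body = "add", rec[1:]
        if body and body[0].lower().startswith("changetype:"):
            changetype, body = _attrval(body[0])[1].lower(), body[1:]
        if changetype == "modify":
            changes, current = [], None          # current = [op, attribute, values]
            for line in body:
                if line == "-":                  # end of one change block
                    current = None
                    continue
                a, v = _attrval(line, allowed_url_schemes)
                if current is None:
                    if a not in ("add", "replace", "delete"):
                        raise LdifError(f"expected add/replace/delete, got {a!r}")
                    current = [a, v.lower(), []]
                    changes.append(current)
                elif a != current[1]:
                    raise LdifError(f"value for {a} inside a {current[1]} change")
                else:
                    current[2].append(v)
            out.append({"dn": dn, "changetype": "modify", "changes": changes})
        else:
            attrs = {}
            for line in body:
                a, v = _attrval(line, allowed_url_schemes)
                if v in attrs.setdefault(a, []):   # slapd answers "type or value exists"
                    raise LdifError(f"duplicate value {v!r} for {a} in {dn}")
                attrs[a].append(v)
            out.append({"dn": dn, "changetype": changetype, "attrs": attrs})
    return out

# Constructed samples (not the page's data). The folded description starts its
# continuation with TWO spaces: one is the fold marker, the other separates the words.
SAMPLE_ADD = """\
version: 1
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
description: a long description that is folded
  onto a second line
userpassword:: ckpzbWl0SA==
"""
SAMPLE_MODIFY = """\
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-555-1212
-
add: jpegphoto
jpegphoto:< file:///tmp/photo.jpg
-
delete: description
-
"""

if __name__ == "__main__":
    print(parse_ldif(SAMPLE_ADD)[0]["attrs"])
    try:
        parse_ldif(SAMPLE_MODIFY)                # default: no URL scheme allowed
    except LdifError as err:
        print("rejected:", err)
    print(parse_ldif(SAMPLE_MODIFY, allowed_url_schemes=("file",))[0]["changes"])
```

Run it on a file with `parse_ldif(open(path).read())`; only pass `allowed_url_schemes=("file",)` for LDIF you wrote yourself.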
2. Directory permissions
1. Security policy
We now add some simple security to the directory with the access directive in slapd.conf.
We will build an access control policy (ACP, a.k.a. ACL) from company policy (wow), which states:
- The owner of a directory entry can view and update all of its attributes, including the password.
- Human Resources must be able to update any entry but must not be able to read or write user passwords.
- Nobody other than Human Resources and the entry's owner may read the attributes carlicense, homepostaladdress and homephone.
- All users must authenticate (no anonymous access).
- The IT department must be able to update or change the password of every entry.
2. Adding groups
- The LDIF below shows how we add the groups.
version: 1
# create FIRST Level groups branch
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups
dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=Sheri Smith,ou=people,dc=example,dc=com

# create the hrpeople entry under groups
dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com
- Load it with:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addgroups.ldif -w dirtysecret
3. ACL access definitions in slapd.conf
- The complete slapd.conf with the access directives is shown below. Order matters: slapd consults only the first access clause whose target matches, so the attribute-specific rules (ACL1, ACL2) must come before the catch-all access to * (ACL3).
###### SAMPLE 1 - SIMPLE DIRECTORY ############
##
## NOTES: inetorgperson picks up attributes and objectclasses
## from all three schemas
##
## NB: RH Linux schemas in /etc/openldap
##
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
#
#
## NO SECURITY - no access clause
## defaults to anonymous access for read
## only rootdn can write
#
## NO REFERRALS
#
## DON'T bother with ARGS file unless you feel strongly
## slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid
#
## enable a lot of logging - we might need it
## but generates huge logs
loglevel -1
#
## MODULELOAD definitions
## not required (comment out) before version 2.3
#moduleload back_bdb.la
#
## NO TLS-enabled connections
#
## backend definition not required
#
########################################################################
## bdb database definitions
##
## replace example and com below with a suitable domain
##
## If you don't have a domain you can leave it since example.com
## is reserved for experimentation or change them to my and inc
##
########################################################################
#
database bdb
suffix "dc=example, dc=com"
# ACLs are evaluated in order: the first "access to" whose target matches is
# the only one consulted, and inside it the first matching "by" decides.
# Continuation lines must start with whitespace.
#ACL1 - passwords: owner may change, anyone may bind, IT may reset, nobody else sees them
access to attrs=userpassword
 by self write
 by anonymous auth
 by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
 by * none
#ACL2 - private attributes: owner and HR only
access to attrs=carlicense,homepostaladdress,homephone
 by self write
 by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
 by * none
#ACL3 - everything else: owner and HR write, authenticated users read, anonymous nothing
access to *
 by self write
 by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
 by users read
 by * none
#
## root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
## The database directory MUST exist prior to running slapd AND
## change path as necessary
directory /var/lib/ldap
#
## Indices to maintain for this directory
## unique id so equality match only
index uid eq
## allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
## allows multiple variants on surname searching
index sn eq,sub
## sub above includes subinitial,subany,subfinal
## optimise department searches
index ou eq
## if searches will include objectClass uncomment following
## index objectClass eq
## shows use of default index parameter
## the default line is commented out here, so give every index an explicit type list
#index default eq,sub
index telephonenumber eq
#
## other database parameters
## read more in slapd.conf reference section
cachesize 10000
#checkpoint 128 15
- After changing the configuration, run slaptest again and restart slapd:
systemctl restart slapd
4. Testing the ACLs
- Configure your LDAP browser to bind (authenticate) as dn: cn=Robert Smith,ou=people,dc=example,dc=com with password rJsmitH (case sensitive). Because this entry has hrpeople rights it can modify every entry, including carlicense, homepostaladdress and homephone, but cannot read or modify userpassword (except its own).
- Configure your LDAP browser to bind as dn: cn=Sheri Smith,ou=people,dc=example,dc=com with password sSmitH (case sensitive). Because this entry has itpeople rights it can modify the userpassword attribute of every entry, but cannot see carlicense, homepostaladdress and homephone on any entry other than its own.
- Configure your LDAP browser to bind as dn: cn=John Smith,ou=people,dc=example,dc=com with password jSmitH. Because this entry has no privileges it can read other entries (ACL3 gives authenticated users read) but not their carlicense, homepostaladdress, homephone or userpassword attributes, and it can modify only its own entry.
- Configure your LDAP browser for anonymous access and confirm that access is refused.
- Finally, bind as the rootdn (superuser) defined in slapd.conf (cn=jimbob,dc=example,dc=com, password dirtysecret) and confirm that it bypasses all the ACLs and can see and modify everything.
3. An extended hierarchy
1. Extending the implementation
- Breaking the requirements down, we need to implement the following:
1. Add a new salespeople group to the existing groups branch.
2. Add a new equipment branch to the DIT, using the device objectclass.
3. Add a new customers branch to the DIT, using the standard inetOrgPerson objectclass.
4. Add a new addressbook branch under each person's entry.
2. The extension LDIF
# create FIRST level customers branch
dn: ou=customers,dc=example,dc=com
objectclass: organizationalunit
ou: customers
description: customer address book branch

# create FIRST level equipment branch
dn: ou=equipment,dc=example,dc=com
objectclass: organizationalunit
ou: equipment
description: IT assets branch

# create an entry under the equipment branch
dn: cn=LP1,ou=equipment,dc=example,dc=com
objectclass: device
cn: LP1
description: Some brand of printer
serialnumber: 1-77-23-15
l: Room 17
owner: cn=John Smith,ou=people,dc=example,dc=com
ou: printers

# create the salespeople entry under groups
dn: cn=salespeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: salespeople
description: Sales group
member: cn=John Smith,ou=people,dc=example,dc=com

# create the addressbook entry for each person
dn: ou=addressbook,cn=John Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book

dn: ou=addressbook,cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book

dn: ou=addressbook,cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book
- Load the LDIF file with:
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/enhance.ldif -w dirtysecret
3. ACL configuration in slapd.conf
- The rules below replace ACL2 and ACL3 of the previous section (renumbered ACL8 and ACL9). ACL1 (attrs=userpassword) is not repeated in this listing but stays in place ahead of these rules; the test steps in 4 assume it. Continuation lines of each access directive must start with whitespace.
# ACL4
# allows creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
# the regex has no leading ^, so it also matches every entry below ou=addressbook;
# $1 is the cn captured from the target DN and is substituted in the "by" clause
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
 attrs=children
 by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
 by users none
# ACL5 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
# attrs=entry
# by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
# by users none
# ACL6 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
# filter=(objectclass=inetorgperson)
# by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
# by users none
# ACL6A - 2.2+ replace both ACL5 and ACL6 with this ACL
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
attrs=entry,@inetorgperson
by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
by users none
# ACL7
# allows sales to create entries in customers
# authenticated user can only read
# NB: dn.one matches the entries ONE level below ou=customers, not ou=customers
# itself; an add needs write on the CHILDREN pseudo-attribute of the parent
# (ou=customers) and on the ENTRY pseudo-attribute of the new entry (slapd.access(5)).
# Test an add as John Smith; if it is refused, cover ou=customers itself
# (dn.base ... attrs=children) and the attributes of the new entry as well.
access to dn.one="ou=customers,dc=example,dc=com"
 attrs=children
 by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
 by users read
# ACL8
access to attrs=carlicense,homepostaladdress,homephone
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
by * none
# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
by users read
by * none
# ACL9
access to *
by self write
by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
by users read
by * none
- Restart the service
systemctl restart slapd.service
4. Testing the ACLs
- Configure your LDAP browser to bind as dn: cn=Robert Smith,ou=people,dc=example,dc=com with password rJsmitH. Because this entry has hrpeople rights it sees and can modify carlicense, homepostaladdress and homephone on every entry, can read equipment entries but not write them (ACL8A), and can see and add entries in his own addressbook. Note that ACL9 gives hrpeople write on anything the earlier rules do not cover, so it can also modify existing customer entries.
- Configure your LDAP browser to bind as dn: cn=Sheri Smith,ou=people,dc=example,dc=com with password sSmitH. Because this entry has itpeople rights it sees and can modify the userpassword attribute of every entry, but sees carlicense, homepostaladdress and homephone only on its own entry; it can read customer entries but not write them, and can read and write equipment entries. Sheri Smith can also see and add her own addressbook entries. The original tutorial further reports that she can see everyone else's addressbook (but not the entries in it) and delete it; with ACL6A in place the entry pseudo-attribute of those addressbooks is "none" for everyone but the owner, so check this on your version rather than relying on it.
- Configure your LDAP browser to bind as dn: cn=John Smith,ou=people,dc=example,dc=com with password jSmitH. Because this entry has no privileges it cannot see carlicense, homepostaladdress, homephone or userpassword on any entry but its own. As a member of salespeople it should be able to read and write customer entries and only read equipment entries; check the customer add with ldapadd, since ACL7 as written covers only the entries one level below ou=customers and not ou=customers itself.
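The browser-based checks in this section and in 2.4 above can be rehearsed without a running server. The script below is an added example, not part of the original tutorial or of OpenLDAP: it is a deliberately simplified model of how slapd evaluates access directives, following slapd.access(5): the first access clause whose target matches is the only one consulted, inside it the first matching by clause decides, privilege levels are ordered none < auth < compare < search < read < write, and an add needs write on the parent's children pseudo-attribute plus write on the new entry's entry pseudo-attribute. It encodes ACL1 from section 2 followed by ACL4, ACL6A, ACL7, ACL8, ACL8A and ACL9 from this section and evaluates the policy statements against them. Assumptions: group membership is a static table built from the member values in the LDIF above, DN comparison is a case-insensitive string compare, and @inetorgperson is approximated as any non-pseudo attribute. Two things the model makes visible: ACL9 gives hrpeople write on customer entries, and because dn.one never covers ou=customers itself, John's add under ou=customers is refused under these rules. The live equivalent of each check is an ldapsearch or ldapmodify with -x -D <dn> -W against the server.

```python
"""Dry-run model of slapd 'access to <what> by <who> <level>' evaluation (see the lead-in)."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
B = "dc=example,dc=com"
ROBERT, SHERI, JOHN = (f"cn={n},ou=people,{B}" for n in ("Robert Smith", "Sheri Smith", "John Smith"))
HR, IT, SALES = (f"cn={g},ou=groups,{B}" for g in ("hrpeople", "itpeople", "salespeople"))
GROUPS = {HR: {ROBERT}, IT: {SHERI}, SALES: {JOHN}}      # member: values from the LDIF above

def norm(dn):
    """Case-insensitive DN comparison form; spaces after commas are not significant."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parent(dn):
    return dn.split(",", 1)[1]

def target_matches(clause, dn):
    """None when the <what> part does not cover dn; otherwise True or the regex match."""
    scope, pattern = clause["dn"]
    if scope == "any":
        return True
    if scope == "base":                      # dn.base / dn.exact: this entry only
        return True if norm(dn) == norm(pattern) else None
    if scope == "one":                       # dn.one: entries directly below pattern
        return True if norm(parent(dn)) == norm(pattern) else None
    if scope == "regex":                     # dn.regex: $1 is reused by dn.exact,expand
        return re.search(pattern, dn, re.IGNORECASE)
    raise ValueError(scope)

def attr_matches(clause, attr):
    attrs = clause["attrs"]
    if attrs is None:                        # no attrs= : every attribute, entry and children included
        return True
    if "@inetorgperson" in attrs and attr not in ("entry", "children"):
        return True                          # simplification: all real attributes count as inetOrgPerson's
    return attr in attrs

def who_matches(who, bind_dn, target_dn, match):
    kind, arg = who if isinstance(who, tuple) else (who, None)
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:                      # everything below needs an authenticated bind
        return False
    if kind == "users":
        return True
    if kind == "self":
        return norm(bind_dn) == norm(target_dn)
    if kind == "group":                      # group.exact="<dn>"
        return norm(bind_dn) in {norm(m) for m in GROUPS.get(arg, ())}
    if kind == "expand":                     # dn.exact,expand="cn=$1,..." with $1 from dn.regex
        return norm(bind_dn) == norm(arg.replace("$1", match.group(1)))
    raise ValueError(kind)

def access(acls, bind_dn, target_dn, attr):
    """Privilege bind_dn gets on attr (or pseudo-attribute entry/children) of target_dn."""
    attr = attr.lower()
    for clause in acls:
        match = target_matches(clause, target_dn)
        if match is None or not attr_matches(clause, attr):
            continue
        for who, level in clause["by"]:      # first matching 'by' wins ...
            if who_matches(who, bind_dn, target_dn, match):
                return level
        return "none"                        # ... and no later 'access to' is consulted
    return "none"

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def can_add(acls, bind_dn, new_dn):
    """An add needs write on the parent's 'children' and on the new entry's 'entry'."""
    return (allows(acls, bind_dn, parent(new_dn), "children", "write")
            and allows(acls, bind_dn, new_dn, "entry", "write"))

def clause(dn, attrs, by):
    return {"dn": dn, "attrs": None if attrs is None else {a.lower() for a in attrs}, "by": by}

ADDRBOOK = rf"ou=addressbook,cn=([^,]+),ou=people,{B}$"   # no leading ^: covers the subtree too
OWNER = ("expand", f"cn=$1,ou=people,{B}")
ACLS = [  # ACL1 from section 2, then ACL4, ACL6A, ACL7, ACL8, ACL8A, ACL9 from this section
    clause(("any", None), ["userpassword"],
           [("self", "write"), ("anonymous", "auth"), (("group", IT), "write"), ("*", "none")]),
    clause(("regex", ADDRBOOK), ["children"], [(OWNER, "write"), ("users", "none")]),
    clause(("regex", ADDRBOOK), ["entry", "@inetorgperson"], [(OWNER, "write"), ("users", "none")]),
    clause(("one", f"ou=customers,{B}"), ["children"], [(("group", SALES), "write"), ("users", "read")]),
    clause(("any", None), ["carlicense", "homepostaladdress", "homephone"],
           [("self", "write"), (("group", HR), "write"), ("*", "none")]),
    clause(("one", f"ou=equipment,{B}"), None, [(("group", IT), "write"), ("users", "read"), ("*", "none")]),
    clause(("any", None), None,
           [("self", "write"), (("group", HR), "write"), ("users", "read"), ("*", "none")]),
]

if __name__ == "__main__":
    for who, dn, attr in [(ROBERT, JOHN, "homephone"), (SHERI, JOHN, "userpassword"),
                          (JOHN, ROBERT, "sn"), (None, ROBERT, "sn")]:
        print(f"{who or 'anonymous'} -> {attr} of {dn}: {access(ACLS, who, dn, attr)}")
    print("John can add under ou=customers:", can_add(ACLS, JOHN, f"cn=Acme,ou=customers,{B}"))
```

To try a different policy, reorder or edit the entries of ACLS and re-run the checks; moving the attrs=userpassword clause below the access to * clause, for example, immediately shows hrpeople gaining write on passwords, which is the mistake the ordering rule protects against.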
4. Creating new object classes and attributes
1. Requirements
- A dohicky attribute. It is a boolean and may be seen and updated only by the entry's owner and members of hrpeople.
- An ageAtBirth attribute. It may be seen and updated only by the entry's owner and members of hrpeople.
- gobbledegook. A string attribute visible to every authenticated user and updatable only by the owner and members of hrpeople. It must support <= and >= search filters (which is why the schema below gives it an ORDERING matching rule).
- As part of our move to single sign-on (SSO) every user gets the standard posixAccount objectclass. Those attributes are to be visible only to the itpeople group.
The access directives that enforce these visibility rules are not shown on this page; until they are added, the new attributes fall under the catch-all ACL9 and are readable by every authenticated user.
2. Implementation
cat > /usr/local/etc/openldap/schema/ourco.schema <<EOF
# EXAMPLE.COM SCHEMA FILE
# takes values:
# true = wears clean socks on monday
# false = does not wear clean socks on monday
attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME 'dohicky'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
# if present must take the value = 0
attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'ageAtBirth'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
# string used to describe the height of the person in either feet/inches or meters
# may be expressed as xfyi e.g. 5f7i (5 feet 7 inches) or x.ym e.g. 1.95m (1.95 meters)
# the values f, i, m above are case insensitive
attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'gobbledegook'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{200} )
# objectclass used with people address book to define required information
# for State Law 5.7.3 - data is defined by law to be private - limited access allowed
objectclass ( 1.3.6.1.4.1.6863.2.4.57 NAME 'ourObject'
DESC 'A very useful object'
SUP top AUXILIARY
MUST ( dohicky $ gobbledegook )
MAY ageAtBirth )
EOF
3. Modifying slapd.conf
- Add the following line to slapd.conf, after the existing include lines:
include /usr/local/etc/openldap/schema/ourco.schema
- Restart the service (running slaptest first reports any error in the new schema file)
systemctl restart slapd
4. Adding the LDIF
cat > /tmp/modify.ldif <<EOF
dn: cn=john smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 200
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/jsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: john
-
add: ageatbirth
ageatbirth: 0
-

dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 201
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/ssmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: TRUE
-
add: gobbledegook
gobbledegook: sheri
-

dn: cn=robert smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 202
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/rsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: robert
-
add: ageatbirth
ageatbirth: 17
EOF
- Apply the modifications:
ldapmodify -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modify.ldif -w dirtysecret
The modifications succeed and the new attributes are in place; an ldapsearch on one of the entries shows them.
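Before loading the LDIF above it is worth checking the values against the schema, because slapd rejects a modify whose value breaks the attribute's SYNTAX (a boolean must be exactly TRUE or FALSE) or that leaves a MUST attribute of a newly added objectClass absent. The checker below is an added example, not code from this page or from OpenLDAP: its tables transcribe ourco.schema from this page plus the MUST list of posixAccount (cn, uid, uidNumber, gidNumber, homeDirectory, from RFC 2307), it reports what the server would refuse, and it answers whether a search filter can be evaluated at all from the attribute's matching rules (the ORDERING rule is what makes >= and <= work on ageAtBirth and gobbledegook). Classes it does not know, such as inetOrgPerson, are skipped, and the entry it runs on is constructed for the demo.

```python
"""Schema pre-check for the ourco.schema attributes and posixAccount (see the lead-in)."""
import re

# Attribute types: name -> (syntax label, matching rules defined for the type)
ATTRIBUTES = {
    "dohicky":      ("boolean",   {"EQUALITY"}),
    "ageatbirth":   ("integer",   {"EQUALITY", "ORDERING"}),
    "gobbledegook": ("string200", {"EQUALITY", "SUBSTR", "ORDERING"}),
    "uidnumber":    ("integer",   {"EQUALITY", "ORDERING"}),   # posixAccount, RFC 2307
    "gidnumber":    ("integer",   {"EQUALITY", "ORDERING"}),
}
SYNTAX_OK = {
    "boolean":   lambda v: v in ("TRUE", "FALSE"),                   # exact upper case
    "integer":   lambda v: re.fullmatch(r"-?(0|[1-9][0-9]*)", v) is not None,
    "string200": lambda v: 0 < len(v) <= 200,                        # SYNTAX ...{200}
}
# Object classes: name -> MUST attributes (MAY lists are not needed for these checks)
OBJECTCLASSES = {
    "ourobject":    {"dohicky", "gobbledegook"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
}
FILTER_RULE = {"=": "EQUALITY", ">=": "ORDERING", "<=": "ORDERING", "=*": "SUBSTR"}

def check_entry(attrs):
    """Return the violations slapd would report for an entry given as {attr: [values]}.
    Object classes outside OBJECTCLASSES (inetOrgPerson, ...) are not modelled."""
    entry = {k.lower(): v for k, v in attrs.items()}
    problems = []
    for oc in entry.get("objectclass", []):
        for missing in sorted(OBJECTCLASSES.get(oc.lower(), set()) - set(entry)):
            problems.append(f"{oc}: MUST attribute {missing} is missing")
    for name, values in entry.items():
        if name in ATTRIBUTES:
            syntax = ATTRIBUTES[name][0]
            for v in values:
                if not SYNTAX_OK[syntax](v):
                    problems.append(f"{name}: {v!r} is not a valid {syntax} value")
    return problems

def filter_supported(attr, op):
    """True when the attribute type defines the matching rule the filter operator needs."""
    return FILTER_RULE[op] in ATTRIBUTES[attr.lower()][1]

# Constructed entry mirroring the Sheri Smith modification, with a mistyped boolean
SHERI = {
    "objectClass": ["inetOrgPerson", "posixAccount", "ourObject"],
    "cn": ["Sheri Smith"], "uid": ["ssmith"], "uidNumber": ["201"], "gidNumber": ["203"],
    "homeDirectory": ["/var/mail/example.com/ssmith"],
    "dohicky": ["TURE"], "gobbledegook": ["sheri"],
}

if __name__ == "__main__":
    for problem in check_entry(SHERI):
        print("reject:", problem)
    print("(ageAtBirth>=18) supported:", filter_supported("ageAtBirth", ">="))
    print("(dohicky>=TRUE) supported:", filter_supported("dohicky", ">="))
```

A filter that an attribute's matching rules cannot support does not fail loudly: the filter component is simply Undefined and matches nothing, which is why a >= search on dohicky silently returns no entries while the same search on ageAtBirth works.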
Most of this article is translated from:
http://www.zytrax.com/books/ldap/ch5/index.html#step1