
LDAP Service Deployment

Published: 2023-12-14 19:00:41


1. Lab environment:

[root@ldapserver01 ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@ldapserver01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.191.131  netmask 255.255.255.0  broadcast 192.168.191.255
        inet6 fe80::6da6:bfa7:41da:455a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f7:1e:00  txqueuelen 1000  (Ethernet)
        RX packets 769  bytes 70419 (68.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 312  bytes 43742 (42.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 200  bytes 16248 (15.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 200  bytes 16248 (15.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2. Deployment

2.1 Install the server and the related packages

[root@ldapserver01 ~]# yum install openldap-servers openldap-clients
[root@ldapserver01 ~]# systemctl start slapd
[root@ldapserver01 ~]# systemctl enable slapd
[root@ldapserver01 ~]# systemctl status slapd
[root@ldapserver01 ~]# ps xua|grep slapd
ldap       1104  0.0  3.7 532752 37472 ?        Ssl  09:46   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root       1356  0.0  0.0 112728   968 pts/0    R+   10:06   0:00 grep --color=auto slapd

Check the listening ports:

[root@ldapserver01 ~]# netstat -lnptp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1155/master
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1104/slapd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      960/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1155/master
tcp6       0      0 :::389                  :::*                    LISTEN      1104/slapd
tcp6       0      0 :::22                   :::*                    LISTEN      960/sshd

The default LDAP port is 389; if encryption is enabled (CA + LDAP) port 636 is used instead. Here the default port 389 is already open.

A note on LDAP command names:
Commands of the form slapxxxx are server-side commands, while commands of the form ldapxxxx are client-side commands, for example these two:

slappasswd: server-side command

ldappasswd: client-side command

2.2 Once the LDAP service is installed, set a password for it. Run the following on the OpenLDAP server:

[root@ldapserver01 ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h

The global configuration of the LDAP service is stored under "/etc/openldap/slapd.d/", as shown below:

[root@ldapserver01 ~]# cd /etc/openldap/slapd.d/
[root@ldapserver01 slapd.d]# ls
cn=config  cn=config.ldif
[root@ldapserver01 slapd.d]# cd cn\=config
[root@ldapserver01 cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}hdb.ldif
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]#

Command and content for adding the password. Adding the password actually modifies the file olcDatabase={0}config.ldif, but this is done through ldapadd rather than by editing the file by hand.

Run the password-add operation:

[root@ldapserver01 cn=config]# cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[root@ldapserver01 cn=config]#

Check the file after the password has been added:

[root@ldapserver01 cn=config]# cat olcDatabase\=\{0\}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9563b946
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: ab83df26-ce3f-103a-9d56-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcRootPW:: e1NTSEF9MGdzMVNmbytQczRnc1Ixcmt0Z2IxbnpkL1FhcTVqM2g=
entryCSN: 20201209082252.279180Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209082252Z

3. Import the basic schema files

On CentOS 7 the schema files are stored by default in:

[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls /etc/openldap/schema/
collective.ldif    corba.schema  cosine.ldif    duaconf.schema   inetorgperson.ldif    java.schema  nis.ldif       openldap.schema  ppolicy.ldif
collective.schema  core.ldif     cosine.schema  dyngroup.ldif    inetorgperson.schema  misc.ldif    nis.schema     pmi.ldif         ppolicy.schema
corba.ldif         core.schema   duaconf.ldif   dyngroup.schema  java.ldif             misc.schema  openldap.ldif  pmi.schema
[root@ldapserver01 cn=config]#

Imported schema files are stored under: /etc/openldap/slapd.d/cn=config/cn=schema

[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls cn\=schema
cn={0}core.ldif
[root@ldapserver01 cn=config]#

3.1 Import the first schema file:

[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldapserver01 cn=config]#
[root@ldapserver01 cn=config]# cd cn\=schema
[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif
[root@ldapserver01 cn=schema]# pwd
/etc/openldap/slapd.d/cn=config/cn=schema
[root@ldapserver01 cn=schema]#

Import the other schema files the same way:

[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
[root@ldapserver01 cn=schema]#
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif  cn={2}ppolicy.ldif  cn={3}nis.ldif  cn={4}dyngroup.ldif  cn={5}inetorgperson.ldif
[root@ldapserver01 cn=schema]#

4. Set the domain: the files to modify are olcDatabase={2}hdb.ldif and olcDatabase={1}monitor.ldif

[root@ldapserver01 cn=schema]# cd ..
[root@ldapserver01 cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}hdb.ldif

4.1 Procedure:

[root@ldapserver01 cn=config]# cat /tmp/domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/domain.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

Note: leave a blank line before each new dn record here, otherwise the command is likely to fail.
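The note above matters because ldapadd splits an LDIF file into records at blank lines. The Python below, added here as an example and not code from the original post, renders the four changes of /tmp/domain.ldif, parses them back, and shows that dropping the blank lines collapses them into one record; it also applies the RFC 2849 rule for when a value must be written base64 with "::", which is how slapd stored olcRootPW in the file shown earlier. The only assumption is the Python standard library.

```python
import base64
from typing import Dict, List


def ldif_line(name: str, value: str) -> str:
    """Format one attribute line. RFC 2849 requires base64 ('::') when a plain value would
    be ambiguous: leading space, ':' or '<', trailing space, NUL/CR/LF or non-ASCII."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\r\n\x00" for c in value))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def build_modify_ldif(changes: List[dict]) -> str:
    """Render modify records as one LDIF file; the blank line between records is what
    ldapadd/ldapmodify use to tell where one dn ends and the next begins."""
    blocks = ["\n".join([ldif_line("dn", ch["dn"]), "changetype: modify",
                         f'{ch["op"]}: {ch["attr"]}', ldif_line(ch["attr"], ch["value"])])
              for ch in changes]
    return "\n\n".join(blocks) + "\n"


def parse_ldif_records(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into records at blank lines and decode '::' values, as the server does."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec: Dict[str, List[str]] = {}
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("#"):
                continue                      # comments and stray empty lines
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:                             # 'attr: <value>'
                value = rest[1:] if rest.startswith(" ") else rest
            rec.setdefault(name, []).append(value)
        records.append(rec)
    return records


# The four changes in the page's /tmp/domain.ldif (DNs and values copied from the page).
MANAGER = "cn=Manager,dc=ldap,dc=com"
DOMAIN_CHANGES = [
    {"dn": "olcDatabase={1}monitor,cn=config", "op": "replace", "attr": "olcAccess",
     "value": '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" '
              f'read by dn.base="{MANAGER}" read by * none'},
    {"dn": "olcDatabase={2}hdb,cn=config", "op": "replace", "attr": "olcSuffix", "value": "dc=ldap,dc=com"},
    {"dn": "olcDatabase={2}hdb,cn=config", "op": "replace", "attr": "olcRootDN", "value": MANAGER},
    {"dn": "olcDatabase={2}hdb,cn=config", "op": "add", "attr": "olcRootPW",
     "value": "{SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h"},
]
```

Running build_modify_ldif(DOMAIN_CHANGES) reproduces the file above; feeding the same text with the blank lines removed to parse_ldif_records yields one record with four dn values, which is exactly what makes ldapadd reject it.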

View the modified files:

[root@ldapserver01 cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 736c680e
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: ab83e462-ce3f-103a-9d58-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcSuffix: dc=ldap,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=com
olcRootPW:: e1NTSEF9MGdzMVNmbytQczRnc1Ixcmt0Z2IxbnpkL1FhcTVqM2g=
entryCSN: 20201209090327.194756Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209090327Z
[root@ldapserver01 cn=config]# cat olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d8fca28b
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: ab83e188-ce3f-103a-9d57-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
entryCSN: 20201209090327.192534Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209090327Z

5. Set up the organizational structure

An LDAP directory stores data in a tree-shaped hierarchy. If you are familiar with the top-down DNS tree or the UNIX file system directory tree, the LDAP directory tree is easy to grasp. Just like a DNS host name, an LDAP entry's Distinguished Name (DN) is used to retrieve a single entry and to trace the path back up to the top of the tree.

5.1 Add the entries:

[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: dc=ldap,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: ldap
> o: ldap.com
> 
> dn: ou=People,dc=ldap,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: People
> 
> dn: ou=Group,dc=ldap,dc=com
> objectClass: organizationalUnit
> ou: Group
> 
> dn: cn=Manager,dc=ldap,dc=com
> objectClass: organizationalRole
> cn: Manager
> 
> dn: cn=Host,ou=Group,dc=ldap,dc=com
> objectClass: posixGroup
> cn: Host
> gidNumber: 1010
> EOF
Enter LDAP Password: 
adding new entry "dc=ldap,dc=com"
adding new entry "ou=People,dc=ldap,dc=com"
adding new entry "ou=Group,dc=ldap,dc=com"
adding new entry "cn=Manager,dc=ldap,dc=com"
adding new entry "cn=Host,ou=Group,dc=ldap,dc=com"
[root@ldapserver01 cn=config]#

There are two ways to view the added entries.

① From the command line: add the BASE and URI fields to the client configuration

[root@ldapserver01 cn=config]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR   /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
BASE  dc=ldap,dc=com
URI   ldap://192.168.191.131
[root@ldapserver01 cn=config]# ldapsearch -x -LLL

6. Add users:

6.1 Run the user-add commands:

Add user01:

[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user01,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user01
> userPassword: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
> loginShell: /bin/bash
> cn: user01
> uidNumber: 1000
> gidNumber: 1010
> sn: System Administrator
> mail: user01@gmail.com
> mobile: 12888888888
> EOF
Enter LDAP Password: 
adding new entry "uid=user01,ou=People,dc=ldap,dc=com"

Add user02:

[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user02,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user02
> userPassword: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
> loginShell: /bin/bash
> cn: user02
> uidNumber: 1001
> gidNumber: 1010
> sn: System Administrator
> mail: user01@gmail.com
> mobile: 12888888888
> EOF
Enter LDAP Password:
adding new entry "uid=user02,ou=People,dc=ldap,dc=com"

Delete user02 (user02 is added and deleted here purely to practise the commands, nothing more):

[root@ldapserver01 cn=config]# ldapdelete -x -D "cn=Manager,dc=ldap,dc=com" -W "uid=user02,ou=People,dc=ldap,dc=com"
Enter LDAP Password:
[root@ldapserver01 cn=config]#

At this point a simple LDAP server configuration is complete; next, configure the LDAP client.

7. Client procedure:

Install the configuration files and the related tool packages:

[root@localhost ~]# yum install nss-pam-ldapd setuptool

Back up the configuration files:

[root@localhost ~]# authconfig --savebackup=openldap.bak
[root@localhost ~]# id user01
id: user01: no such user
[root@localhost ~]# getent passwd user01
[root@localhost ~]# getent shadow user01

Restore the current configuration files:

[root@localhost ~]# authconfig --restorebackup=openldap.bak

Note: the authconfig command restores the files to their initial state very quickly; compared with editing each configuration file by hand it is both faster and more accurate.

Run the command that adds the LDAP configuration (note that --disableldaptls with a plain ldap:// URI sends bind passwords over the network in cleartext, which is acceptable only in an isolated lab such as this one):

[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.191.131 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@localhost ~]# getent shadow user01
user01:*:::::::0
[root@localhost ~]# getent passwd user01
user01:x:1000:1010:user01:/home/user01:/bin/bash
[root@localhost ~]# id user01
uid=1000(user01) gid=1010(Host) 组=1010(Host)

Log-in test:

[root@localhost ~]# ssh user01@192.168.191.132
user01@192.168.191.132's password:
Last login: Tue Dec 15 11:10:23 2020 from 192.168.191.132
[user01@localhost ~]$ whoami
user01
[user01@localhost ~]$ id
uid=1000(user01) gid=1010(Host) 组=1010(Host) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@localhost ~]$ pwd
/home/user01
[user01@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

With that, a simple LDAP deployment for centralized user management is complete.