LDAP服务器用于统一认证账户信息,有点类似通讯录,实现集中管理用户账户的功能。系统为CentOS6.4。
安装openldap和Berkeley DB, openldap使用Berkeley DB存储数据。
1)服务端yum install openldap openldap-servers openldap-clients openldap-devel compat-openldapyum install db4 db4-utils
2)客户端yum install nss-pam-ldapd pam_ldap openldap-clients
服务端配置
1) 首先生成管理员密码:slappasswd输完两遍密码后会生成一个加密散列字符串,保存下来。如:
{SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738
2)编辑数据库配置文件,设置域名:vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif找到:olcSuffix: dc=my-domain,dc=com修改dc:olcSuffix: dc=ldap,dc=stone,dc=com设置目录树后缀(域名),作用是定义根的名字。
找到:olcRootDN: cn=Manager,dc=my-domain,dc=com修改dc:olcRootDN: cn= Manager,dc=ldap, dc=stone,dc=com设置管理员DN。PS:LDAP管理员cn默认为Manager,可以改成自己需要的名字。
在olcDatabase={2}bdb.ldif最后添加:olcRootPW: {SSHA}JiW3WU7jREOTOMZKT6CklgJZriLIj738设置管理员密码。
3)指定监控权限:vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif找到:dn.base=”cn=manager,dc=my-domain,dc=com”修改为:dn.base=”cn= Manager,dc=ldap,dc=stone,dc=com”修改默认域名。
4)/etc/openldap/slapd.conf
include/etc/openldap/schema/corba.schema
include/etc/openldap/schema/core.schema
include/etc/openldap/schema/cosine.schema
include/etc/openldap/schema/duaconf.schema
include/etc/openldap/schema/dyngroup.schema
include/etc/openldap/schema/inetorgperson.schema
include/etc/openldap/schema/java.schema
include/etc/openldap/schema/misc.schema
include/etc/openldap/schema/nis.schema
include/etc/openldap/schema/openldap.schema
include/etc/openldap/schema/ppolicy.schema
include/etc/openldap/schema/collective.schema
include/etc/openldap/schema/sudo.schema
allow bind_v2
pidfile/var/run/openldap/slapd.pid
argsfile/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile “\”OpenLDAP Server\”"
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” manage
by * none
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=stone,dc=com” read
by * none
databasebdb
suffix“dc=ldap,dc=stone,dc=com”
checkpoint1024 15
rootdn“cn=Manager,dc=ldap,dc=stone,dc=com”
rootpw{SSHA}hcZ+9TR6qnqjbzCK9KlJOdqkUBmi9irL
directory/var/lib/ldap
indexsudoUsereq
index objectClasseq,pres
index ou,cn,mail,surname,givennameeq,pres,sub
index uidNumber,gidNumber,loginShelleq,pres
index uid,memberUideq,pres,sub
index nisMapName,nisMapEntryeq,pres,sub
5)设置Database Cache:cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG设置权限:chown -R ldap:ldap /var/lib/ldap/
从.schema生成.ldif配置
slaptest -v -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
测试配置文件是否有错:slaptest -u提示:
config file testing succeeded
测试通过。
创建LDAP数据库
# ldap.stone.com
dn: dc=ldap,dc=stone,dc=com
dc: ldap
objectClass: top
objectClass: domain
# people.ldap. stone.com
dn: ou=people,dc=ldap,dc=stone,dc=com
objectClass: organizationalUnit
ou: people
# group.ldap.ciwong.com
dn: ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: organizationalUnit
ou: group
# sudoers.ldap. ciwong.com
dn: ou=sudoers,dc=ldap,dc=ciwong,dc=com
objectClass: top
objectClass: organizationalUnit
description: sudo configuration subtree
ou: sudoers
#用户组
dn: cn=a1,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a1
userPassword: {crypt}x
gidNumber: 501
dn: cn=a2,ou=group,dc=ldap,dc=ciwong,dc=com
objectClass: posixGroup
objectClass: top
cn: a2
userPassword: {crypt}x
gidNumber: 502
#用户:
# a1, people, stone.com
dn: uid=a1,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a1
cn: a1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNpTEw4cFpvJGdwN1RidlBOQjRkSU1ZL0d4eWZ2THNESGtBN2R
CWkcvbWZEelRYZzhQU2FlWWNucFV6S3hSR2VBcXZnL1VRTE1Qbkt6aTR3cExDa2NJMk54M3hOZkIu
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/a1
# a2, people, stone.com
dn: uid=a2,ou=people,dc=ldap,dc=ciwong,dc=com
uid: a2
cn: a2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFRYbXNvU3RiJE9BS1JpYTZVZ0NyMHFFS28wUHJ0NUVPMnpUVmV
lTGVKZ0lZN2I2a3BWUmNIUWVFa3pOajJoQUR2dmE1US54amkua0lSY3hIWUJLdjhDUTZtejdrMGMv
shadowLastChange: 15922
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/a2
#具有sudo权限的用户
# role.sudoers.ldap. stone.com
dn: cn=role,ou=sudoers,dc=ldap,dc=stone,dc=com
objectClass: sudoRole
objectClass: top
cn: role
sudoUser: %a1
sudoHost: ALL
sudoRunASUSEr: root
sudoCommand: !/bin/sh
sudoCommand: ALL
客户端
1)运行setup命令,设置LDAP验证
2)/etc/nslcd.conf配置如下:
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.131.141/
base dc=stone,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
Sudo 配置/etc/sudo-ldap.conf
uri ldap://192.168.1.167/
base dc=ldap,dc=ciwong,dc=com
sudoers_base ou=SUDOers,dc=ldap,dc=ciwong,dc=com
3)/etc/nsswitch.conf添加一行:
sudoers:ldap files
可以查看到ldap服务器的用户,但家目录还是有问题
设定用户家目录两种方法
方法一:
家目录一样可以使用autofs来解决:
–在ldap服务端使用nfs共享家目录
[root@ldap config]# vim /etc/exports
/home *(rw)
[root@ldap config]# /etc/init.d/nfs restart
–在ldap客户端配置autofs服务
vim /etc/auto.master
/home/etc/auto.home
vim /etc/auto.home
* -rw 192.168.131.141:/home/&
/etc/init.d/autofsrestart
然后在客户端上对先前的a1,a2,a3用户及其密码进行验证,都OK
方法二:
设置第一次登陆时建立家目录vim /etc/pam.d/system-auth在最后添加:session required pam_mkhomedir.so skel=/etc/skel umask=0022
Example of an LDAP entry formerly using the NOPASSWD tag:
sudoCommand: /sbin/whatever *sudoOption: !authenticatesudoHost: ALL or hostnamesudoRunAs: rootsudoUser: user with sudo privs
Translation of /etc/sudoers tags into sudoOption
NOPASSWD: !authenticate
PASSWD: authenticate
NOEXEC: noexec
EXEC: !noexec