LDAPKeyserver
http://wiki.gnupg.org/LDAPKeyserver (the middle part of this page is a translation of that wiki page)
1. Installation environment: Ubuntu 15.04
2. Preparation:
1) Change the Ubuntu package sources: open /etc/apt/sources.list in an editor and use one of the mirror lists below.
Sohu mirror:
deb http://mirrors.sohu.com/ubuntu/ vivid main restricted universe multiverse
deb http://mirrors.sohu.com/ubuntu/ vivid-security main restricted universe multiverse
deb http://mirrors.sohu.com/ubuntu/ vivid-updates main restricted universe multiverse
deb http://mirrors.sohu.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb http://mirrors.sohu.com/ubuntu/ vivid-backports main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ vivid main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ vivid-security main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ vivid-updates main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ vivid-backports main restricted universe multiverse
Aliyun mirror:
deb http://mirrors.aliyun.com/ubuntu/ vivid main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ vivid-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ vivid-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ vivid-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ vivid main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ vivid-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ vivid-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ vivid-backports main restricted universe multiverse
NetEase (163) mirror:
deb http://mirrors.163.com/ubuntu/ vivid main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ vivid-security main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ vivid-updates main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ vivid-backports main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ vivid main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ vivid-security main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ vivid-updates main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ vivid-proposed main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ vivid-backports main restricted universe multiverse
After switching mirrors, refresh the package index and bring the system up to the current Ubuntu 15.04 packages (the vivid-proposed pocket carries pre-release updates and can be left out if you do not want them):
sudo apt-get update
sudo apt-get dist-upgrade
3. Installation steps
1) Install OpenLDAP
$ sudo apt-get install slapd ldap-utils
Start the server (slapd):
$ sudo /etc/init.d/slapd start
2) Install the additional schema
(i) Create a temporary directory
$ mkdir -p /tmp/ldap-config
$ cd /tmp/ldap-config
(ii) Create an old-style (slapd.conf) configuration file:
$ echo 'include pgp-keyserver.schema' > slapd.conf
Copy the attached schema file (attachment:pgp-keyserver.schema on the wiki page) into /tmp/ldap-config, then run:
$ mkdir output
$ /usr/sbin/slaptest -f slapd.conf -F output
This creates the cn=config hierarchy under the output directory. Inspect it:
$ find output/
output/
output/cn=config
output/cn=config/cn=schema
output/cn=config/cn=schema/cn={0}pgp-keyserver.ldif
output/cn=config/olcDatabase={-1}frontend.ldif
output/cn=config/olcDatabase={0}config.ldif
output/cn=config/cn=schema.ldif
output/cn=config.ldif
Before loading cn={0}pgp-keyserver.ldif into the configuration tree, the file has to be edited.
Change the dn line to: dn: cn={###}pgp-keyserver,cn=schema,cn=config
### is the position at which the schema is loaded. For this installation we want the pgp-keyserver schema loaded last, so to avoid colliding with an existing position we pick a large number (100); on import OpenLDAP renumbers it to the current maximum + 1. Then delete the line
cn: {0}pgp-keyserver (OpenLDAP fills in the cn attribute itself)
and the trailing operational attributes, i.e. the lines beginning:
structuralObjectClass:
entryUUID:
creatorsName:
createTimestamp:
entryCSN:
modifiersName:
modifyTimestamp:
(iii) Add the schema file:
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldap-config/output/cn=config/cn=schema/cn={0}pgp-keyserver.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn={100}pgp-keyserver,cn=schema,cn=config"
(This uses the SASL EXTERNAL mechanism over the ldapi:/// Unix socket: slapd identifies the caller by its process credentials, and root is mapped to the cn=config administrator, so no slapd admin password is needed; being root on the machine is sufficient.)
If you get the following error:
ldap_add: Server is unwilling to perform (53)
additional info: operation requires sibling renumbering
the index chosen above collides with an existing schema entry.
To check that the schema was installed, list the installed schemas (the trailing cn restricts the output to that attribute):
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config cn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config
cn: schema
dn: cn={0}core,cn=schema,cn=config
cn: {0}core
dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine
dn: cn={2}nis,cn=schema,cn=config
cn: {2}nis
dn: cn={3}inetorgperson,cn=schema,cn=config
cn: {3}inetorgperson
dn: cn={4}pgp-keyserver,cn=schema,cn=config
cn: {4}pgp-keyserver
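The hand edits of step 2 (ii), as an added example that is not part of the wiki page or of the GnuPG project's code: a POSIX shell script that rewrites the LDIF slaptest generated so it is ready for the ldapadd in step 2 (iii). It assumes the input is the cn={0}pgp-keyserver.ldif that slaptest wrote and that 100 is the desired index; the sample input embedded below is constructed, with a placeholder attribute definition rather than the real pgp-keyserver schema.

```shell
#!/bin/sh
# Added example, not from the GnuPG wiki page: automate the hand edits of
# step 2 (ii) on the LDIF that slaptest generated, so that the file can be
# fed to "ldapadd -Y EXTERNAL -H ldapi:///" as in step 2 (iii).
# Assumptions: the input is output/cn=config/cn=schema/cn={0}pgp-keyserver.ldif
# as written by slaptest, and the desired load index is 100 (slapd renumbers
# it to max+1 on import, as the text explains).
set -eu

# prepare_schema_ldif IN OUT [INDEX]
#  - rewrites the relative dn slaptest wrote into the full cn=config DN
#    with the chosen {INDEX}
#  - drops the "cn: {0}pgp-keyserver" line (slapd fills cn in itself)
#  - drops the operational attributes slaptest appended; they are not
#    user-modifiable, so slapd rejects an add request that carries them
prepare_schema_ldif() {
    idx=${3:-100}
    sed -e "s/^dn: cn={[0-9]*}pgp-keyserver\$/dn: cn={$idx}pgp-keyserver,cn=schema,cn=config/" \
        -e '/^cn: {[0-9]*}pgp-keyserver$/d' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1" > "$2"
}

# schema_dn FILE -> the dn of the prepared file, for a quick check
schema_dn() { sed -n 's/^dn: //p' "$1" | head -n 1; }

# operational_attr_count FILE -> how many operational attributes remain
# (must be 0 before the file is passed to ldapadd)
operational_attr_count() {
    grep -c -E '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1" || true
}

# write_sample FILE: constructed stand-in for what slaptest emits. The
# attribute definition is a placeholder, not the real pgp-keyserver schema.
write_sample() {
    cat > "$1" <<'EOF'
dn: cn={0}pgp-keyserver
objectClass: olcSchemaConfig
cn: {0}pgp-keyserver
olcAttributeTypes: {0}( 1.1.1.1 NAME 'sampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20150101000000Z
entryCSN: 20150101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150101000000Z
EOF
}

# Demo: run on the constructed sample in a scratch directory.
work=$(mktemp -d)
write_sample "$work/in.ldif"
prepare_schema_ldif "$work/in.ldif" "$work/pgp-keyserver.ldif" 100
echo "dn now: $(schema_dn "$work/pgp-keyserver.ldif")"
echo "operational attributes left: $(operational_attr_count "$work/pgp-keyserver.ldif")"
```

On a real system run prepare_schema_ldif on output/cn=config/cn=schema/cn={0}pgp-keyserver.ldif and check that operational_attr_count reports 0 before passing the result to ldapadd; a leftover entryUUID or entryCSN line is enough to make slapd refuse the add.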
(iv) Set up the data structure
An LDAP server stores its data as a hierarchy, so we create containers for the users and for the keys.
Create /tmp/keyserver.ldif with the following contents, substituting your own base DN for dc=EXAMPLE,dc=ORG:
dn: cn=PGPServerInfo,dc=EXAMPLE,dc=ORG
cn: PGPServerInfo
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP
pgpVersion: 2.2.27
pgpBaseKeyspaceDN: ou=PGP Keys,dc=EXAMPLE,dc=ORG

dn: ou=PGP Keys,dc=EXAMPLE,dc=ORG
objectclass: organizationalUnit
ou: PGP Keys

dn: ou=PGP Users,dc=EXAMPLE,dc=ORG
objectclass: organizationalUnit
ou: PGP Users
This file is in LDIF (LDAP Data Interchange Format); entries are separated by blank lines.
The first stanza creates an entry that GPG uses to detect that this is really an OpenPGP key server. The next stanza creates an organizational unit (ou) that all keys are added to. And the last stanza creates an organizational unit that all key server users are added to.
Apply the changes with the following command (again with dc=EXAMPLE,dc=ORG as the base DN; cn=admin,... is the administrator DN that the Debian slapd package created when it was configured):
$ ldapadd -x -D "cn=admin,dc=EXAMPLE,dc=ORG" -W -f /tmp/keyserver.ldif
Enter LDAP Password:
adding new entry "cn=PGPServerInfo,dc=EXAMPLE,dc=ORG"
adding new entry "ou=PGP Keys,dc=EXAMPLE,dc=ORG"
adding new entry "ou=PGP Users,dc=EXAMPLE,dc=ORG"
(v) Add users
Add the users who will manage keys in the directory.
Create /tmp/keyserver-user.ldif:
dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG
objectClass: inetOrgPerson
objectClass: uidObject
uid: user1
sn: lastname
cn: firstname lastname
userPassword: {SSHA}...
Change uid, sn and cn as appropriate (the uid attribute must match the RDN in the dn line, or slapd rejects the entry as a naming violation); other attributes such as givenName (gn) are optional and can be omitted. The {SSHA} value is a salted SHA-1 hash, which slappasswd generates; do not store the password in clear text.
Several users can be added from one file in this format, with a blank line between entries.
Add the user:
$ ldapadd -x -D "cn=admin,dc=EXAMPLE,dc=ORG" -W -f /tmp/keyserver-user.ldif
Enter LDAP Password:
adding new entry "uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG"
List all PGP users:
$ ldapsearch -LLL -x -D "cn=admin,dc=EXAMPLE,dc=ORG" -W -b 'ou=PGP Users,dc=EXAMPLE,dc=ORG'
Enter LDAP Password:
dn: ou=PGP Users,dc=EXAMPLE,dc=ORG
objectClass: organizationalUnit
ou: PGP Users
dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG
objectClass: inetOrgPerson
objectClass: uidObject
uid: user1
sn: lastname
cn: firstname lastname
...
Note: -b selects the base DN; since no filter was given, ldapsearch lists every entry below it.
(vi) Access control
The users now exist, but the default ACLs only let them read, so the ACLs (access control lists) must be changed. In slapd, ACLs are applied on a per-database basis. List the configured databases:
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep olcDatabase:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcDatabase: {-1}frontend
olcDatabase: {0}config
olcDatabase: {1}mdb
So there are three databases.
The frontend database is a special database that provides fallback access control: slapd uses a "first match wins" model for access control. The config database is used for slapd's own configuration and we don't want to mess with it. The last database is where our DIT lies. It is possible to have multiple databases and different formats are common. Currently, mdb is the recommended format.
A database's DN is its olcDatabase value combined with cn=config; in this example it is:
olcDatabase={1}mdb,cn=config
Fetch the current ACLs; on Debian the default is:
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
The first rule allows an authenticated user to change his or her own password, an anonymous user to authenticate against (bind to) the entry, and rejects any other type of access.
The second rule allows anyone to read the base dn.
The third is a catch-all and allows anyone to read any node. [Note_1]
We now want to insert a rule allowing anyone connected from localhost to add or modify keys, as well as authenticated PGP users connecting from anywhere. Further, anyone should be able to read the keys. Because OpenLDAP uses first match wins when resolving ACLs, we need to add the rule before the last entry: the last entry catches everything. Here, we add it immediately prior to the last entry. For the first part of this rule to work (anonymous updates from localhost) we also need to enable anonymous updates. We can do both of these at once. (Note: you can easily disable either of these, if you prefer.)
Create /tmp/keyserver-acls.ldif (continuation lines of a folded LDIF value start with a single space, and the two records are separated by a blank line):
# userPassword may be written only by users themselves
dn: olcDatabase={DDD}mdb,cn=config
changetype: modify
add: olcAccess
# Allow access via localhost to add or modify keys.
# Allow authenticated PGP Users to update keys.
# Allow anyone else to read the keys.
olcAccess: {XXX} to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=ORG"
 by peername.ip=127.0.0.1 write
 by peername.ip=:: write
 by dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=ORG" write
 by * read

# Allow any connection to localhost to update the PGP keys
# (including removing them!) This is only needed if the anonymous
# updates from localhost are desired.
dn: cn=config
changetype: modify
add: olcAllows
olcAllows: update_anon
Be sure to replace DDD with your database index (and change mdb, if necessary). Also, replace XXX with the index of the last entry in the ACL. In our example, this was 2. OpenLDAP will insert the entry at that position and push any entry that was at that position one forward. Two caveats: peername.ip= matches IPv4 peers, and slapd.access(5) documents a separate peername.ipv6= form for IPv6 addresses, so check the "::" line against your slapd version; and "write" on the subtree includes delete, so once this is applied every local process and every PGP user can remove any key, not only their own.
To add the changes, run:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/keyserver-acls.ldif
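The DDD/XXX substitution and the LDIF layout of step (vi), as an added example that is not part of the wiki page or of the GnuPG project's code: a POSIX shell script that reads a saved copy of the olcAccess listing, derives the database DN and the index of the catch-all rule, and writes keyserver-acls.ldif with proper continuation lines. It assumes the listing was saved as the page shows it, takes the base DN as a parameter, and uses the peername.ipv6= form from slapd.access(5) for the IPv6 loopback in place of the page's "::" line; the listing embedded below is a constructed copy of the Debian default.

```shell
#!/bin/sh
# Added example, not from the GnuPG wiki page: derive DDD and XXX from a
# saved "ldapsearch ... olcAccess" listing and write keyserver-acls.ldif with
# correct LDIF folding (continuation lines start with one space; a blank line
# separates the two records). Assumptions: the listing is the unfolded form
# shown on the page (folding would not change the "olcAccess: {N}" prefix
# anyway), and the base DN is passed in (dc=EXAMPLE,dc=ORG in the demo).
# The IPv6 loopback clause uses the peername.ipv6= form from slapd.access(5).
set -eu

# db_dn LISTING -> the database DN, e.g. olcDatabase={1}mdb,cn=config (DDD=1)
db_dn() { sed -n 's/^dn: //p' "$1" | head -n 1; }

# last_acl_index LISTING -> index of the catch-all rule, i.e. XXX.
# The new rule must land before it because slapd stops at the first match.
last_acl_index() {
    sed -n 's/^olcAccess: {\([0-9]*\)}.*/\1/p' "$1" | sort -n | tail -n 1
}

# gen_acl_ldif LISTING BASE_DN OUT: write the two modify records.
# Note: "write" on the subtree includes delete, so any local process and any
# PGP user can remove anyone's key; drop the two peername clauses and the
# update_anon record if anonymous local updates are not wanted.
gen_acl_ldif() {
    dn=$(db_dn "$1"); idx=$(last_acl_index "$1"); base=$2
    if [ -z "$dn" ] || [ -z "$idx" ]; then
        echo "gen_acl_ldif: could not parse $1" >&2
        return 1
    fi
    {
        printf 'dn: %s\n' "$dn"
        printf 'changetype: modify\n'
        printf 'add: olcAccess\n'
        # inserted at the catch-all's index; slapd pushes the old rule to idx+1
        printf 'olcAccess: {%s}to dn.subtree="ou=PGP Keys,%s"\n' "$idx" "$base"
        printf ' by peername.ip=127.0.0.1 write\n'
        printf ' by peername.ipv6=::1 write\n'
        printf ' by dn.regex="^uid=([^,]+),ou=PGP Users,%s$" write\n' "$base"
        printf ' by * read\n'
        printf '\n'
        printf 'dn: cn=config\n'
        printf 'changetype: modify\n'
        printf 'add: olcAllows\n'
        printf 'olcAllows: update_anon\n'
    } > "$3"
}

# write_sample_listing FILE: constructed copy of the Debian default ACLs as
# printed by ldapsearch -LLL in step (vi).
write_sample_listing() {
    cat > "$1" <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read

EOF
}

# Demo: generate the file from the constructed listing and show it.
work=$(mktemp -d)
write_sample_listing "$work/acl.txt"
gen_acl_ldif "$work/acl.txt" "dc=EXAMPLE,dc=ORG" "$work/keyserver-acls.ldif"
cat "$work/keyserver-acls.ldif"
# On the server, apply the generated file with:
#   sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f keyserver-acls.ldif
```

Save the real listing with sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess > acl.txt, generate the file, and apply it with ldapmodify as the page shows. Before relying on the dn.regex clause, confirm that the user's bind itself works with ldapwhoami -x -H ldapi:/// -D "uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG" -W; an "Invalid credentials (49)" at that point is a DN or password problem, not an ACL problem.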
Now, enough machinery is in place to actually push some keys! Let's give it a try using an anonymous write:
$ gpg --keyserver ldap://localhost --send-keys 8bafcdbd
gpg: sending key 8BAFCDBD to ldap server localhost
And as an authenticated user:
$ gpg --keyserver ldap://localhost --keyserver-options "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG\"" --keyserver-options bindpw=PASSWORD --send-keys 8BAFCDBD
gpg: sending key 8BAFCDBD to ldap server localhost
Where PASSWORD is the user's password.
These options can be placed into ~/.gnupg/gpg.conf:
keyserver ldap://my.ldap.host
keyserver-options binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=ORG"
keyserver-options bindpw=PASSWORD
keyserver-options tls=try
keyserver-options verbose
Note: We set tls to try. In this howto, we didn't actually configure TLS. If you are going to access the host via an insecure network connection, it makes sense to enable this. Bear in mind that "try" falls back to a plain connection when STARTTLS is not available, and the bindpw then crosses the network in clear text; once the server has TLS, verify it with ldapsearch -ZZ (which fails instead of falling back) before trusting the setting.
Note: Since your password is in this file, be sure it is not world readable (for example chmod 600 ~/.gnupg/gpg.conf).
Debugging
If something goes wrong, it helps to enable logging in slapd. You can do this with the following LDIF file:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
Then, watch syslog for messages. Be sure to disable this once you are done.
If you accidentally insert a bad ACL, you can remove it using the following LDIF file:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {XXX}
Where XXX is the number of the rule.
Apply it as follows:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/revert.ldif
If you need additional help, please ask on the gnupg-users mailing list.
[Note_1]: In Debian stable (actually, Knoppix), which uses the hdb database format, the output is as follows:
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org"

4. Problems encountered (unresolved):
Running ldapadd fails with: ldap_bind: Invalid credentials (49)
Solutions tried:
(i) Whitespace around the password in the configuration
Edit /etc/openldap/slapd.conf
rootpw 123456   (Note: no whitespace at the start of the line; separate the attribute from the value with a tab)
In my own setup the slapd.conf file is under /etc/share and it has no rootpw field
(ii) Settings in ldap.conf
http://www.linuxfly.org/post/671/
# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=example,dc=com