
LDAP

LDAP (Lightweight Directory Access Protocol) is a lightweight protocol derived from the X.500 standard, most often used as the back end for single sign-on (SSO) account authentication; see the LDAP page for a fuller introduction. Anyone who has used Microsoft Active Directory already knows the idea: an AD domain controller speaks LDAP and is the best-known product in this space. This page, however, is not about AD but about OpenLDAP, the server that Linux distributions ship.

Configuring OpenLDAP 2.4.x differs in a few places from earlier releases, most visibly in that slapd.conf is converted into the slapd.d configuration directory (step 4 below) rather than read directly.

Installing the LDAP packages

# yum install openldap-servers openldap-clients

For reference, the other LDAP-related packages installed on the test machine. The doubled lines are what rpm -qa prints for multilib packages installed in both 32-bit and 64-bit builds. Note that these are the EL5 2.3.43 packages, whereas the rest of this page targets the 2.4.x server (its documentation path appears in step 3 below):

#rpm -qa|grep -i ldap
openldap-clients-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
nss_ldap-253-42.el5
openldap-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
python-ldap-2.2.0-2.1
nss_ldap-253-42.el5
openldap-servers-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
php-ldap-5.1.6-27.el5_5.3

LDAP server configuration

The test machine's IP address is assumed to be 192.168.0.254

The DNS domain name is example.com

The LDAP server administrator account is Manager

The LDAP server administrator password is 123456 (a lab-only value)

LDAP server architecture diagram (image not reproduced on this page)

  1. Set the DNS suffix (example.com in this lab) and the rootdn, then start the server
    # vim /etc/openldap/slapd.conf
    ~snip~
    database        bdb
    suffix          "dc=example,dc=com"            #domain managed by this ldap server
    rootdn          "cn=Manager,dc=example,dc=com" #DN (Distinguished Name) of the administrator
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw                secret
    # rootpw                {crypt}ijFYNcSNctBYg  #administrator password hash (filled in at step 2)
     
    # The database directory MUST exist prior to running slapd AND 
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /var/lib/ldap               #directory database in which the server stores its data
    ~snip~
  2. Generate the Manager password hash. Passing the password with -s leaves it in the shell history and in the process list visible through ps; outside a lab run slappasswd without -s so that it prompts for the password instead.
    #slappasswd -s 123456 -h {SSHA}
    {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k

    Edit /etc/openldap/slapd.conf again and fill in the SSHA hash (the hash is salted, so every run of slappasswd produces a different string for the same password)

    #vim /etc/openldap/slapd.conf
    ~snip~
    rootpw                {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k  #administrator password hash
    ~snip~
  3. Copy the BDB database configuration template to /var/lib/ldap/, and make sure /var/lib/ldap is owned by ldap:ldap with mode 700 as the comment in slapd.conf asks
    #cp -a /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  4. Whenever slapd.conf changes, regenerate the slapd.d configuration directory and restart. Converting into an empty scratch directory first (slaptest -f /etc/openldap/slapd.conf -F /some/empty/dir) catches a syntax error before the live slapd.d is deleted; if slaptest fails after the rm -rf below, slapd has no configuration left and will not start.
    #rm -rf /etc/openldap/slapd.d/*
    #slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    #chown -R ldap:ldap /etc/openldap/slapd.d
    #/etc/init.d/slapd restart

Adding people to the LDAP server directory

  • First create the basic DN structure of the server
  1. Write the base DN structure. The cn=Manager entry gives the rootdn a real object in the tree; the rootpw in slapd.conf already lets Manager bind, and the userPassword below is another slappasswd hash (it differs from the one in step 2 because SSHA salts differ on every run)
    #cd /etc/openldap/schema/
    #vim base.ldif
     
    dn: dc=example,dc=com
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: example com
    dc: example
     
    dn: cn=Manager,dc=example,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: Manager
    userPassword: {SSHA}TiNxPD5gtJxB5nfZX1yZY/PeCD/Lkx89
     
    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people
     
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
  2. Import base.ldif, binding as the rootdn under the dc=example,dc=com suffix used in slapd.conf and in the LDIF
    #ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f base.ldif
    Enter LDAP Password:  #type the LDAP administrator password
  • Create test user accounts with passwords, convert them to LDIF, and import them into the server's directory database
  1. First create 10 local users (guest1..guest10), each with its own user name as password
    #for ((i=1 ; i<=10 ; i++));do useradd guest$i;echo "guest${i}"| passwd --stdin guest$i;done
  2. Run ldapuser.sh (a helper script linked from the original page and not reproduced here) to generate ldapuser.ldif, then import it into the server's directory database. The sample output below comes from a run in which the accounts were named utest1, utest2, ... rather than guest1..guest10
    #./ldapuser.sh
    #cat ldapuser.ldif
    dn: uid=utest1,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: utest1
    sn: utest1
    givenName: utest1
    cn: utest1
    displayName: utest1
    uidNumber: 501
    gidNumber: 501
    userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
    gecos: utest1
    loginShell: /bin/bash
    homeDirectory: /home/utest1
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 0
    shadowMax: 99999
    shadowLastChange: 15453
    
    dn: uid=utest2,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: utest2
    sn: utest2
    givenName: utest2
    cn: utest2
    displayName: utest2
    uidNumber: 502
    gidNumber: 502
    userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
    gecos: utest2
    loginShell: /bin/bash
    homeDirectory: /home/utest2
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 0
    shadowMax: 99999
    shadowLastChange: 15453
    #ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapuser.ldif
  3. As in the previous two steps, download ldapgroup.sh (linked from the original page), run it to generate ldapgroup.ldif, and import that into the LDAP server
    #./ldapgroup.sh
    #cat ldapgroup.ldif
    dn: cn=utest1,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: utest1
    gidNumber: 501
    
    dn: cn=utest2,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: utest2
    gidNumber: 502
    #ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapgroup.ldif
  • Use ldapsearch to verify that the entries just imported can be found. The search base must use the same ou values as the LDIF (people and groups). These are anonymous searches: if they return userPassword hashes, the server is still missing the userPassword ACL shown under Q2 in the FAQ below
    #ldapsearch -x -b "ou=people,dc=example,dc=com"
    #ldapsearch -x -b "ou=groups,dc=example,dc=com"
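The helper scripts ldapuser.sh and ldapgroup.sh are only linked from the original page. What follows is an added example, not the page's own scripts: two shell functions (names mine) that generate the same LDIF shown above from passwd, shadow and group files, one posixAccount/shadowAccount entry per local user at or above a minimum uid and one posixGroup per group. The base DN and uid cutoff are parameters; on a real host it has to run as root to read /etc/shadow, and locked accounts (a hash starting with ! or *) get no userPassword at all rather than an unusable one.

```shell
#!/bin/sh
# Added example (not the page's ldapuser.sh/ldapgroup.sh): build ldapuser.ldif
# and ldapgroup.ldif from passwd/shadow/group files.
# Typical use on the server, as root (file paths and base DN are assumptions):
#   gen_user_ldif  /etc/passwd /etc/shadow dc=example,dc=com 500 > ldapuser.ldif
#   gen_group_ldif /etc/group  dc=example,dc=com 500 > ldapgroup.ldif
#   ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapuser.ldif

# gen_user_ldif PASSWD SHADOW BASE_DN [MIN_UID]
# Emits one entry per user with MIN_UID <= uid < 65534 (skips nfsnobody).
# The shadow hash is copied verbatim as {crypt}, so a $6$ SHA-512 crypt
# string made by passwd on Linux keeps working for ldap binds on Linux.
gen_user_ldif() {
  gu_passwd=$1; gu_shadow=$2; gu_base=$3; gu_min=${4:-500}
  awk -F: -v base="$gu_base" -v min="$gu_min" '
    # first file (shadow): remember the hash and the ageing fields per user
    FNR == NR { hash[$1] = $2; last[$1] = $3; smin[$1] = $4; smax[$1] = $5
                warn[$1] = $6; exp_[$1] = $8; next }
    # second file (passwd): emit one LDIF entry per selected user
    $3 >= min && $3 < 65534 {
      u = $1
      gecos = ($5 == "") ? u : $5
      sub(/,.*/, "", gecos)                 # keep only the full-name part of GECOS
      printf "dn: uid=%s,ou=people,%s\n", u, base
      print  "objectClass: inetOrgPerson"
      print  "objectClass: posixAccount"
      print  "objectClass: shadowAccount"
      printf "uid: %s\nsn: %s\ngivenName: %s\ncn: %s\ndisplayName: %s\n", u, u, u, u, u
      printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
      # locked or empty hashes (!, *, !!) are left out instead of being imported
      if (u in hash && hash[u] != "" && hash[u] !~ /^[!*]/)
        printf "userPassword: {crypt}%s\n", hash[u]
      printf "gecos: %s\nloginShell: %s\nhomeDirectory: %s\n", gecos, $7, $6
      printf "shadowExpire: %s\n", (exp_[u] == "" ? -1 : exp_[u])
      print  "shadowFlag: 0"
      printf "shadowWarning: %s\nshadowMin: %s\nshadowMax: %s\nshadowLastChange: %s\n\n",
             (warn[u] == "" ? 7 : warn[u]), (smin[u] == "" ? 0 : smin[u]),
             (smax[u] == "" ? 99999 : smax[u]), (last[u] == "" ? 0 : last[u])
    }' "$gu_shadow" "$gu_passwd"
}

# gen_group_ldif GROUP BASE_DN [MIN_GID]
# Emits one posixGroup per group with MIN_GID <= gid < 65534, including the
# supplementary members listed in the group file as memberUid.
gen_group_ldif() {
  gg_group=$1; gg_base=$2; gg_min=${3:-500}
  awk -F: -v base="$gg_base" -v min="$gg_min" '
    $3 >= min && $3 < 65534 {
      printf "dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n", $1, base, $1, $3
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
      print ""
    }' "$gg_group"
}
```

The uid cutoff of 500 matches the pam_succeed_if lines in the client PAM stack further down, so the same boundary separates local system accounts from directory users on both sides.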

Building the LDAP client and joining it to the LDAP server domain

The client in this lab runs CentOS 6.0 x86 (32-bit). Install the packages the client needs, then configure them with setup, with system-config-authentication (GUI), or by hand; setup or system-config-authentication is the easier route. Everything below talks to the server over plain ldap://, so with simple binds every password the client checks through PAM crosses the network in cleartext. Outside a lab enable TLS: ssl start_tls and tls_cacertfile in nslcd.conf and pam_ldap.conf, with TLSCertificateFile and TLSCertificateKeyFile configured on the server.

  • Install the client packages
    #yum install openldap nss-pam-ldapd openldap-clients pam_ldap
  • For manual configuration, edit these files: /etc/nslcd.conf, /etc/pam_ldap.conf, /etc/pam.d/system-auth and /etc/nsswitch.conf
    1. /etc/nsswitch.conf
      #vim /etc/nsswitch.conf
      ~略~
      passwd:     files ldap
      shadow:     files ldap
      group:      files ldap
      ~略~
      netgroup:   files ldap
      ~略~
      automount:  files ldap
    2. /etc/pam_ldap.conf
      #vim /etc/pam_ldap.conf
      ~略~
      base dc=example,dc=com
      # Another way to specify your LDAP server is to provide an
      # uri with the server name. This allows to use
      # Unix Domain Sockets to connect to a local LDAP Server.
      uri ldap://192.168.0.254/
      ~略~
    3. /etc/pam.d/system-auth
      #vim /etc/pam.d/system-auth
      ~snip~
      auth        sufficient    pam_ldap.so use_first_pass #sufficient, not required: the auth stack ends in pam_deny.so, so with "required" a directory user would still fall through to the deny
      ~snip~
      account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
      ~snip~
      password    sufficient    pam_ldap.so use_authtok
      ~snip~
      session     optional      pam_ldap.so
      session     optional      pam_mkhomedir.so skel=/etc/skel umask=077 #creates the user's home directory automatically when it does not yet exist under /home
    4. /etc/nslcd.conf
      #vim /etc/nslcd.conf
      ~略~
      uri ldap://192.168.0.254/
      base dc=example,dc=com
    5. Start nslcd
      #/etc/init.d/nslcd start
    6. Check that the LDAP client can fetch the accounts from the LDAP server
      #getent passwd
      ~略~
      guest1:x:500:500:guest1:/home/guest1:/bin/bash
      guest2:x:501:501:guest2:/home/guest2:/bin/bash
      guest3:x:502:502:guest3:/home/guest3:/bin/bash
      guest4:x:503:503:guest4:/home/guest4:/bin/bash
      guest5:x:504:504:guest5:/home/guest5:/bin/bash
      guest6:x:505:505:guest6:/home/guest6:/bin/bash
      guest7:x:506:506:guest7:/home/guest7:/bin/bash
      guest8:x:507:507:guest8:/home/guest8:/bin/bash
      guest9:x:508:508:guest9:/home/guest9:/bin/bash
      guest10:x:509:509:guest10:/home/guest10:/bin/bash
      ~略~
    7. Log in on the LDAP client with the guest1..guest10 accounts
      rpm32.Qoop.com login:guest1
      Password:    type guest1's password
       
      No directory /home/guest1!
      Logging in with home = "/".
      -bash-4.1$    #this means the login succeeded. The "-bash-4.1" prompt appears because /home has no guest1 directory yet; to have it created automatically, use the session pam_mkhomedir.so line from item 3

FAQ

Q1: Even with the line "session optional pam_mkhomedir.so skel=/etc/skel umask=077" in /etc/pam.d/system-auth, logging in remotely over ssh still does not create the home directory?

[email protected]'s password: ******
Last login: Thu Feb  9 14:00:48 2012 from 192.168.0.11
Could not chdir to home directory /home/guest3: No such file or directory
-bash-4.1$

Answer1: On CentOS 6 the sshd PAM service (/etc/pam.d/sshd) includes password-auth rather than system-auth, so a line added only to system-auth never runs for ssh logins. Add the following two lines to /etc/pam.d/sshd; the session line is the one that creates the home directory (the auth line is only needed if the stack sshd includes does not already carry pam_ldap.so, and it is sufficient rather than required so that local users such as root, whom pam_ldap.so does not know, are not failed)

auth       sufficient   pam_ldap.so use_first_pass
~snip~
session    optional    pam_mkhomedir.so skel=/etc/skel umask=077

Q2: Users cannot change their own password. The error is "LDAP password information update failed: Insufficient access" followed by "passwd: Authentication token manipulation error":

Enter login(LDAP) password: 
New password: 
Retype new password: 
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
[utest2@server1 ~]$

Answer2: Usually the ACL in slapd.conf on the LDAP server (or a related setting) is wrong. The user's own bind must be granted write on userPassword, and the userPassword rule must come before any catch-all rule, because slapd applies the first "access to" clause that matches. Two caveats on the sample below: "by self write" on the whole subtree lets a user modify every attribute of its own entry, including the uidNumber and gidNumber that NSS clients trust, so restrict self-write to the attributes users legitimately change (userPassword, loginShell, gecos); and the sample still carries a cleartext rootpw, which step 2 above replaces with the {SSHA} hash.

Sample slapd.conf:

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database monitor
database config
database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
rootpw  secret
directory       /var/lib/ldap
loglevel        128
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by self write
        by * read
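As an added example of the checks behind this answer (mine, not code from the page), the shell function below lints a slapd.conf for the conditions that produce the Q2 error or expose password hashes: a cleartext rootpw, no userPassword ACL at all, a userPassword ACL that grants read, write or search to anonymous, users or *, a catch-all "access to" placed before the userPassword rule, and "by self write" on a catch-all rule. The function name and the wording of the findings are my own; the "first match wins" rule it encodes is how slapd evaluates access directives. Run against the sample above it reports the cleartext rootpw and the whole-entry self-write.

```shell
#!/bin/sh
# Added example, not from the page: lint a slapd.conf for the settings behind
# the Q2 failure and for password-hash exposure. Checks:
#   1. rootpw in cleartext (no {SSHA}/{CRYPT}/... prefix)
#   2. no "access to ... attrs=userPassword" directive; slapd's default
#      access is "by * read", which makes every hash readable
#   3. a userPassword directive granting read/write/search to anonymous,
#      users or *
#   4. a catch-all "access to" (no attrs=) placed before the userPassword
#      directive; slapd uses the first "access to" clause that matches, so
#      the later userPassword rule is never reached
#   5. "by self write" on a catch-all directive, which lets a posixAccount
#      user rewrite its own uidNumber/gidNumber and become uid 0 on NSS clients
# Prints one FINDING line per problem; the return code is the finding count.
# Usage: audit_slapd_conf /etc/openldap/slapd.conf
audit_slapd_conf() {
  awk '
    function flag(msg) { print "FINDING: " msg; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    $1 == "rootpw" && $2 !~ /^[{]/ {
      flag("rootpw is cleartext; use the {SSHA} hash from slappasswd")
    }
    $1 == "access" && $2 == "to" {
      # classify the directive: userPassword rule, other attrs= rule, or catch-all
      if ($0 ~ /attrs=[^ \t]*userPassword/) block = "pw"
      else if ($0 ~ /attrs=/)             block = "attr"
      else                                block = "all"
      if (block == "pw") {
        havepw = 1
        if (allseen) flag("catch-all \"access to\" precedes the userPassword rule; first match wins, so the userPassword rule is dead")
      }
      if (block == "all") allseen = 1
      next
    }
    $1 == "by" && block == "pw" && ($2 == "anonymous" || $2 == "users" || $2 == "*") &&
      ($3 == "read" || $3 == "write" || $3 == "search") {
      flag("userPassword grants " $3 " to " $2 "; use \"by anonymous auth\" and \"by * none\"")
    }
    $1 == "by" && block == "all" && $2 == "self" && $3 == "write" {
      flag("\"by self write\" on a catch-all rule lets users change their own uidNumber/gidNumber; limit self write to named attrs")
    }
    END {
      if (!havepw) flag("no userPassword ACL; the default \"by * read\" exposes every hash")
      exit n
    }
  ' "$1"
}
```

The check is deliberately line-oriented: it does not resolve the olcAccess form under slapd.d, so run it on the slapd.conf that step 4 converts, before the conversion.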

Q3: Another case where users cannot change their own password, with the error "information update failed: Insufficient access" and "passwd: Authentication token manipulation error"

Answer3: Usually the PAM configuration (/etc/pam.d/system-auth and /etc/pam.d/password-auth) is wrong; the password lines are the ones that matter for this error.

The following sample works for both system-auth and password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
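Why the pam_ldap.so line in the auth stack has to be sufficient rather than required (item 3 of the client setup, and the auth lines of the stack above) is easiest to see by walking the control flags. The shell function below is an added example, not code from the page: it evaluates an auth stack under the Linux-PAM control-flag rules described in pam.conf(5) (required, requisite, sufficient, optional, and the [value=action] form with the actions ok, done, bad, die and ignore) against simulated module results. The function name, the stack files and the simulated results are constructed; the numeric "skip N" action is not modelled.

```shell
#!/bin/sh
# Added example, not code from the page: simulate how Linux-PAM walks an
# "auth" stack so the effect of required vs sufficient on pam_ldap.so can be
# seen without a server. Keyword semantics as in pam.conf(5):
#   required   = [success=ok   default=bad]     failure noted, stack continues
#   requisite  = [success=ok   default=die]     failure ends the stack at once
#   sufficient = [success=done default=ignore]  success ends the stack, unless
#                                               a required module already failed
#   optional   = [success=ok   default=ignore]
#
# pam_auth_sim STACK_FILE "module=result module=result ..."
#   Only "auth" lines of STACK_FILE are evaluated. result is one of
#   success|auth_err|user_unknown; a module not listed is taken to return
#   success (pam_env.so always does). Prints the decisive module and returns
#   0 when the login would be allowed, 1 when it would be denied.
pam_auth_sim() {
  ps_stack=$1 ps_results=$2 ps_failed="" ps_status="" ps_decider=""
  while read -r ps_type ps_ctrl ps_mod ps_rest; do
    case $ps_type in auth) ;; *) continue ;; esac        # comments, blank, other types
    case $ps_ctrl in
      required)   ps_spec="success=ok default=bad" ;;
      requisite)  ps_spec="success=ok default=die" ;;
      sufficient) ps_spec="success=done default=ignore" ;;
      optional)   ps_spec="success=ok default=ignore" ;;
      \[*)        # "[default=bad success=ok ...] module": the spec spans several words
                  ps_line="$ps_ctrl $ps_mod $ps_rest"
                  ps_spec=${ps_line%%]*}; ps_spec=${ps_spec#\[}
                  set -- ${ps_line#*]}; ps_mod=$1 ;;
      *)          echo "unknown control flag: $ps_ctrl" >&2; return 2 ;;
    esac
    ps_res=success                                         # simulated return value
    for ps_kv in $ps_results; do
      case $ps_kv in "$ps_mod="*) ps_res=${ps_kv#*=} ;; esac
    done
    ps_act=""; ps_def=""                                   # action for that value
    for ps_kv in $ps_spec; do
      case $ps_kv in "$ps_res="*) ps_act=${ps_kv#*=} ;; default=*) ps_def=${ps_kv#*=} ;; esac
    done
    ps_act=${ps_act:-$ps_def}
    case $ps_act in
      ok)     [ -n "$ps_failed" ] || ps_status=$ps_res ;;
      done)   if [ -z "$ps_failed" ]; then ps_status=$ps_res; ps_decider=$ps_mod; break; fi ;;
      bad)    [ -n "$ps_failed" ] || ps_failed=$ps_mod ;;
      die)    [ -n "$ps_failed" ] || ps_failed=$ps_mod; break ;;
      ignore) ;;
    esac
  done < "$ps_stack"
  if [ -z "$ps_failed" ] && [ "$ps_status" = success ]; then
    echo "allowed (decided by ${ps_decider:-end of stack})"; return 0
  fi
  echo "denied (first failure: ${ps_failed:-no module granted access})"; return 1
}

# Example run with the auth lines of the stack above, in both variants of the
# pam_ldap line, for a directory user that pam_unix.so does not know:
#   printf '%s\n' 'auth required pam_env.so' \
#     'auth sufficient pam_unix.so nullok try_first_pass' \
#     'auth requisite pam_succeed_if.so uid >= 500 quiet' \
#     'auth required pam_ldap.so use_first_pass' \
#     'auth required pam_deny.so' > stack-required
#   sed 's/required pam_ldap/sufficient pam_ldap/' stack-required > stack-sufficient
#   pam_auth_sim stack-required   'pam_unix.so=user_unknown pam_deny.so=auth_err'
#   pam_auth_sim stack-sufficient 'pam_unix.so=user_unknown pam_deny.so=auth_err'
```

With the sufficient form the walk stops at pam_ldap.so with success; with required, pam_ldap.so succeeds but control continues to pam_deny.so, whose failure is recorded and the login is denied. The same walk shows why root still logs in: pam_unix.so is sufficient and ends the stack before pam_ldap.so is consulted.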


linux/ldap/ldap24.txt · Last modified: 2013/07/06 01:28 (external edit)