======LDAP======
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol derived from the X.500 standard and is commonly used for single sign-on (SSO) account authentication; see [[wp>ldap|LDAP]] for a detailed introduction. Anyone who has used Microsoft AD knows what I mean: Microsoft's AD Server is built on the LDAP protocol and is the leading product in this field. This article, however, is not about AD but about **[[http://www.openldap.org/|OpenLDAP]]**, the implementation commonly used on the various Linux distributions.
**Note that the configuration files of LDAP 2.4.x differ somewhat from earlier versions.**
=====Installing the LDAP packages=====
<code bash>
# yum install openldap-servers openldap-clients
</code>
In addition, the other LDAP-related packages installed on this lab machine are listed below:
<code bash>
# rpm -qa | grep -i ldap
openldap-clients-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
nss_ldap-253-42.el5
openldap-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
python-ldap-2.2.0-2.1
nss_ldap-253-42.el5
openldap-servers-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
php-ldap-5.1.6-27.el5_5.3
</code>
=====LDAP server configuration=====
Assumptions for this lab:
* The lab machine's IP address is **192.168.0.254**
* The DNS domain name is **example.com**
* The LDAP server administrator account is **Manager**
* The LDAP server administrator password is **123456**
LDAP server architecture diagram:
{{:linux:ldap:myldap_lab.gif?200|}}
- Edit the DNS suffix (example.com in this lab) and the rootdn, then start the service:
<code bash>
# vim /etc/openldap/slapd.conf
</code>
<code>
...(omitted)...
database bdb
# the domain this LDAP server manages
suffix "dc=example,dc=com"
# the administrator's DN (Distinguished Name)
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# LDAP administrator password (hashed form)
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# directory database in which the LDAP server stores its data
directory /var/lib/ldap
...(omitted)...
</code>
- Generate the Manager password hash:
<code bash>
# slappasswd -s 123456 -h {SSHA}
{SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k
</code>
Edit /etc/openldap/slapd.conf again and fill in the SSHA hash:
<code bash>
# vim /etc/openldap/slapd.conf
</code>
<code>
...(omitted)...
# LDAP administrator password
rootpw {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k
...(omitted)...
</code>
- Copy the LDAP database configuration template to **/var/lib/ldap/**:
<code bash>
# cp -a /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
</code>
- Whenever slapd.conf is changed, regenerate the slapd.d configuration directory and restart slapd:
<code bash>
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# chown -R ldap:ldap /etc/openldap/slapd.d
# /etc/init.d/slapd restart
</code>
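The {SSHA} value produced by slappasswd above is base64(SHA1(password + salt) + salt) with a random 4-byte salt, which is why two hashes of the same password never look alike. The following is an added example (not part of the original page or of OpenLDAP) that builds and verifies such values and checks a slapd.conf fragment for an unhashed rootpw; the sample config text is constructed.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Produce a {SSHA} value the way `slappasswd -h {SSHA}` does:
    base64( SHA1(password || salt) || salt ). A 4-byte random salt is
    drawn when none is supplied, so the same password hashes differently
    each time (which is why the rootpw and base.ldif hashes can differ)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value
    (a rootpw in slapd.conf or a userPassword in an LDIF entry)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digests are 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def cleartext_rootpw(slapd_conf: str) -> bool:
    """True if an active (uncommented) rootpw directive stores the password
    without a {SCHEME} prefix, i.e. in cleartext, which slapd.conf(5) warns against."""
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "rootpw":
            return not parts[1].startswith("{")
    return False


# Constructed sample: the rootpw line before and after the slappasswd step above.
BEFORE = 'suffix "dc=example,dc=com"\nrootpw secret\n'
AFTER = 'suffix "dc=example,dc=com"\nrootpw ' + make_ssha("123456") + "\n"
```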
=====Adding user entries to the LDAP server=====
* **First build the base DN structure of the LDAP server**
- Write the base DN structure:
<code bash>
# cd /etc/openldap/schema/
# vim base.ldif
</code>
<code>
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
userPassword: {SSHA}TiNxPD5gtJxB5nfZX1yZY/PeCD/Lkx89

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
</code>
- Import base.ldif:
<code bash>
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f base.ldif
Enter LDAP Password:      (type the LDAP administrator password)
</code>
* **Create test user accounts and passwords, convert them to LDIF format, and import them into the LDAP server's directory database**
- First create 10 users and give them passwords (guest1..guest10):
<code bash>
# for ((i=1 ; i<=10 ; i++)); do useradd guest$i; echo "guest${i}" | passwd --stdin guest$i; done
</code>
- Use [[http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=1|the ldapuser.sh script from this page]] or [[http://dl.dropbox.com/u/26197124/ldapuser.sh|download ldapuser.sh here]].
- Running ldapuser.sh generates ldapuser.ldif; then import it into the LDAP server's directory database:
<code bash>
# ./ldapuser.sh
# cat ldapuser.ldif
</code>
<code>
dn: uid=utest1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: utest1
sn: utest1
givenName: utest1
cn: utest1
displayName: utest1
uidNumber: 501
gidNumber: 501
userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
gecos: utest1
loginShell: /bin/bash
homeDirectory: /home/utest1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15453

dn: uid=utest2,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: utest2
sn: utest2
givenName: utest2
cn: utest2
displayName: utest2
uidNumber: 502
gidNumber: 502
userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
gecos: utest2
loginShell: /bin/bash
homeDirectory: /home/utest2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15453
</code>
<code bash>
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapuser.ldif
</code>
- As in the previous two steps, download [[http://dl.dropbox.com/u/26197124/ldapgroup.sh|ldapgroup.sh]]; running it generates ldapgroup.ldif, which is then imported into the LDAP server:
<code bash>
# ./ldapgroup.sh
# cat ldapgroup.ldif
</code>
<code>
dn: cn=utest1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: utest1
gidNumber: 501

dn: cn=utest2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: utest2
gidNumber: 502
</code>
<code bash>
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapgroup.ldif
</code>
* Use the **ldapsearch** command to check that the data just imported can be found:
<code bash>
# ldapsearch -x -b "ou=people,dc=example,dc=com"
# ldapsearch -x -b "ou=groups,dc=example,dc=com"
</code>
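The ldapuser.sh and ldapgroup.sh scripts above turn local /etc/passwd, /etc/shadow and /etc/group lines into the posixAccount and posixGroup entries shown. The following is an added example, not the scripts' own code, that does the same conversion in Python: it applies a uid/gid cut-off so system accounts are not exported, leaves userPassword out of locked accounts, and separates entries with the blank line LDIF requires. The passwd/shadow/group text and the crypt hashes in it are constructed samples.

```python
# Constructed stand-ins for /etc/passwd, /etc/shadow and /etc/group: root sits below the
# uid cut-off, "locked" has a disabled ("!!") password, guest1 has guest2 as a member.
PASSWD = """root:x:0:0:root:/root:/bin/bash
guest1:x:500:500:guest1:/home/guest1:/bin/bash
guest2:x:501:501:guest2:/home/guest2:/bin/bash
locked:x:502:502:locked:/home/locked:/bin/bash"""
SHADOW = """guest1:$6$constructed$guest1HASH:15453:0:99999:7:::
guest2:$6$constructed$guest2HASH:15453:0:99999:7:::
locked:!!:15453:0:99999:7:::"""
GROUP = """guest1:x:500:guest2
guest2:x:501:"""


def users_to_ldif(passwd: str, shadow: str, base_dn: str, min_uid: int = 500) -> str:
    """One inetOrgPerson/posixAccount/shadowAccount entry per local user with
    uid >= min_uid; entries separated by the blank line LDIF requires."""
    sh = {l.split(":")[0]: l.split(":") for l in shadow.splitlines()}
    entries = []
    for line in passwd.splitlines():
        name, _, uid, gid, gecos, home, shell = line.split(":")[:7]
        if int(uid) < min_uid:
            continue  # skip system accounts, like ldapuser.sh's uid cut-off
        s = sh.get(name, [name, "!!", "0", "0", "99999", "7"])
        attrs = [f"dn: uid={name},ou=people,{base_dn}", "objectClass: inetOrgPerson",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 f"uid: {name}", f"sn: {name}", f"givenName: {name}", f"cn: {name}",
                 f"displayName: {name}", f"uidNumber: {uid}", f"gidNumber: {gid}",
                 f"gecos: {gecos}", f"loginShell: {shell}", f"homeDirectory: {home}",
                 "shadowExpire: -1", "shadowFlag: 0", f"shadowWarning: {s[5]}",
                 f"shadowMin: {s[3]}", f"shadowMax: {s[4]}", f"shadowLastChange: {s[2]}"]
        if s[1] and not s[1].startswith(("!", "*")):  # locked accounts get no userPassword
            attrs.insert(11, f"userPassword: {{crypt}}{s[1]}")
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


def groups_to_ldif(group: str, base_dn: str, min_gid: int = 500) -> str:
    """One posixGroup entry per local group with gid >= min_gid, plus memberUid values."""
    entries = []
    for line in group.splitlines():
        name, _, gid, members = line.split(":")[:4]
        if int(gid) < min_gid:
            continue
        attrs = [f"dn: cn={name},ou=groups,{base_dn}", "objectClass: posixGroup",
                 f"cn: {name}", f"gidNumber: {gid}"]
        attrs += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"
```

The output of both functions can be fed to ldapadd exactly as ldapuser.ldif and ldapgroup.ldif are above.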
=====Setting up the LDAP client and joining the LDAP server domain=====
The client in this lab runs CentOS 6.0_x86_32. First install the packages the LDAP client needs, then configure it with setup, with system-config-authentication (GUI), or by editing the files by hand. The setup and system-config-authentication (GUI) methods are the recommended ones.
* Install LDAP (for the client):
<code bash>
# yum install openldap nss-pam-ldapd openldap-clients pam_ldap
</code>
* For manual configuration, several files must be edited (/etc/nslcd.conf, /etc/pam_ldap.conf, /etc/pam.d/system-auth, /etc/nsswitch.conf):
- **/etc/nsswitch.conf**
<code bash>
# vim /etc/nsswitch.conf
</code>
<code>
...(omitted)...
passwd: files ldap
shadow: files ldap
group: files ldap
...(omitted)...
netgroup: files ldap
...(omitted)...
automount: files ldap
</code>
- **/etc/pam_ldap.conf**
<code bash>
# vim /etc/pam_ldap.conf
</code>
<code>
...(omitted)...
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://192.168.0.254/
...(omitted)...
</code>
- **/etc/pam.d/system-auth**
<code bash>
# vim /etc/pam.d/system-auth
</code>
<code>
...(omitted)...
auth required pam_ldap.so use_first_pass
...(omitted)...
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
...(omitted)...
password sufficient pam_ldap.so use_authtok
...(omitted)...
session optional pam_ldap.so
# the line below creates the user's home directory automatically when it does not yet exist under /home/
session optional pam_mkhomedir.so skel=/etc/skel umask=077
</code>
- **/etc/nslcd.conf**
<code bash>
# vim /etc/nslcd.conf
</code>
<code>
...(omitted)...
uri ldap://192.168.0.254/
base dc=example,dc=com
</code>
- Start **nslcd**:
<code bash>
# /etc/init.d/nslcd start
</code>
- Check that the LDAP client can fetch the accounts from the LDAP server:
<code bash>
# getent passwd
...(omitted)...
guest1:x:500:500:guest1:/home/guest1:/bin/bash
guest2:x:501:501:guest2:/home/guest2:/bin/bash
guest3:x:502:502:guest3:/home/guest3:/bin/bash
guest4:x:503:503:guest4:/home/guest4:/bin/bash
guest5:x:504:504:guest5:/home/guest5:/bin/bash
guest6:x:505:505:guest6:/home/guest6:/bin/bash
guest7:x:506:506:guest7:/home/guest7:/bin/bash
guest8:x:507:507:guest8:/home/guest8:/bin/bash
guest9:x:508:508:guest9:/home/guest9:/bin/bash
guest10:x:509:509:guest10:/home/guest10:/bin/bash
...(omitted)...
</code>
- On the LDAP client, try logging in with the guest1..guest10 accounts:
<code>
rpm32.Qoop.com login: guest1
Password:                 (type guest1's password)
No directory /home/guest1!
Logging in with home = "/".
-bash-4.1$
</code>
This means the login succeeded. The "-bash-4.1$" prompt appears because /home contains no guest1 directory; to have the home directory created automatically, use the session pam_mkhomedir.so line from step 3 (/etc/pam.d/system-auth) above.
======FAQ======
====Q1: Even after adding the line "session optional pam_mkhomedir.so skel=/etc/skel umask=077" to /etc/pam.d/system-auth, logging in remotely over ssh still does not create the home directory automatically?====
<code>
guest3@192.168.0.42's password: ******
Last login: Thu Feb 9 14:00:48 2012 from 192.168.0.11
Could not chdir to home directory /home/guest3: No such file or directory
-bash-4.1$
</code>
===Answer 1: Edit the /etc/pam.d/sshd configuration file and add the following two lines===
<code>
auth required pam_ldap.so use_first_pass
...(omitted)...
session optional pam_mkhomedir.so skel=/etc/skel umask=077
</code>
====Q2: Users cannot change their own password. The error message is: LDAP password information update failed: Insufficient access / passwd: Authentication token manipulation error====
<code>
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
[utest2@server1 ~]$
</code>
===Answer 2: Usually the ACL settings in the LDAP server's slapd.conf (or related configuration files) are the problem===
A sample slapd.conf is listed below:
<code>
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database monitor
database config
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
loglevel 128
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="dc=example,dc=com"
    by self write
    by * read
</code>
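The two access clauses at the end of that slapd.conf are what make a user's own password change succeed: slapd uses the first "access to" clause whose target matches, then the first "by" clause whose requester matches, and anything unmatched gets "none". The following is an added example (my own code, not OpenLDAP's) that parses those two clauses and evaluates them for a few requester/target pairs so the effect of each line can be checked; it handles only the dn.subtree/attrs and self/anonymous/users/* forms used on this page.

```python
import re

# The two access clauses from the slapd.conf in Answer 2, copied as a string.
ACL = '''
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by self write
        by * read
'''
# slapd's privilege ladder; each level implies everything to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(text: str) -> list:
    """Turn 'access to ... by ...' lines into a list of (subtree, attrs, by-clauses)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'access to dn\.subtree="([^"]+)"(?:\s+attrs=(\S+))?$', line)
        if m:
            attrs = {a.lower() for a in m.group(2).split(",")} if m.group(2) else None
            rules.append({"subtree": m.group(1).lower(), "attrs": attrs, "by": []})
        elif line.startswith("by "):
            _, who, level = line.split()
            rules[-1]["by"].append((who, level))
    return rules


def access_level(rules: list, bind_dn, target_dn: str, attr: str) -> str:
    """Mimic slapd: the FIRST 'access to' clause matching the target applies, and within
    it the FIRST matching 'by' clause decides; anything unmatched falls through to 'none'."""
    target, who_dn = target_dn.lower(), (bind_dn or "").lower()
    for r in rules:
        if target != r["subtree"] and not target.endswith("," + r["subtree"]):
            continue
        if r["attrs"] is not None and attr.lower() not in r["attrs"]:
            continue
        for who, level in r["by"]:
            if (who == "*" or (who == "anonymous" and not who_dn)
                    or (who == "users" and who_dn) or (who == "self" and who_dn == target)):
                return level
        return "none"
    return "none"


def allowed(rules: list, bind_dn, target_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least the one the operation needs."""
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Note that the second clause's "by self write" also lets a user rewrite attributes such as uidNumber and loginShell on their own entry, which the NSS client trusts for authorization; an evaluator like this makes such side effects visible before the ACL goes live.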
====Q3: Another case where users cannot change their own password. The error message is: information update failed: Insufficient access / passwd: Authentication token manipulation error====
===Answer 3: Usually the PAM configuration files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) are the problem===
The following example applies to both system-auth and password-auth:
<code>
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
</code>
======References======
- [[http://www.openldap.org/doc/admin24/|OpenLDAP Software 2.4 Administrator's Guide]]
- [[http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s3-ldap-packages-openldap-servers|Red Hat Chapter 16. Directory Servers]]
- [[http://benjr.tw/node/157|LDAP account server]]
- [[http://www.l-penguin.idv.tw/article/ldap-1.htm|Introduction to LDAP]]
- [[http://wiki.centos.org/AdrianHall/CentralizedLDAPAuth?highlight=(ldap)|CentOS 6 wiki: Centralized LDAP Auth]]
- [[http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=1|LDAP server]]
- [[http://www.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-%E8%BC%95%E9%87%8F%E7%B4%9A%E7%9B%AE%E9%8C%84%E5%AD%98%E5%8F%96%E5%8D%94%E5%AE%9A%E5%89%8D%E8%A8%80#Heading2|不自量力: OpenLDAP, the lightweight directory access protocol]]
- [[http://jamyy.dyndns.org/blog/2012/01/3506.html|Initializing an LDAP server on CentOS 6]]
- [[http://ha.shsps.kh.edu.tw/web/centos/ldap.html|Teacher Chu's CentOS notes]]
- [[http://smtsang.wordpress.com/2012/08/07/openldap-ldap-password-information-update-failed-insufficient-access/|openldap: LDAP password information update failed: Insufficient access]]