目錄表

LDAP
F&Q
參考資料

LDAP

LDAP(Lightweight Directory Access Protocol)。它是一個輕量型的通訊協定，以X.500標準作修改,通常做為單一登入帳密認證(Single sign on),詳細介紹請查看LDAP。若有用過微軟的AD的就知道我在說甚麼，微軟的AD Server就是以ldap通訊協定為標準的，也算是這個領域的嬌嬌者。但本篇不是介紹AD而是各發行版Linux作業系統常用 Open LDAP

此Ldap2.4.x版本在配置設定檔時與之前版本會有些不一樣。

LDAP套件安裝

# yum install openldap-servers openldap-clients

另外，列出本實驗機安裝ldap其他相關套件

#rpm -qa|grep -i ldap
openldap-clients-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
nss_ldap-253-42.el5
openldap-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
python-ldap-2.2.0-2.1
nss_ldap-253-42.el5
openldap-servers-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
php-ldap-5.1.6-27.el5_5.3

LDAP Server設定檔配置

假設本實驗機IP為 192.168.0.254

DNS網域名稱為 example.com

LDAP Server管理帳號為 Manager

LDAP Server管理密碼為 123456

LDAP Server架構圖

修改DNS尾碼(本實驗以 example.com為範例)、Rootdn及啟動

# vim /etc/openldap/slapd.conf
~略~
database        bdb
suffix          "dc=example,dc=com"            #ldap server 所管理的網域
rootdn          "cn=Manager,dc=example,dc=com" #管理者的DN(Distinguished Name)
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg  #Ldap管理者帳號密碼
 
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap               #Ldap server 所儲存資訊的目錄式資料庫
~略~

新增Manager管理密碼

#slappasswd -s 123456 -h {SSHA}
{SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k

再一次修改/etc/openldap/slapd.conf填入SSHA密碼

#vim /etc/openldap/slapd.conf
~略~
rootpw                {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k  #Ldap管理者帳號密碼
~略~

複製LDAP資料庫類別檔到/var/lib/ldap/

#cp -a /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

若變更 slapd.conf 內容, 則:

#rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d

/etc/init.d/slapd restart

為LDAP Server新增人員名錄

先製作LDAP Server基本DN架構

編寫BseDN架構

#cd /etc/openldap/schema/
#vim base.ldif
 
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example
 
dn: cn=Manager,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
userPassword: {SSHA}TiNxPD5gtJxB5nfZX1yZY/PeCD/Lkx89
 
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
 
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

匯入Base.ldif

#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f base.ldif
Enter LDAP Password:  #key 上LDAP管理員密碼

建立測試使用者帳號、密碼並製作成Ldap格式,再執行匯入ldap server 目錄式資料庫中

先製作10組使用者並給予密碼(guest1..guest10)

#for ((i=1 ; i<=10 ; i++));do useradd guest$i;echo "guest${i}"| passwd --stdin test$i;done

利用此網頁寫好的ldapuser.sh或由此下載ldapuser

執行ldapuser.sh會生成ldapuser.ldif,並將它匯入到ldapserver 目錄資料庫

#./ldapuser.sh

#cat ldapuser.ldif

dn: uid=utest1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: utest1
sn: utest1
givenName: utest1
cn: utest1
displayName: utest1
uidNumber: 501
gidNumber: 501
userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
gecos: utest1
loginShell: /bin/bash
homeDirectory: /home/utest1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15453

dn: uid=utest2,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: utest2
sn: utest2
givenName: utest2
cn: utest2
displayName: utest2
uidNumber: 502
gidNumber: 502
userPassword: {crypt}$6$AXsISRoD$OmQgIc5d/tKpJ/pf9FKHusH3sJ.HdwopZnGbplItollif7ItrQXR3sI2uzUfNSNXrdvCP8aJgENxbjDykQLnF.
gecos: utest2
loginShell: /bin/bash
homeDirectory: /home/utest2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15453

#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f ldapuser.ldif

同前兩個步驟，下載ldapgroup.shldapgroup.sh,執行ldapgroup.sh後,生成ldapgroup.ldif並匯入ldap server中

#./ldapgroup.sh

cat ldapgroup.ldif

dn: cn=utest1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: utest1
gidNumber: 501

dn: cn=utest2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: utest2
gidNumber: 502

#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f ldapgroup.ldif

介由這個ldapsearch指令,測試剛匯入的資料是否可以找到

#ldapsearch -x -b "ou=People,dc=Qoop,dc=com"

#ldapsearch -x -b "ou=Group,dc=Qoop,dc=com"

為Client端建置LDAP Client及加入LDAP Server網域

本實驗Client端以Centos6.0_x86_32為版本，先安裝ldap在Client所需的套件,再利用setup、system-config-authentication(GUI介面)或自行手動修改。比較推薦setup、system-config-authentication(GUI介面)等方式

安裝ldap(for client)

#yum install openldap nss-pam-ldapd openldap-clients pam_ldap

手動設定的話需要修改幾個設定檔(/etc/nslcd.conf,/etc/pam_ldap.conf,/etc/pam.d/system-auth,/etc/nsswitch.conf)

/etc/nsswitch.conf

#vim /etc/nsswitch.conf
~略~
passwd:     files ldap
shadow:     files ldap
group:      files ldap
~略~
netgroup:   files ldap
~略~
automount:  files ldap

/etc/pam_ldap.conf

#vim /etc/pam_ldap.conf
~略~
base dc=Qoop,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://192.168.0.53/
~略~

/etc/pam.d/system-auth

#vim /etc/pam.d/system-auth
~略~
auth        required      pam_ldap.so use_first_pass
~略~
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
~略~
password    sufficient    pam_ldap.so use_authtok
~略~
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077 #加入此項的功用，當/home/中沒有使用者時，會自動建立該使用者的家目錄。

/etc/nslcd.conf

#vim /etc/nslcd.conf
~略~
uri ldap://192.168.0.53/
base dc=Qoop,dc=com

啟動 nslcd
```
#/etc/init.d/nslcd start
```

測試LDAP client 抓取 LDAP Server帳號

#getent passwd
~略~
guest1:x:500:500:guest1:/home/guest1:/bin/bash
guest2:x:501:501:guest2:/home/guest2:/bin/bash
guest3:x:502:502:guest3:/home/guest3:/bin/bash
guest4:x:503:503:guest4:/home/guest4:/bin/bash
guest5:x:504:504:guest5:/home/guest5:/bin/bash
guest6:x:505:505:guest6:/home/guest6:/bin/bash
guest7:x:506:506:guest7:/home/guest7:/bin/bash
guest8:x:507:507:guest8:/home/guest8:/bin/bash
guest9:x:508:508:guest9:/home/guest9:/bin/bash
guest10:x:509:509:guest10:/home/guest10:/bin/bash
~略~

在LDAP client端用(guest1..guest10)等帳號登入看看

rpm32.Qoop.com login:guest1
Password:    打上guest1密碼
 
No directory /home/guest1!
Logging in with home = "/".
-bash-4.1$    #這樣就表示成功了。若出現"-bash-4.1"這樣情況，因為/home目錄中沒有guest1，要自動建立家目錄,可利用第三點的 session  pam_mkhomedir.so 等參數

F&Q

Q1:雖在/etc/pam.d/system-auth內容中加入一行"session optional pam_mkhomedir.so skel=/etc/skel umask=077",使用ssh遠端登入還是會無法自動加入家目錄?

[email protected]'s password: ******
Last login: Thu Feb  9 14:00:48 2012 from 192.168.0.11
Could not chdir to home directory /home/guest3: No such file or directory
-bash-4.1$

Answer1:可以修改/etc/pam.d/ssh設定檔,d加入以下兩段

auth      required     pam_ldap.so use_first_pass~略~
session    optional    pam_mkhomedir.so skel=/etc/skel umask=077

Q2:使用者自己無法變更密碼。錯誤訊息是:LDAP password information update failed: Insufficient accesspasswd: Authentication token manipulation error

Enter login(LDAP) password: 
New password: 
Retype new password: 
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
[utest2@server1 ~]$

Answer2:通常是Ldap Server(slapd.conf)的ACL設定及相關設定檔有問題

以下列出slapd.conf範例

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database monitor
database config
database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
rootpw  secret
directory       /var/lib/ldaploglevel 128
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by self write
        by * read

Q3:另一種使用者自己無法變更密碼。錯誤訊息是:information update failed: Insufficient access passwd: Authentication token manipulation error

Answer3:通常是PAM(/etc/pam.d/system-auth及/etc/pam.d/password-auth)設定檔有問題

以下範例system-auth及password-auth都適用

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.sosession     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

目錄表