目錄表
LDAP
LDAP(Lightweight Directory Access Protocol)。它是一個輕量型的通訊協定,以X.500標準作修改,通常做為單一登入帳密認證(Single sign on),詳細介紹請查看LDAP。若有用過微軟的AD的就知道我在說甚麼,微軟的AD Server就是以ldap通訊協定為標準的,也算是這個領域的嬌嬌者。但本篇不是介紹AD而是各發行版Linux作業系統常用 Open LDAP
安裝LDAP及配置LDAP設定檔前,需先設定DNS。DNS相關設定可以參考DNS安裝與設定
LDAP套件安裝
# yum install openldap-servers openldap-clients
另外,列出本實驗機安裝ldap其他相關套件
#rpm -qa|grep -i ldap openldap-clients-2.3.43-12.el5_7.10 openldap-devel-2.3.43-12.el5_7.10 nss_ldap-253-42.el5 openldap-2.3.43-12.el5_7.10 openldap-devel-2.3.43-12.el5_7.10 python-ldap-2.2.0-2.1 nss_ldap-253-42.el5 openldap-servers-2.3.43-12.el5_7.10 openldap-2.3.43-12.el5_7.10 php-ldap-5.1.6-27.el5_5.3
LDAP Server設定檔配置
假設本實驗機IP為 192.168.0.254
DNS網域名稱為 Qoop.com
LDAP Server管理帳號為 Manager
LDAP Server管理密碼為 123456
LDAP Server架構圖
- 修改DNS尾碼(本實驗以 Qoop.com為範例)、Rootdn及啟動
# vim /etc/openldap/slapd.conf ~略~ database bdb suffix "dc=Qoop,dc=com" #ldap server 所管理的網域 rootdn "cn=Manager,dc=Qoop,dc=com" #管理者的DN(Distinguished Name) # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg #Ldap管理者帳號密碼 # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap #Ldap server 所儲存資訊的目錄式資料庫 ~略~# service ldap start
- 新增Manager管理密碼
#slappasswd -s 123456 -h {SSHA} {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k再一次修改/etc/openldap/slapd.conf填入SSHA密碼
#vim /etc/openldap/slapd.conf ~略~ rootpw {SSHA}zSkIpZfaYXgsPDAkfXoXJ1Gw8kre+u2k #Ldap管理者帳號密碼 ~略~ - 複製LDAP資料庫類別檔 到/var/lib/ldap/
#cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- 重新啟動
#service ldap restart
為LDAP Server新增人員名錄
- 先製作LDAP Server基本DN架構
- 編寫BseDN架構
#cd /etc/openldap/schema/ #vim base.ldif dn: dc=Qoop,dc=com dc: Qoop objectClass: top objectClass: domain dn: ou=People,dc=Qoop,dc=com ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=Qoop,dc=com ou: Group objectClass: top objectClass: organizationalUnit
- 匯入Base.ldif
#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f base.ldif Enter LDAP Password: #key 上LDAP管理員密碼
- 建立測試使用者帳號、密碼並製作成Ldap格式,再執行匯入ldap server 目錄式資料庫中
- 先製作10組使用者並給予密碼(guest1..guest10)
#for ((i=1 ; i<=10 ; i++));do useradd guest$i;echo "guest${i}"| passwd --stdin test$i;done - 執行ldapuser.sh會生成ldapuser.ldif,並將它匯入到ldapserver 目錄資料庫
#./ldapuser.sh
#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f ldapuser.ldif
- 同前兩個步驟,下載ldapgroup.shldapgroup.sh,執行ldapgroup.sh後,生成ldapgroup.ldif並匯入ldap server中
#./ldapgroup.sh
#ldapadd -x -D "cn=Manager,dc=Qoop,dc=com" -W -f ldapgroup.ldif
- 介由這個ldapsearch指令,測試剛匯入的資料是否可以找到
#ldapsearch -x -b "ou=People,dc=Qoop,dc=com"
#ldapsearch -x -b "ou=Group,dc=Qoop,dc=com"
為Client端建置LDAP Client及加入LDAP Server網域
本實驗Client端以Centos6.0_x86_32為版本,先安裝ldap在Client所需的套件,再利用setup、system-config-authentication(GUI介面)或自行手動修改。比較推薦setup、system-config-authentication(GUI介面)等方式
- 安裝ldap(for client)
#yum install openldap nss-pam-ldapd openldap-clients pam_ldap
- 手動設定的話需要修改幾個設定檔(/etc/nslcd.conf,/etc/pam_ldap.conf,/etc/pam.d/system-auth,/etc/nsswitch.conf)
- /etc/nsswitch.conf
#vim /etc/nsswitch.conf ~略~ passwd: files ldap shadow: files ldap group: files ldap ~略~ netgroup: files ldap ~略~ automount: files ldap
- /etc/pam_ldap.conf
#vim /etc/pam_ldap.conf ~略~ base dc=Qoop,dc=com # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. uri ldap://192.168.0.53/ ~略~
- /etc/pam.d/system-auth
#vim /etc/pam.d/system-auth ~略~ auth required pam_ldap.so use_first_pass ~略~ account [default=bad success=ok user_unknown=ignore] pam_ldap.so ~略~ password sufficient pam_ldap.so use_authtok ~略~ session optional pam_ldap.so session optional pam_mkhomedir.so skel=/etc/skel umask=077 #加入此項的功用,當/home/中沒有使用者時,會自動建立該使用者的家目錄。
- /etc/nslcd.conf
#vim /etc/nslcd.conf ~略~ uri ldap://192.168.0.53/ base dc=Qoop,dc=com
- 啟動 nslcd
#/etc/init.d/nslcd start
- 測試LDAP client 抓取 LDAP Server帳號
#getent passwd ~略~ guest1:x:500:500:guest1:/home/guest1:/bin/bash guest2:x:501:501:guest2:/home/guest2:/bin/bash guest3:x:502:502:guest3:/home/guest3:/bin/bash guest4:x:503:503:guest4:/home/guest4:/bin/bash guest5:x:504:504:guest5:/home/guest5:/bin/bash guest6:x:505:505:guest6:/home/guest6:/bin/bash guest7:x:506:506:guest7:/home/guest7:/bin/bash guest8:x:507:507:guest8:/home/guest8:/bin/bash guest9:x:508:508:guest9:/home/guest9:/bin/bash guest10:x:509:509:guest10:/home/guest10:/bin/bash ~略~
- 在LDAP client端用(guest1..guest10)等帳號登入看看
rpm32.Qoop.com login:guest1 Password: 打上guest1密碼 No directory /home/guest1! Logging in with home = "/". -bash-4.1$ #這樣就表示成功了。若出現"-bash-4.1"這樣情況,因為/home目錄中沒有guest1,要自動建立家目錄,可利用第三點的 session pam_mkhomedir.so 等參數
F&Q
- 雖在/etc/pam.d/system-auth內容中加入一行“session optional pam_mkhomedir.so skel=/etc/skel umask=077”,使用ssh遠端登入還是會無法自動加入家目錄?
[email protected]'s password: ****** Last login: Thu Feb 9 14:00:48 2012 from 192.168.0.11 Could not chdir to home directory /home/guest3: No such file or directory -bash-4.1$
Q1:可以修改/etc/pam.d/ssh設定檔,d加入以下兩段
auth required pam_ldap.so use_first_pass ~略~ session optional pam_mkhomedir.so skel=/etc/skel umask=077