
Enterprise-grade standardized deployment of the central authentication service OpenLDAP

Author: 云原生生态圈 (WeChat official account)
Published: 2021-11-15 16:52:55

Lab environment

Operating system: CentOS 7

Service software version: OpenLDAP 2.4

System initialization

# Sync the server clock
ntpdate -u ntp.api.bz

# Disable SELinux and firewalld (a lab shortcut; on a production host keep both
# enabled and open only the LDAP listener port instead)
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service

# Reboot the server
shutdown -r now

Deployment and installation

Install OpenLDAP with the package manager

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
 
Check the installed version

root:~/ # slapd -VV  [20:42:17]
@(#) OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45)
    mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
 
Set the OpenLDAP administrator password

slappasswd prints the salted SHA-1 hash that goes into the configuration. Passing the clear-text password with -s leaves it in the shell history and the process list; running slappasswd without -s prompts for it instead.

root:slapd.d/ # slappasswd -s 123456  [20:43:35]
{SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
 
Change the administrator entry and write the administrator password into the configuration file

The file is /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif (the prompt shows the working directory). The three places to change are marked with comments.

root:cn=config/ # cat olcDatabase=\{2\}hdb.ldif  [20:53:45]
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a830970a
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
# change the domain name here
olcSuffix: dc=testlab,dc=com
# change the administrator account here to root and the domain to testlab
olcRootDN: cn=root,dc=testlab,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 43a7f8d8-d134-1038-8bab-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438297Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
# append the administrator password hash at the end
olcRootPW: {SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
 
Change the administrator and domain in olcDatabase={1}monitor.ldif

root:cn=config/ # cat olcDatabase=\{1\}monitor.ldif  [20:54:06]
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e26d6fe9
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
# change the administrator name and the domain dc here
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=testlab,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 43a7f0ae-d134-1038-8baa-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438086Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
 
Verify that the basic OpenLDAP configuration has no problems

root:cn=config/ # slaptest -u  [20:53:16]
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The two checksum errors are the consequence of editing the auto-generated files by hand: the "# CRC32" line in each file no longer matches its content. slapd still loads the files and the test succeeds; the warnings only disappear when the same changes are applied through ldapmodify.
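The files edited above carry the header "AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.", and hand-editing them is what produces the checksum errors. The following added example (not from the original post) generates the same olcSuffix, olcRootDN, olcRootPW and monitor olcAccess changes as a modify LDIF and applies it over ldapi:/// with SASL EXTERNAL; the suffix, rootDN and hash are the page's values, while the path /root/config.ldif, the APPLY switch and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the suffix, rootDN, rootPW
# and monitor ACL changes through ldapmodify instead of editing the files in
# /etc/openldap/slapd.d by hand, which is what triggers the checksum errors.
set -eu

# Emit a modify LDIF for the {2}hdb and {1}monitor databases.
# $1 = suffix, $2 = rootDN, $3 = password hash as printed by slappasswd.
make_config_ldif() {
  local suffix="$1" rootdn="$2" rootpw="$3"
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $rootpw

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$rootdn" read by * none
EOF
}

# Apply the LDIF as root over the local socket with SASL EXTERNAL: no
# password is needed and the CRC32 lines in slapd.d stay consistent.
apply_config_ldif() {
  ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
  # slappasswd without -s prompts on the terminal, so the clear-text
  # password never shows up in `ps` output or shell history.
  HASH=$(slappasswd)
  make_config_ldif "dc=testlab,dc=com" "cn=root,dc=testlab,dc=com" "$HASH" > /root/config.ldif
  apply_config_ldif /root/config.ldif
else
  # Dry run (assumed placeholder hash): print the LDIF for review.
  make_config_ldif "dc=testlab,dc=com" "cn=root,dc=testlab,dc=com" "{SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT"
fi
```

Run it as root on the LDAP host with APPLY=1 to apply; without the variable it only prints the LDIF.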
 
Enable slapd at boot and start the service

root:cn=config/ # systemctl enable slapd  [20:57:35]
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
root:cn=config/ # systemctl start slapd  [20:57:42]
root:cn=config/ # systemctl status slapd  [20:57:48]
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-03-02 20:57:48 CST; 8s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 2448 ExecStart=/usr/sbin/slapd -u ldap -h $SLAPD_URLS $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2434 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 2451 (slapd)
   CGroup: /system.slice/slapd.service
           └─2451 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Mar 02 20:57:46 devops-node4 systemd[1]: Starting OpenLDAP Server Daemon...
Mar 02 20:57:46 devops-node4 runuser[2437]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 02 20:57:46 devops-node4 slapd[2448]: @(#) OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45)
                                                  mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/op...s/slapd
Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1...r.ldif"
Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Mar 02 20:57:48 devops-node4 slapd[2448]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected wit...ssions.
Mar 02 20:57:48 devops-node4 slapd[2451]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
                                          Expect poor performance for suffix "dc=testlab,dc=com".
Mar 02 20:57:48 devops-node4 slapd[2451]: slapd starting
Mar 02 20:57:48 devops-node4 systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
 
Check that the OpenLDAP service process is listening

The default port is 389.

root:cn=config/ # netstat -antup | grep 389  [20:57:56]
tcp   0  0 0.0.0.0:389  0.0.0.0:*  LISTEN  2451/slapd
tcp6  0  0 :::389       :::*       LISTEN  2451/slapd
Configure the OpenLDAP database

This supplies the DB_CONFIG file whose absence the startup log warned about, and makes the database directory owned by and readable only to the ldap user.

root:cn=config/ # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG  [20:58:28]
root:cn=config/ # chown ldap:ldap -R /var/lib/ldap  [20:59:32]
root:cn=config/ # chmod 700 -R /var/lib/ldap  [20:59:49]
root:cn=config/ # ls -l /var/lib/ldap/  [20:59:55]
total 324
-rwx------ 1 ldap ldap     2048 Mar 2 20:57 alock
-rwx------ 1 ldap ldap   262144 Mar 2 20:57 __db.001
-rwx------ 1 ldap ldap    32768 Mar 2 20:57 __db.002
-rwx------ 1 ldap ldap    49152 Mar 2 20:57 __db.003
-rwx------ 1 ldap ldap      845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap     8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap    32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 20:57 log.0000000001
 
Import the schemas that define the format of the data OpenLDAP stores

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif  [21:00:02]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif  [21:01:58]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif  [21:02:15]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
 
Modify the script that generates the LDIF files

Three variables in migrate_common.ph are set to the lab domain; the egrep shows their values after the edit.

root:cn=config/ # cat /usr/share/migrationtools/migrate_common.ph | egrep 'DEFAULT_MAIL_DOMAIN|DEFAULT_BASE|EXTENDED_SCHEMA' | head -3
$DEFAULT_MAIL_DOMAIN = "testlab.com";
$DEFAULT_BASE = "dc=testlab,dc=com";
$EXTENDED_SCHEMA = 1;
 
Add system users and groups to be imported into OpenLDAP later

root:cn=config/ # groupadd ldapgroup1  [21:07:59]
root:cn=config/ # groupadd ldapgroup2  [21:08:01]
root:cn=config/ # useradd -g ldapgroup1 ldapuser1  [21:08:03]
root:cn=config/ # useradd -g ldapgroup2 ldapuser2  [21:08:11]
root:cn=config/ # echo "123456" | passwd --stdin ldapuser1  [21:08:16]
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
root:cn=config/ # echo "123456" | passwd --stdin ldapuser2  [21:08:42]
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
 
Extract the user and group attributes

The pattern matches accounts whose UID or GID falls in the 1000-1099 range; the second grep keeps only the ldap* users and groups created above.

root:cn=config/ # grep ":10[0-9][0-9]" /etc/passwd | grep ldap > /root/users  [21:10:42]
root:cn=config/ # grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups  [21:11:01]
 
Generate the OpenLDAP user and group entries

root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif  [21:11:14]
root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif  [21:13:55]
root:cn=config/ # cat /root/groups.ldif  [21:14:15]
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1002
gidNumber:
homeDirectory:

dn: uid=ldapgroup2,ou=People,dc=testlab,dc=com
uid: ldapgroup2
cn: ldapgroup2
sn: ldapgroup2
mail: ldapgroup2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1003
gidNumber:
homeDirectory:

root:cn=config/ # cat /root/users.ldif  [21:14:17]
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}65PAZUtNU
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=testlab,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}6HVzIvzSv
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/ldapuser2
Create the base LDIF for the OpenLDAP directory

cat > /root/base.ldif << EOF
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
 
Import the directory structure into OpenLDAP

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/base.ldif  [21:22:12]
adding new entry "dc=testlab,dc=com"

adding new entry "cn=root,dc=testlab,dc=com"

adding new entry "ou=People,dc=testlab,dc=com"

adding new entry "ou=Group,dc=testlab,dc=com"
root:cn=config/ # cat /root/base.ldif  [21:22:13]
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
 
Import the user and group data into OpenLDAP

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif  [21:22:20]
adding new entry "uid=ldapuser1,ou=People,dc=testlab,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=testlab,dc=com"

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif  [21:34:47]
adding new entry "uid=ldapgroup1,ou=People,dc=testlab,dc=com"

adding new entry "uid=ldapgroup2,ou=People,dc=testlab,dc=com"
 
View the database files

root:cn=config/ # ls -l /var/lib/ldap  [21:31:17]
total 488
-rwx------ 1 ldap ldap     2048 Mar 2 20:57 alock
-rw------- 1 ldap ldap     8192 Mar 2 21:22 cn.bdb
-rwx------ 1 ldap ldap   262144 Mar 2 21:24 __db.001
-rwx------ 1 ldap ldap    32768 Mar 2 21:24 __db.002
-rwx------ 1 ldap ldap    93592 Mar 2 21:24 __db.003
-rwx------ 1 ldap ldap      845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap     8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap    32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 21:24 log.0000000001
-rw------- 1 ldap ldap     8192 Mar 2 21:24 mail.bdb
-rw------- 1 ldap ldap     8192 Mar 2 21:22 objectClass.bdb
-rw------- 1 ldap ldap     8192 Mar 2 21:22 ou.bdb
-rw------- 1 ldap ldap     8192 Mar 2 21:24 sn.bdb
 
View the OpenLDAP data

This is an anonymous search (-x without -D). No olcAccess was defined for the {2}hdb database, so slapd's built-in default of "to * by * read" applies and the search returns every attribute, userPassword hashes included; add an access rule that restricts userPassword before exposing the server beyond the lab.

root:cn=config/ # ldapsearch -x -b "dc=testlab,dc=com" -H "ldap://127.0.0.1"  [21:38:17]
 
Filtered queries

root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapuser1"  [21:38:50]
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDR
 PZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1

root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapgroup1"  [21:41:07]
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1002
gidNumber: 1002
homeDirectory:
Link users to groups in OpenLDAP

cat > add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=testlab,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF

# Apply the modification; -W prompts for the bind password instead of taking it on the command line
ldapmodify -x -D "cn=root,dc=testlab,dc=com" -W -f add_user_to_groups.ldif
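The groups.ldif shown earlier holds person-style entries under ou=People (uid=ldapgroup1, objectClass posixAccount, empty gidNumber), so the modification above has no cn=ldapgroup1,ou=Group entry to target. This added example (not from the original post or from migrationtools) converts /etc/group lines into posixGroup entries under ou=Group with one memberUid per member; the sample group lines are constructed, and the function names, the APPLY switch and the paths /root/groups and /root/groups.ldif are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or migrationtools): build posixGroup
# entries under ou=Group from /etc/group lines, so that the
# cn=ldapgroup1,ou=Group,dc=testlab,dc=com entry modified above exists.
set -eu

# Convert one "name:passwd:gid:member1,member2" line into an LDIF entry.
# $1 = /etc/group line, $2 = base DN (e.g. dc=testlab,dc=com).
group_line_to_ldif() {
  local name pw gid members
  IFS=: read -r name pw gid members <<EOF
$1
EOF
  printf 'dn: cn=%s,ou=Group,%s\n' "$name" "$2"
  printf 'objectClass: posixGroup\nobjectClass: top\n'
  printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
  # /etc/group separates members with commas; LDIF wants one memberUid per line.
  if [ -n "$members" ]; then
    printf '%s\n' "$members" | tr ',' '\n' | while IFS= read -r m; do
      if [ -n "$m" ]; then printf 'memberUid: %s\n' "$m"; fi
    done
  fi
  printf '\n'
}

# Convert a whole group file passed as a string (one /etc/group line per line).
groups_to_ldif() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then group_line_to_ldif "$line" "$2"; fi
  done
}

# Add the generated entries as the directory manager; -W prompts for the
# bind password instead of taking it on the command line.
apply_groups_ldif() {
  ldapadd -x -D "cn=root,dc=testlab,dc=com" -W -f "$1"
}

# Constructed sample in the shape `grep ":10[0-9][0-9]" /etc/group | grep ldap`
# yields (members added for illustration; primary-group users are not listed).
SAMPLE_GROUPS='ldapgroup1:x:1002:ldapuser1
ldapgroup2:x:1003:ldapuser2,ldapuser1'

if [ "${APPLY:-0}" = 1 ]; then
  grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups
  groups_to_ldif "$(cat /root/groups)" "dc=testlab,dc=com" > /root/groups.ldif
  apply_groups_ldif /root/groups.ldif
else
  groups_to_ldif "$SAMPLE_GROUPS" "dc=testlab,dc=com"
fi
```

Without APPLY=1 the script only prints the LDIF for the constructed sample, which is enough to check the entry shape before importing real data.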
Enable OpenLDAP access logging

cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

# Apply it to the running cn=config over the local socket
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

# slapd logs to the local4 syslog facility; route it to its own file
cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
 
Restart the rsyslog and slapd services

systemctl restart rsyslog
systemctl restart slapd
tail -f /var/log/slapd.log
 
Change the default OpenLDAP listening port

vim /etc/sysconfig/slapd

# ldapi:// is a Unix-domain socket and takes no host:port, so only the ldap:// listener moves to 4567
SLAPD_URLS="ldapi:/// ldap://0.0.0.0:4567/"

# Restart so the new listener takes effect
systemctl restart slapd
 
Query OpenLDAP on the new port

ldapsearch -LLL -x -D 'cn=root,dc=testlab,dc=com' -w "123456" -H ldap://0.0.0.0:4567/ -b 'dc=testlab,dc=com' 'uid=ldapuser1'
 

It took a great deal of effort to get the OpenLDAP service running, but that is only the first step; what remains is to study OpenLDAP master-slave and master-master architectures and the concrete scenarios in which OpenLDAP is used.

Originally published 2020-02-28 on the WeChat official account 云原生生态圈 and shared through the Tencent Cloud self-media sharing program.
