LDAP Service Deployment
1. Lab environment:
[root@ldapserver01 ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@ldapserver01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.191.131 netmask 255.255.255.0 broadcast 192.168.191.255
inet6 fe80::6da6:bfa7:41da:455a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f7:1e:00 txqueuelen 1000 (Ethernet)
RX packets 769 bytes 70419 (68.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 312 bytes 43742 (42.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 200 bytes 16248 (15.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 200 bytes 16248 (15.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2. Deployment process
2.1 Install the server and the corresponding packages
[root@ldapserver01 ~]# yum install openldap-servers openldap-clients
[root@ldapserver01 ~]# systemctl start slapd
[root@ldapserver01 ~]# systemctl enable slapd
[root@ldapserver01 ~]# systemctl status slapd
[root@ldapserver01 ~]# ps xua|grep slapd
ldap 1104 0.0 3.7 532752 37472 ? Ssl 09:46 0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root 1356 0.0 0.0 112728 968 pts/0 R+ 10:06 0:00 grep --color=auto slapd
Check the service port:
[root@ldapserver01 ~]# netstat -lnptp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1155/master
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1104/slapd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 960/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1155/master
tcp6 0 0 :::389 :::* LISTEN 1104/slapd
tcp6 0 0 :::22 :::* LISTEN 960/sshd
The default LDAP port is 389; if encryption is enabled (CA + LDAP), port 636 is used instead. Here the default port 389 is already listening.
A point to note about the LDAP commands:
Commands of the form slapxxxx are generally server-side commands, while commands of the form ldapxxxx are client-side commands, for example these two:
slappasswd   server-side command
ldappasswd   client-side command
2.2 With the LDAP service installed, we next set a password for it. Run the following on the OpenLDAP server:
[root@ldapserver01 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
The global configuration files of the LDAP service live under "/etc/openldap/slapd.d/", as shown below:
[root@ldapserver01 ~]# cd /etc/openldap/slapd.d/
[root@ldapserver01 slapd.d]# ls
cn=config cn=config.ldif
[root@ldapserver01 slapd.d]# cd cn\=config
[root@ldapserver01 cn=config]# ls
cn=schema olcDatabase={0}config.ldif olcDatabase={1}monitor.ldif
cn=schema.ldif olcDatabase={-1}frontend.ldif olcDatabase={2}hdb.ldif
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]#
The command and content for adding the password: adding the password actually modifies the file olcDatabase={0}config.ldif.
Run the password add operation:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[root@ldapserver01 cn=config]#
View the file after the password has been added:
[root@ldapserver01 cn=config]# cat olcDatabase\=\{0\}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9563b946
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: ab83df26-ce3f-103a-9d56-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcRootPW:: e1NTSEF9MGdzMVNmbytQczRnc1Ixcmt0Z2IxbnpkL1FhcTVqM2g=
entryCSN: 20201209082252.279180Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209082252Z
3. Import the basic schema files
On CentOS 7 the schema files are stored by default at:
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls /etc/openldap/schema/
collective.ldif corba.schema cosine.ldif duaconf.schema inetorgperson.ldif java.schema nis.ldif openldap.schema ppolicy.ldif
collective.schema core.ldif cosine.schema dyngroup.ldif inetorgperson.schema misc.ldif nis.schema pmi.ldif ppolicy.schema
corba.ldif core.schema duaconf.ldif dyngroup.schema java.ldif misc.schema openldap.ldif pmi.schema
[root@ldapserver01 cn=config]#
The imported basic schema files are stored at: /etc/openldap/slapd.d/cn=config/cn=schema
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls cn\=schema
cn={0}core.ldif
[root@ldapserver01 cn=config]#
3.1 Import the first schema file:
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldapserver01 cn=config]#
[root@ldapserver01 cn=config]# cd cn\=schema
[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif cn={1}cosine.ldif
[root@ldapserver01 cn=schema]# pwd
/etc/openldap/slapd.d/cn=config/cn=schema
[root@ldapserver01 cn=schema]#
Import the other schema files in the same way:
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
[root@ldapserver01 cn=schema]#
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif cn={1}cosine.ldif cn={2}ppolicy.ldif cn={3}nis.ldif cn={4}dyngroup.ldif cn={5}inetorgperson.ldif
[root@ldapserver01 cn=schema]#
4. Set the domain name: the files to modify are olcDatabase={2}hdb.ldif and olcDatabase={1}monitor.ldif
[root@ldapserver01 cn=schema]# cd ..
[root@ldapserver01 cn=config]# ls
cn=schema olcDatabase={0}config.ldif olcDatabase={1}monitor.ldif
cn=schema.ldif olcDatabase={-1}frontend.ldif olcDatabase={2}hdb.ldif
4.1 Procedure:
[root@ldapserver01 cn=config]# cat /tmp/domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Note: each dn entry here must be followed by a blank line (press Enter to leave an empty line), otherwise it is easy to get an error.
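An added example (Python; not from the original post) that checks change-record LDIF such as /tmp/domain.ldif for exactly this mistake before it is fed to ldapadd: a dn: line turning up inside a record means the blank separator before it was forgotten. It handles single-operation records like the ones above; the sample LDIF in it is a constructed, shortened copy of the file.

```python
from typing import List

# Added example, not from the original post: checks single-operation LDIF change
# records like /tmp/domain.ldif above. GOOD_LDIF is a constructed, shortened copy.
MOD_OPS = ("add", "replace", "delete")

GOOD_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com
"""
BAD_LDIF = GOOD_LDIF.replace("\n\n", "\n")     # the blank separator dropped

def split_records(text: str) -> List[List[str]]:   # an empty line closes a record
    records, current = [], []
    for line in text.splitlines() + [""]:      # sentinel flushes the last record
        if line.strip():
            current.append(line)
        elif current:
            records.append(current)
            current = []
    return records

def check_ldif_changes(text: str) -> List[str]:
    """Return a list of problems; an empty list means the records look sane."""
    problems = []
    for rec in split_records(text):
        if not rec[0].startswith("dn:"):
            problems.append(f"record starting '{rec[0]}' has no dn: line")
            continue
        dn, attrs = rec[0][3:].strip(), {}
        for line in rec[1:]:
            if line.startswith("dn:"):
                problems.append(f"'{line}' inside record {dn}: blank line before it missing")
                break
            if ": " not in line:
                problems.append(f"record {dn}: '{line}' is not an 'attribute: value' line")
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.rstrip(":").lower(), []).append(value)  # "::" = base64
        for op in MOD_OPS:                     # add/replace must carry a value line
            for target in attrs.get(op, []):
                if op != "delete" and target.lower() not in attrs:
                    problems.append(f"record {dn}: '{op}: {target}' has no value line")
    return problems
```

Running check_ldif_changes on GOOD_LDIF returns no problems, while BAD_LDIF (the same text with the blank line removed) is reported as one record containing a second dn: line.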
View the modified files:
[root@ldapserver01 cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 736c680e
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: ab83e462-ce3f-103a-9d58-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcSuffix: dc=ldap,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=com
olcRootPW:: e1NTSEF9MGdzMVNmbytQczRnc1Ixcmt0Z2IxbnpkL1FhcTVqM2g=
entryCSN: 20201209090327.194756Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209090327Z
[root@ldapserver01 cn=config]# cat olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d8fca28b
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: ab83e188-ce3f-103a-9d57-e1ad5aadfbd0
creatorsName: cn=config
createTimestamp: 20201209075538Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
entryCSN: 20201209090327.192534Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201209090327Z
5. Set up the organizational structure
An LDAP directory stores data in a tree-like hierarchy. If you are familiar with the top-down DNS tree or the UNIX file system directory tree, the concept of the LDAP directory tree is easy to grasp. Just like a DNS hostname, the Distinguished Name (DN) of an LDAP directory record is used to read a single record and to trace the path back to the top of the tree.
5.1 Run the add-entry operation:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: dc=ldap,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: ldap
> o: ldap.com
>
> dn: ou=People,dc=ldap,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: People
>
> dn: ou=Group,dc=ldap,dc=com
> objectClass: organizationalUnit
> ou: Group
>
> dn: cn=Manager,dc=ldap,dc=com
> objectClass: organizationalRole
> cn: Manager
>
> dn: cn=Host,ou=Group,dc=ldap,dc=com
> objectClass: posixGroup
> cn: Host
> gidNumber: 1010
> EOF
Enter LDAP Password:
adding new entry "dc=ldap,dc=com"
adding new entry "ou=People,dc=ldap,dc=com"
adding new entry "ou=Group,dc=ldap,dc=com"
adding new entry "cn=Manager,dc=ldap,dc=com"
adding new entry "cn=Host,ou=Group,dc=ldap,dc=com"
[root@ldapserver01 cn=config]#
There are two ways to view the added entries.
① Command-line method: add the BASE and URI fields
[root@ldapserver01 cn=config]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
BASE dc=ldap,dc=com
URI ldap://192.168.191.131
[root@ldapserver01 cn=config]# ldapsearch -x -LLL
6. Add users:
6.1 Run the add-user commands:
Add user01:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user01,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user01
> userPassword: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
> loginShell: /bin/bash
> cn: user01
> uidNumber: 1000
> gidNumber: 1010
> sn: System Administrator
> mail: user01@gmail.com
> mobile: 12888888888
> EOF
Enter LDAP Password:
adding new entry "uid=user01,ou=People,dc=ldap,dc=com"
Add user02:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user02,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user02
> userPassword: {SSHA}0gs1Sfo+Ps4gsR1rktgb1nzd/Qaq5j3h
> loginShell: /bin/bash
> cn: user02
> uidNumber: 1001
> gidNumber: 1010
> sn: System Administrator
> mail: user01@gmail.com
> mobile: 12888888888
> EOF
Enter LDAP Password:
adding new entry "uid=user02,ou=People,dc=ldap,dc=com"
Delete user02 (user02 is added and deleted here only to get familiar with the commands, nothing more):
[root@ldapserver01 cn=config]# ldapdelete -x -D "cn=Manager,dc=ldap,dc=com" -W "uid=user02,ou=People,dc=ldap,dc=com"
Enter LDAP Password:
[root@ldapserver01 cn=config]#
At this point a simple LDAP server configuration is complete. Next, configure the LDAP client.
7. Procedure:
Install the configuration files and the corresponding tool packages
[root@localhost ~]# yum install nss-pam-ldapd setuptool
Back up the configuration files:
[root@localhost ~]# authconfig --savebackup=openldap.bak
[root@localhost ~]# id user01
id: user01: no such user
[root@localhost ~]# getent passwd user01
[root@localhost ~]# getent shadow user01
Restore the current configuration files:
[root@localhost ~]# authconfig --restorebackup=openldap.bak
Note: the authconfig command restores the files to their initial state very quickly, which is faster and more accurate than editing the configuration files one by one by hand.
Run the command that adds the LDAP configuration:
[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.191.131 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@localhost ~]# getent shadow user01
user01:*:::::::0
[root@localhost ~]# getent passwd user01
user01:x:1000:1010:user01:/home/user01:/bin/bash
[root@localhost ~]# id user01
uid=1000(user01) gid=1010(Host) 組=1010(Host)
Log-in test:
[root@localhost ~]# ssh user01@192.168.191.132
user01@192.168.191.132's password:
Last login: Tue Dec 15 11:10:23 2020 from 192.168.191.132
[user01@localhost ~]$ whoami
user01
[user01@localhost ~]$ id
uid=1000(user01) gid=1010(Host) 組=1010(Host) 環境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@localhost ~]$ pwd
/home/user01
[user01@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
With that, a simple LDAP deployment for centrally managed users is complete.