Introduction to LDAP

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol, developed by the OpenLDAP Project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.

It functions like a relational database in some ways and can be used to store any kind of information. LDAP is not limited to storing information; it is also used as the backend database for "single sign-on", where one password for a user is shared between many services.

In this tutorial, we will configure OpenLDAP for centralized login, where users use a single account to log in to multiple servers.

Test environment

Hostname            IP            OS                 Role
elk02.lavenliu.com  192.168.6.35  CentOS 7 (64-bit)  LDAP server
elk03.lavenliu.com  192.168.6.36  CentOS 7 (64-bit)  LDAP client

The /etc/hosts file on each of the two machines must be able to resolve the other one:

[root@elk02 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.46 ansibile.lavenliu.com ansible
192.168.6.25 elk01.lavenliu.com elk01
192.168.6.35 elk02.lavenliu.com elk02
192.168.6.36 elk03.lavenliu.com elk03
192.168.6.165 elk04.lavenliu.com elk04
[root@elk03 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.46 ansibile.lavenliu.com ansible
192.168.6.25 elk01.lavenliu.com elk01
192.168.6.35 elk02.lavenliu.com elk02
192.168.6.36 elk03.lavenliu.com elk03
192.168.6.165 elk04.lavenliu.com elk04

If we want to use domain names instead of IP addresses, we need to set up a DNS service. This article uses IP addresses in the configuration files.

Installing the LDAP server

Install the following packages on the server:

yum -y install openldap compat-openldap openldap-clients \
openldap-servers openldap-servers-sql openldap-devel

After the installation, start the LDAP service and enable it at boot:

[root@elk02 ~]# systemctl start slapd.service
[root@elk02 ~]# systemctl enable slapd.service

Verify that the service started successfully:

[root@elk02 ~]# netstat -antup |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2984/slapd
tcp6 0 0 :::389 :::* LISTEN 2984/slapd

Setting the LDAP root password

Run the command below to create the LDAP root password; we will use this root password throughout this article, so make a note of it and keep it aside.

[root@elk02 ~]# slappasswd
New password: 123456
Re-enter new password: 123456
{SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc

Configuring the LDAP server

The OpenLDAP server configuration files are found in /etc/openldap/slapd.d/. To start the LDAP configuration, we need to update the attributes "olcSuffix", "olcRootDN" and "olcRootPW".

  • olcSuffix: Database suffix, the domain name for which the LDAP server provides information. In simple words, it should be changed to your domain name.
  • olcRootDN: Root Distinguished Name (DN) entry for the user who has unrestricted access to perform all administration activities on LDAP, like a root user.
  • olcRootPW: Password for the above RootDN.

The entries above are updated in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file. Editing the LDAP configuration by hand is not recommended, because you will lose those changes whenever you run the ldapmodify command.

[root@elk02 ~]# cd /etc/openldap/slapd.d/cn=config
[root@elk02 cn=config]# vim db.ldif
[root@elk02 cn=config]# cat >> db.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lavenliu,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lavenliu,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc
EOF
[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
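The db.ldif above is a hand-written LDIF "changetype: modify" file. Writing such files by hand is error-prone when values contain leading spaces, colons or non-ASCII characters (LDIF then requires the base64 "attr:: value" form) or exceed 76 columns (LDIF folds long lines). The following script is an added example, not code from this tutorial or from OpenLDAP: it builds RFC 2849 modify records, applies those encoding rules, and reproduces the tutorial's three changes to olcDatabase={2}hdb as one record. The placeholder hash in the usage block stands in for the value printed by slappasswd.

```python
"""Emit RFC 2849 'changetype: modify' records for ldapmodify (added example)."""
import base64

# Characters that may not start a plain (non-base64) LDIF value.
SAFE_INIT_EXCLUDED = " :<"


def needs_base64(value: str) -> bool:
    """True when RFC 2849 requires 'attr:: <base64>' instead of 'attr: value'.

    A plain value must be a SAFE-STRING: bytes 0x01-0x7F excluding CR/LF,
    not starting with space, ':' or '<', and (recommended) not ending in space.
    """
    if value == "":
        return False
    if value[0] in SAFE_INIT_EXCLUDED or value[-1] == " ":
        return True
    return any(ch in "\r\n\x00" or ord(ch) > 0x7F for ch in value)


def attr_line(attr: str, value: str) -> str:
    """Render one attribute-value line, base64-encoding when required."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Fold a long line; each continuation line starts with exactly one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def modify_record(dn: str, mods) -> str:
    """One modify record for `dn`.

    `mods` is a list of (op, attr, values) tuples with op in add/delete/replace.
    Every mod spec is closed with a '-' line, as the LDIF grammar requires when
    several mod specs share one record.
    """
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in mods:
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"unknown modify op: {op}")
        lines.append(f"{op}: {attr}")
        lines.extend(attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(fold(line) for line in lines) + "\n"


def ldif_document(records) -> str:
    """Join records with the blank line that separates LDIF records."""
    return "\n".join(records)


def tutorial_db_ldif(password_hash: str) -> str:
    """The tutorial's three changes to olcDatabase={2}hdb as a single record.

    `password_hash` is the {SSHA} string printed by slappasswd.
    """
    return modify_record("olcDatabase={2}hdb,cn=config", [
        ("replace", "olcSuffix", ["dc=lavenliu,dc=com"]),
        ("replace", "olcRootDN", ["cn=ldapadm,dc=lavenliu,dc=com"]),
        ("replace", "olcRootPW", [password_hash]),
    ])


if __name__ == "__main__":
    # Placeholder hash: substitute the value slappasswd printed for you.
    print(tutorial_db_ldif("{SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT"), end="")
```

Feeding the generated text to `ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif` gives the same three "modifying entry" lines the tutorial shows; the difference from the hand-written file is only that all three changes sit in one record, separated by `-` lines.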

Make a change to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file (again, not by editing it manually) to restrict access to the monitor database to the LDAP root user (ldapadm) and nobody else.

# vi monitor.ldif

cat >> monitor.ldif <<EOF
# the second dn.base must be the olcRootDN set in db.ldif; "by * none" denies everyone else
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=lavenliu,dc=com" read by * none
EOF

Once you have updated the file, send the configuration to the LDAP server.

[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
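The olcAccess value above is evaluated by slapd clause by clause: the first "by" clause whose subject matches the bound identity decides, and an identity that matches nothing gets no access. The script below is an added example (not from the tutorial or from OpenLDAP) that models exactly that first-match rule for the monitor ACL, so you can check who ends up with read access before loading it. It is a simplified model: only `to *`, the who-clauses `*`, `anonymous`, `users` and `dn.base="..."`, and the ordered privilege levels are supported; the DN normalisation is a cheap approximation of slapd's.

```python
"""First-match evaluation of an OpenLDAP olcAccess rule (simplified, added example)."""
import re
import shlex

# slapd's privilege levels in increasing order; granting one implies all lower ones.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The tutorial's monitor ACL, with the lavenliu.com root DN.
MONITOR_RULE = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=ldapadm,dc=lavenliu,dc=com" read by * none'
)
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def normalize_dn(dn: str) -> str:
    """Approximate DN normalisation: lower-case, no spaces around , + = separators."""
    return re.sub(r"\s*([,+=])\s*", r"\1", dn.strip()).lower()


def parse_olc_access(rule: str):
    """Split '{n}to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    tokens = shlex.split(rule)                      # honours the quoted DNs
    tokens[0] = re.sub(r"^\{\d+\}", "", tokens[0])  # drop the {n} ordering prefix
    if tokens[0] != "to":
        raise ValueError("rule must start with 'to'")
    what, clauses, i = tokens[1], [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed 'by' clause near token {i}")
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unsupported access level: {level}")
        clauses.append((who, level))
        i += 3
    return what, clauses


def who_matches(who: str, bind_dn) -> bool:
    """Does the who-clause select this identity? bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn.base="):
        wanted = normalize_dn(who[len("dn.base="):])
        return bind_dn is not None and normalize_dn(bind_dn) == wanted
    raise ValueError(f"unsupported who clause: {who}")


def access_granted(rule: str, bind_dn, needed: str = "read") -> bool:
    """True if the first matching 'by' clause grants at least `needed`.

    slapd stops at the first clause whose subject matches; if none matches,
    the implicit result is no access at all.
    """
    _, clauses = parse_olc_access(rule)
    for who, level in clauses:
        if who_matches(who, bind_dn):
            return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(needed)
    return False


if __name__ == "__main__":
    for ident in (None, ROOT_PEERCRED, "cn=ldapadm,dc=lavenliu,dc=com",
                  "uid=taoqi,ou=People,dc=lavenliu,dc=com"):
        print(f"{ident!s:60} read={access_granted(MONITOR_RULE, ident)}")
```

Running it shows the intended outcome of the ACL: the local root user over ldapi:/// and cn=ldapadm can read the monitor database, while an anonymous bind or an ordinary user such as uid=taoqi falls through to "by * none". If you had kept the DN from another domain in the second clause, the ldapadm line would print False, which is the mistake this check catches.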

Creating the LDAP certificate

Let's create a self-signed certificate for our LDAP server. The command below generates both the certificate and the private key in the /etc/openldap/certs/ directory.

[root@elk02 cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lavenliuldapcert.pem -keyout /etc/openldap/certs/lavenliuldapkey.pem -days 365
Generating a 2048 bit RSA private key
......................................+++
..........................................................................................+++
writing new private key to '/etc/openldap/certs/lavenliuldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:LavenLiu
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:elk02.lavenliu.com
Email Address []:admin@lavenliu.com

Set the owner and group permissions to ldap.

[root@elk02 cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem

Verify the created LDAP certificate under /etc/openldap/certs/. Note that the key file is listed below with mode 0644, i.e. readable by every local user; a private key should be restricted to its owner (for example mode 0600, owned by ldap).

[root@elk02 cn=config]# ll /etc/openldap/certs/*.pem
-rw-r--r-- 1 ldap ldap 1456 Sep 11 15:12 /etc/openldap/certs/lavenliuldapcert.pem
-rw-r--r-- 1 ldap ldap 1704 Sep 11 15:12 /etc/openldap/certs/lavenliuldapkey.pem

Create a certs.ldif file to configure LDAP to use secure communication with the self-signed certificate.

# vi certs.ldif
cat >> certs.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lavenliuldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lavenliuldapkey.pem
EOF

Import the configuration into the LDAP server.

[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"

Verify the configuration:

[root@elk02 cn=config]# slaptest -u
59b638fb UNKNOWN attributeDescription "CHANGETYPE" inserted.
59b638fb UNKNOWN attributeDescription "REPLACE" inserted.
59b638fb is_entry_objectclass("cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
59b638fb is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
59b638fb is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded # this is the line that matters

The following message confirms that the verification completed successfully.

config file testing succeeded

Setting up the LDAP database

Copy the sample database configuration file to /var/lib/ldap and update the file permissions.

[root@elk02 cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@elk02 cn=config]# chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas.

[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Generate a base.ldif file for your domain.

# vi base.ldif
cat >> base.ldif <<EOF
dn: dc=lavenliu,dc=com
dc: lavenliu
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=lavenliu,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=lavenliu,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=lavenliu,dc=com
objectClass: organizationalUnit
ou: Group
EOF

Build the directory structure.

[root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f base.ldif
Enter LDAP Password: 123456
adding new entry "dc=lavenliu,dc=com"
adding new entry "cn=ldapadm ,dc=lavenliu,dc=com"
adding new entry "ou=People,dc=lavenliu,dc=com"
adding new entry "ou=Group,dc=lavenliu,dc=com"

The ldapadd command prompts for the password of ldapadm (the LDAP root user); the output above shows the four entries being added.

Creating an LDAP user

Let's create an LDIF file for a new user called taoqi.

cat >> taoqi.ldif <<EOF
dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: taoqi
uid: taoqi
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/taoqi
loginShell: /bin/bash
gecos: Taoqi [Admin (at) LavenLiu]
userPassword: {SSHA}WEjZ/aebhtGztTrHsjhg4Hrtp1bk5FzL
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF

Use the ldapadd command with the file above to create the new user "taoqi" in the OpenLDAP directory.

[root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f taoqi.ldif
Enter LDAP Password: 123456
adding new entry "uid=taoqi,ou=People,dc=lavenliu,dc=com"

Assign a password to the user. (Passing the new password with -s puts it in the shell history and the process list; with -S instead, ldappasswd prompts for the new password.)

[root@elk02 cn=config]# ldappasswd -s password123 -W -D "cn=ldapadm,dc=lavenliu,dc=com" -x "uid=taoqi,ou=People,dc=lavenliu,dc=com"
Enter LDAP Password:123456

Meaning of the options:

  • -s: the new password to set for the user
  • -x: use simple authentication; the DN at the end of the command names the user whose password is changed
  • -D: distinguished name used to authenticate to the LDAP server

Verify LDAP entries.

[root@elk02 cn=config]# ldapsearch -x cn=taoqi -b dc=lavenliu,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=lavenliu,dc=com> with scope subtree
# filter: cn=taoqi
# requesting: ALL
#

# taoqi, People, lavenliu.com
dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: taoqi
uid: taoqi
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/taoqi
loginShell: /bin/bash
gecos: Raj [Admin (at) LavenLiu]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9VWdRK25qTEtOWEk3YUNrclMyUkVZS3F4VTRpR1FDeWc=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
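Two details of this output are worth understanding: ldapsearch prints userPassword with a double colon because the value is base64-encoded LDIF, and what it decodes to is the {SSHA} string produced by slappasswd (the same scheme used for the root password earlier): base64 of a SHA-1 over password plus a 4-byte salt, followed by that salt. The script below is an added example, not code from this tutorial or from OpenLDAP. It parses ldapsearch's LDIF (comments, folded lines, "::" values, the dn-less trailing "search:"/"result:" block), pulls out the stored hash, and verifies a candidate password against an {SSHA} value. The sample text is a constructed, slightly abridged copy of the output above; its userPassword value is the one the tutorial shows.

```python
"""Parse ldapsearch LDIF output and verify OpenLDAP {SSHA} hashes (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample modelled on the tutorial's ldapsearch output (abridged).
SAMPLE_LDAPSEARCH = """\
# extended LDIF
#
# LDAPv3
# base <dc=lavenliu,dc=com> with scope subtree
# filter: cn=taoqi
# requesting: ALL
#

# taoqi, People, lavenliu.com
dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: taoqi
uid: taoqi
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/taoqi
loginShell: /bin/bash
userPassword:: e1NTSEF9VWdRK25qTEtOWEk3YUNrclMyUkVZS3F4VTRpR1FDeWc=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text: str):
    """Return the entries of an LDIF document as dicts attr -> [values].

    Handles '#' comments, folded lines (leading space), 'attr:: base64' values
    and blank-line record separators; records without a dn are dropped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # '::' means base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):          # ':<' means a URL; kept verbatim
            value = rest[1:].strip()
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return [r for r in records if "dn" in r]


def user_password(text: str, uid: str) -> Optional[str]:
    """userPassword of the entry whose uid equals `uid`, or None."""
    for entry in parse_ldif(text):
        if entry.get("uid") == [uid]:
            return entry.get("userPassword", [None])[0]
    return None


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd makes it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str):
    """Split an {SSHA} value into (20-byte SHA-1 digest, trailing salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, value: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Because the salt is stored in the clear inside the value, anyone who can read userPassword can test guesses offline at SHA-1 speed, which is why the default ACLs only let a user see their own password attribute and why the monitor ACL above restricts reads so tightly.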

To delete an entry from LDAP (optional):

ldapdelete -W -D "cn=ldapadm,dc=lavenliu,dc=com" "uid=taoqi,ou=People,dc=lavenliu,dc=com"

Adding a firewall rule

Add the LDAP service to the firewall (TCP port 389).

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enabling LDAP logging

Configure rsyslog to write LDAP events to the log file /var/log/ldap.log (slapd logs to the local4 syslog facility by default).

vi /etc/rsyslog.conf
# Add the line below to /etc/rsyslog.conf, either with the editor or with echo:
echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf

Restart the rsyslog service.

systemctl restart rsyslog

Configuring the LDAP client

Install the necessary LDAP client packages on the client machine.

[root@elk03 ~]# yum install -y openldap-clients nss-pam-ldapd

Execute the command below to join the client machine to the LDAP server for single sign-on. Replace "192.168.6.35" with your LDAP server's IP address or hostname.

[root@elk03 ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.6.35 --ldapbasedn="dc=lavenliu,dc=com" --enablemkhomedir --update
getsebool: SELinux is disabled
[root@elk03 ~]# echo $?
0

Restart the LDAP client service.

[root@elk03 ~]# systemctl restart  nslcd

Verifying LDAP login

Use the getent command to fetch the user's entry from the LDAP server, then log in as the user.

[root@elk03 ~]# getent passwd taoqi
taoqi:x:9999:100:Taoqi [Admin (at) LavenLiu]:/home/taoqi:/bin/bash
[root@elk03 ~]# id taoqi
uid=9999(taoqi) gid=100(users) groups=100(users)
[root@elk03 ~]# su - taoqi
Creating directory '/home/taoqi'.
[taoqi@elk03 ~]$ pwd
/home/taoqi
