License: Attribution-NonCommercial-ShareAlike 4.0 International
This article is from Suzf Blog. Unless noted otherwise, it is original content of SUZF.NET.
OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP), released under its own OpenLDAP license and included in many popular Linux distributions. It consists mainly of four parts:
- slapd - the stand-alone LDAP daemon
- slurpd - the stand-alone LDAP update replication daemon
- libraries implementing the LDAP protocol
- utilities and sample clients
An LDAP server is essentially a non-relational database optimized for read access. It is mostly used for address-book lookups (for example by email clients) or as a back end for authenticating access to services and managing user permissions (for example, LDAP can act as the domain controller for Samba, or take the place of /etc/passwd for Linux system authentication).
Install OpenLDAP Server
```bash
yum install openldap-servers openldap-clients -y
```
Start the LDAP service and enable it at boot
```bash
systemctl start slapd.service
systemctl enable slapd.service
```
Verify that LDAP is listening
```
# ss -antup | grep -i 389
tcp    LISTEN     0      128       *:389      *:*      users:(("slapd",pid=15223,fd=8))
tcp    LISTEN     0      128      :::389     :::*      users:(("slapd",pid=15223,fd=9))
```
Create the LDAP root password
```
# slappasswd
New password:
Re-enter new password:
{SSHA}WDAwmDxHY1CFF75NCDmCZieQztBwrSPe
```
Configure the OpenLDAP server
The OpenLDAP server configuration lives under /etc/openldap/slapd.d/. To begin configuring LDAP we need to update the "olcSuffix" and "olcRootDN" attributes:
- olcSuffix: the database suffix, i.e. the domain name for which the LDAP server holds information. In short, change it to your own domain name.
- olcRootDN: the Root Distinguished Name (DN), the entry for the user who has unrestricted access to perform all administrative operations on LDAP, much like a root user.
- olcRootPW: the password for the RootDN above.
These entries end up in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. Editing the LDAP configuration by hand is not recommended, because your changes will be lost when you run the ldapmodify command. Instead, create an ldif file with the following entries.
```ldif
# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=suzf,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=suzf,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}WDAwmDxHY1CFF75NCDmCZieQztBwrSPe
```
Once you have finished editing the ldif file, run the following command to send the update to the LDAP server.
```bash
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
```
Make the following change to /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (again, not by editing the file directly; apply it with ldapmodify exactly as for db.ldif) so that access to the monitor database is restricted to the LDAP root user (ldapadm). The olcAccess value is one long line; here it is folded onto a continuation line, which LDIF allows as long as the second line starts with a single space.
```ldif
# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth" read by dn.base="cn=ldapadm,dc=suzf,dc=net" read by * none
```
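The ldif files in this post only load if they follow LDIF's framing rules: every record starts with `dn:`, records are separated by a blank line (a copy pasted without the blank lines silently becomes one record), a line beginning with a single space continues the previous line (as the olcAccess line above is folded), and `attr::` carries a base64 value. The parser and checker below are an added example written for this post, not code from the page or from OpenLDAP. The sample LDIF embedded in it is constructed from the db.ldif and monitor.ldif entries above plus one add record, and the lint rules are a small subset of what slapd itself enforces.

```python
import base64

# Constructed sample (not copied verbatim from the post): change records in the
# style of db.ldif and monitor.ldif, one of them folded onto a continuation
# line, plus an add record carrying a base64 ("::") value.
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=suzf,dc=net

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth" read by dn.base="cn=ldapadm,dc=suzf,dc=net" read by * none

dn: uid=moon,ou=Users,dc=suzf,dc=net
changetype: add
objectClass: account
uid: moon
userPassword:: e1NTSEF9VVk4MWpQM0ZnVUE5SkhwTGYwT2JuSkRYSzRsOFo4NWU=
"""


def unfold(text):
    """Join LDIF continuation lines: a line that starts with one space is the
    rest of the previous line (the leading space itself is dropped)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split LDIF into records (lists of (attribute, value) pairs). Records end
    at a blank line; 'attr:: value' values are base64 and are decoded."""
    records, current = [], []
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.append((attr.strip(), value))
    if current:
        records.append(current)
    return records


def lint_record(record):
    """Return the problems slapd would reject this record for (a subset of its
    real checks): a missing or repeated dn, a modify with no operation, an
    operation whose attribute never appears, an add without objectClass."""
    problems = []
    attrs = [a for a, _ in record]
    if not record or record[0][0] != "dn":
        return ["record does not start with dn:"]
    if attrs.count("dn") > 1:
        problems.append(f"record has {attrs.count('dn')} dn: lines; separate records with a blank line")
    values = dict(record)
    dn = values["dn"]
    ctype = values.get("changetype", "add")
    if ctype == "modify":
        ops = [(a, v) for a, v in record if a in ("add", "replace", "delete")]
        if not ops:
            problems.append(f"{dn}: modify record has no add/replace/delete operation")
        for op, target in ops:
            if op != "delete" and target not in attrs:
                problems.append(f"{dn}: '{op}: {target}' is not followed by a {target}: value")
    elif ctype == "add":
        if "objectClass" not in attrs:
            problems.append(f"{dn}: add record has no objectClass")
    else:
        problems.append(f"{dn}: unsupported changetype {ctype}")
    return problems


def lint_ldif(text):
    """Parse the whole file and return (records, problems)."""
    records = parse_ldif(text)
    problems = []
    for record in records:
        problems.extend(lint_record(record))
    return records, problems


if __name__ == "__main__":
    records, problems = lint_ldif(SAMPLE_LDIF)
    print(f"{len(records)} records, {len(problems)} problems")
    # The same text with its blank lines removed (as a pasted copy often is)
    # collapses into one record, which the checker flags.
    _, flat_problems = lint_ldif(SAMPLE_LDIF.replace("\n\n", "\n"))
    for p in flat_problems:
        print("flattened:", p)
```

Running the checker over an ldif file before `ldapmodify -Y EXTERNAL -H ldapi:///` catches the two mistakes that most often turn a config update into a confusing "invalid syntax" or "no such attribute" error: missing blank lines between records and a `replace:` whose attribute value was forgotten.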
Create the LDAP certificate
Let's issue a self-signed certificate for the LDAP server; the command below writes the certificate and the private key into /etc/openldap/certs/.
```
[root@monkey ldap]# openssl req -new -x509 -nodes -out /etc/openldap/certs/suzf_net_ldap_cert.pem -keyout /etc/openldap/certs/suzf_net_ldap_key.pem -days 3650
Generating a 2048 bit RSA private key
.....................+++
..............................................................+++
writing new private key to '/etc/openldap/certs/suzf_net_ldap_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:suzf.net
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap.suzf.net
Email Address []:[email protected]
```
Change the file ownership
```
# chown -R ldap:ldap /etc/openldap/certs/*.pem
# ll /etc/openldap/certs/*.pem
-rw-r--r-- 1 ldap ldap 1407 Apr 11 11:24 /etc/openldap/certs/suzf_net_ldap_cert.pem
-rw-r--r-- 1 ldap ldap 1704 Apr 11 11:24 /etc/openldap/certs/suzf_net_ldap_key.pem
```
Note that the key file is listed with mode 644, i.e. readable by every local account. slapd only needs the ldap user to read it, so restricting the key to mode 600 is advisable; the certificate itself is public and can stay as it is.
Create a certs.ldif file to configure LDAP to use the self-signed certificate for secure communication.
```ldif
# cat certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/suzf_net_ldap_cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/suzf_net_ldap_key.pem
```
Import the configuration into LDAP
```bash
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
```
Verify the configuration
```
# slaptest -u
config file testing succeeded
```
Set up the LDAP database
Copy the default file and fix its ownership
```bash
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. $_
```
Add the cosine and nis LDAP schemas.
```bash
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
```
Generate base.ldif file for your domain.
```ldif
# vi base.ldif
dn: dc=suzf,dc=net
dc: suzf
objectClass: dcObject
objectClass: organization
o: suzf.net

dn: cn=ldapadm ,dc=suzf,dc=net
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=Users,dc=suzf,dc=net
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=suzf,dc=net
objectClass: organizationalUnit
ou: Groups
```
Create the directory structure
The ldapadd command will prompt you for the password of ldapadm (the LDAP root user).
```
# ldapadd -x -D "cn=ldapadm,dc=suzf,dc=net" -f base.ldif -W
Enter LDAP Password:
adding new entry "dc=suzf,dc=net"
adding new entry "cn=ldapadm ,dc=suzf,dc=net"
adding new entry "ou=Users,dc=suzf,dc=net"
adding new entry "ou=Groups,dc=suzf,dc=net"
```
Create LDAP accounts
Let's create an ldif file, add_ldap_user_group.ldif, that adds a user account and a group.
```ldif
# replace the "dc=***,dc=***" parts with your own domain name
dn: uid=moon,ou=Users,dc=suzf,dc=net
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: moon
uid: moon
userPassword: {SSHA}UY81jP3FgUA9JHpLf0ObnJDXK4l8Z85e
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/moon

dn: cn=test,ou=Groups,dc=suzf,dc=net
objectClass: posixGroup
cn: Test
gidNumber: 1000
memberUid: moon
```
Create the user in the OpenLDAP directory
```
# ldapadd -x -W -D "cn=ldapadm,dc=suzf,dc=net" -f add_ldap_user_group.ldif
Enter LDAP Password:
adding new entry "uid=moon,ou=Users,dc=suzf,dc=net"
adding new entry "cn=test,ou=Groups,dc=suzf,dc=net"
```
Change the password
```
# ldappasswd -s 12345 -W -D "cn=ldapadm,dc=suzf,dc=net" -x "uid=moon,ou=Users,dc=suzf,dc=net"
Enter LDAP Password:
```
Notes:
- -s: the new password to set for the user
- -x: use simple authentication; the DN given after the options is the user whose password is changed
- -D: the distinguished name used to authenticate to the LDAP server
Passing the new password with -s leaves it in the shell history and, while the command runs, in the process list; ldappasswd -S prompts for the new password instead.
Verify LDAP entries.
```
# ldapsearch -x cn=moon -b dc=suzf,dc=net
# extended LDIF
#
# LDAPv3
# base <dc=suzf,dc=net> with scope subtree
# filter: cn=moon
# requesting: ALL
#

# moon, Users, suzf.net
dn: uid=moon,ou=Users,dc=suzf,dc=net
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: moon
uid: moon
userPassword:: e1NTSEF9VVk4MWpQM0ZnVUE5SkhwTGYwT2JuSkRYSzRsOFo4NWU=
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/moon

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Delete an account [optional]
```bash
ldapdelete -W -D "cn=ldapadm,dc=suzf,dc=net" "uid=moon,ou=Users,dc=suzf,dc=net"
```
Delete a group [optional]
```
# ldapdelete -x -W -D 'cn=ldapadm,dc=suzf,dc=net' "cn=test,ou=Groups,dc=suzf,dc=net"
Enter LDAP Password:
# echo $?
0
```
Firewall
The LDAP service listens on TCP port 389.
```bash
# CentOS7
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
# CentOS6
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
```
Enable LDAP logging
Use rsyslog to record LDAP events to /var/log/ldap.log (slapd logs to the local4 facility by default).
```bash
cat >> /etc/rsyslog.conf << EOF
local4.* /var/log/ldap.log
EOF
# restart rsyslog
systemctl restart rsyslog
```
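With local4 routed to /var/log/ldap.log, the file receives slapd's connection-level lines at its stats log level (the default): an ACCEPT line that ties a `conn=` id to the client IP, BIND lines with the DN and method (128 is a simple bind), a STARTTLS line when the client upgrades to TLS, and RESULT lines carrying the LDAP result code (49 is invalidCredentials). The script below is an added example written for this post, not code from the page or from OpenLDAP: it walks such a log once, maps each `conn=` back to its client IP, and reports addresses with repeated failed binds and simple binds sent over connections that never ran STARTTLS. The log lines embedded in it are constructed in that format for the example; the post itself shows no log content.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format slapd emits at its "stats" log level
# (the post shows no log content; these are illustrative only).
SAMPLE_LOG = """\
Apr 11 16:20:01 ldap slapd[15223]: conn=1001 fd=12 ACCEPT from IP=172.16.9.60:41234 (IP=0.0.0.0:389)
Apr 11 16:20:01 ldap slapd[15223]: conn=1001 op=0 STARTTLS
Apr 11 16:20:01 ldap slapd[15223]: conn=1001 op=0 RESULT oid= err=0 text=
Apr 11 16:20:02 ldap slapd[15223]: conn=1001 op=1 BIND dn="uid=moon,ou=Users,dc=suzf,dc=net" method=128
Apr 11 16:20:02 ldap slapd[15223]: conn=1001 op=1 RESULT tag=97 err=0 text=
Apr 11 16:21:10 ldap slapd[15223]: conn=1002 fd=13 ACCEPT from IP=203.0.113.7:50000 (IP=0.0.0.0:389)
Apr 11 16:21:10 ldap slapd[15223]: conn=1002 op=0 BIND dn="cn=ldapadm,dc=suzf,dc=net" method=128
Apr 11 16:21:10 ldap slapd[15223]: conn=1002 op=0 RESULT tag=97 err=49 text=
Apr 11 16:21:11 ldap slapd[15223]: conn=1002 op=1 BIND dn="cn=ldapadm,dc=suzf,dc=net" method=128
Apr 11 16:21:11 ldap slapd[15223]: conn=1002 op=1 RESULT tag=97 err=49 text=
Apr 11 16:21:12 ldap slapd[15223]: conn=1002 op=2 BIND dn="cn=ldapadm,dc=suzf,dc=net" method=128
Apr 11 16:21:12 ldap slapd[15223]: conn=1002 op=2 RESULT tag=97 err=49 text=
Apr 11 16:21:13 ldap slapd[15223]: conn=1002 fd=13 closed (connection lost)
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[\d.]+):\d+")
STARTTLS_RE = re.compile(r"op=\d+ STARTTLS$")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

SIMPLE_BIND = "128"  # method value for a simple (password) bind


def analyse(log_text, threshold=3):
    """Single pass over the log. Returns failed-bind counts per client IP, the
    IPs at or above `threshold`, which DNs each of them tried, and the simple
    binds that went over a connection that never ran STARTTLS."""
    conn_ip = {}                 # conn id -> client IP (from its ACCEPT line)
    tls_conns = set()            # conn ids that negotiated STARTTLS
    pending = {}                 # (conn, op) -> (ip, dn) awaiting its RESULT
    failures = Counter()
    tried_dns = defaultdict(Counter)
    cleartext_binds = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        a = ACCEPT_RE.match(rest)
        if a:
            conn_ip[conn] = a.group(1)
            continue
        if STARTTLS_RE.match(rest):
            tls_conns.add(conn)
            continue
        b = BIND_RE.match(rest)
        if b:
            op, dn, method = b.groups()
            ip = conn_ip.get(conn, "unknown")
            pending[(conn, op)] = (ip, dn)
            if method == SIMPLE_BIND and conn not in tls_conns:
                cleartext_binds.append((ip, dn))
            continue
        r = RESULT_RE.match(rest)
        if r:
            op, err = r.groups()
            ip_dn = pending.pop((conn, op), None)
            if ip_dn and err != "0":          # any non-zero result is a failed bind; 49 is the usual one
                ip, dn = ip_dn
                failures[ip] += 1
                tried_dns[ip][dn] += 1
    suspicious = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "suspicious": suspicious,
        "tried_dns": {ip: dict(c) for ip, c in tried_dns.items()},
        "cleartext_binds": cleartext_binds,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in report["suspicious"]:
        print(f"{ip}: {report['failures'][ip]} failed binds, DNs tried: {report['tried_dns'][ip]}")
    print(f"{len(report['cleartext_binds'])} simple bind(s) without STARTTLS")
```

Repeated failures against the rootdn from one address are the pattern to alert on first, since that DN is not subject to the olcAccess rules. The cleartext-bind count is just as useful after the client section below: it shows whether the clients you joined are actually using the certificate the server was given.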
Configure the LDAP server on an LDAP client
First install the required packages on the client
```bash
yum install -y openldap-clients nss-pam-ldapd
```
Run the following command to add the client machine to the LDAP server for single sign-on. Replace "ldap.suzf.net" with the IP address or hostname of the LDAP server.
```
# Exec on LDAP client nodes
# authconfig --enableldap --enableldapauth --ldapserver=ldap.suzf.net --ldapbasedn="dc=suzf,dc=net" --enablemkhomedir --update
getsebool: SELinux is disabled
```
As run here the client talks to the server over plain ldap:// on port 389, so user passwords cross the network unencrypted even though the server was given a certificate above. authconfig's --enableldaptls option switches the client to STARTTLS; the client must then trust the self-signed certificate.
Restart the LDAP client
```bash
# systemctl restart nslcd
```
Verify LDAP user login
```
# getent passwd moon
moon:x:1000:1000:moon:/home/moon:/bin/bash
[c:\~]$ ssh [email protected]
Connecting to 172.16.9.60:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Creating directory '/home/moon'.
Last login: Fri Jul 15 15:53:28 2016
```
Install the management tool phpLDAPadmin
Install the related packages
```bash
# yum install phpldapadmin httpd php -y
```
Configuration changes
# phpldapadmin # diff -ruN /etc/phpldapadmin/config.php{.old,} --- /etc/phpldapadmin/config.php.old 2017-04-11 16:00:56.887670973 +0800 +++ /etc/phpldapadmin/config.php 2017-04-11 16:02:00.618671036 +0800 @@ -394,8 +394,8 @@ Leave blank or specify 'dn' to use full DN for logging in. Note also that if your LDAP server requires you to login to perform searches, you can enter the DN to use when searching in 'bind_id' and 'bind_pass' above. */ -// $servers->setValue('login','attr','dn'); -$servers->setValue('login','attr','uid'); +$servers->setValue('login','attr','dn'); +// $servers->setValue('login','attr','uid'); /* Base DNs to used for logins. If this value is not set, then the LDAP server Base DNs are used. */ # Apache # diff -ruN /etc/httpd/conf.d/phpldapadmin.conf{.old,} --- /etc/httpd/conf.d/phpldapadmin.conf.old 2017-04-11 16:04:41.460671196 +0800 +++ /etc/httpd/conf.d/phpldapadmin.conf 2017-04-11 16:05:36.253671250 +0800 @@ -9,6 +9,7 @@ <IfModule mod_authz_core.c> # Apache 2.4 Require local + Require ip 172.16.9.0/24 </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2
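Review bot: in the config.php hunk, swapping `login,attr` from `uid` to `dn` means every phpLDAPadmin login is a full DN, which is why the post later says to log in as cn=ldapadm,dc=suzf,dc=net; the surrounding comment notes that attribute-style logins need `bind_id` and `bind_pass` for the lookup search, so state in the post that this change is what avoids storing a bind password in config.php. Consider deleting the now-commented `uid` line instead of keeping both variants in the file.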
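Review bot: in the phpldapadmin.conf hunk, `Require ip 172.16.9.0/24` is added beside `Require local` inside the `<IfModule mod_authz_core.c>` block only; since the post then serves phpLDAPadmin at http://, the rootdn password typed into the login form crosses that whole /24 in cleartext, so either narrow the range to the administrators' hosts or put the vhost behind HTTPS before opening it. The `<IfModule !mod_authz_core.c>` (Apache 2.2) block is left unchanged, which is fine on CentOS 7 but worth a comment in the post.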
Restart Apache
```bash
# systemctl restart httpd
```
Access it in a browser at http://${FQDN}/phpldapadmin. Note: the login name is a DN, e.g. cn=ldapadm,dc=suzf,dc=net.