Time: 2023-06-02 16:16:41  Source:  Views:
Note: Ubuntu 10.04 is used as the example, and the LDAP server and client are the same machine. Current OpenLDAP releases have no separate server-side configuration file; the server configuration is kept in the database itself (the cn=config tree).

1. LDAP server installation and configuration

1.1 Install the LDAP server packages

    sudo apt-get install slapd ldap-utils

1.2 Configure the LDAP server database

Load the schemas:

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

(1) Create the database

Create the file create_database.ldif under /var/lib/ldap/:

    # Load hdb backend module
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: {0}back_hdb

    # Create the hdb database and place the files under /var/lib/ldap
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=edu,dc=example,dc=org
    olcRootDN: cn=admin,dc=edu,dc=example,dc=org
    olcRootPW: {SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq

Import it:

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/create_database.ldif

Note: the hash after olcRootPW in create_database.ldif corresponds to the plaintext "example"; the slappasswd command produces the hash for a given plaintext.

(2) Initialize the database

Create the file init_database.ldif under /var/lib/ldap/:

    dn: dc=edu,dc=example,dc=org
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: edu.example.org
    dc: edu
    #description: LDAP root

    dn: ou=People,dc=edu,dc=example,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: People

    dn: ou=Groups,dc=edu,dc=example,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups

Import it:

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/init_database.ldif

(3) Modify the ACL to limit access to the database

Create the file acls.ldif under /var/lib/ldap/:

    dn: olcDatabase={1}hdb,cn=config
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.subtree="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=edu,dc=example,dc=org" write by * read

Import it:

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/acls.ldif

(4) Test the database

    sudo ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org

1.3 Using the migration tools (migrationtools)

(1) Install

    sudo apt-get install migrationtools

(2) Use the tools to migrate the users and groups of the Linux system into the LDAP server

    cd /usr/share/migrationtools/
    ./migrate_group.pl /etc/group ./group.ldif
    ./migrate_passwd.pl /etc/passwd ./passwd.ldif

In group.ldif, change the parent DN of the groups to ou=Groups,dc=edu,dc=example,dc=org; in passwd.ldif, change the parent DN of the users to ou=People,dc=edu,dc=example,dc=org. Then import both files:

    ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./group.ldif
    ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./passwd.ldif

1.4 Using the LDAP server management tool ldapscripts

(1) Install

    sudo apt-get install ldapscripts

(2) Edit the ldapscripts configuration file

    # LDAP Configuration
    # DEBIAN: values from /etc/pam_ldap.conf are used.
    SERVER="ldap://localhost"
    BINDDN="cn=admin,dc=edu,dc=example,dc=org"
    # The following file contains the raw password of the binddn
    # Create it with something like : echo -n secret > $BINDPWDFILE
    # WARNING !!!! Be careful not to make this file world-readable
    # DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
    BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
    # For older versions of OpenLDAP, it is still possible to use
    # unsecure command-line passwords by defining the following option
    # AND commenting the previous one (BINDPWDFILE takes precedence)
    #BINDPWD="secret"
    # DEBIAN: values from /etc/pam_ldap.conf are used.
    SUFFIX="dc=edu,dc=example,dc=org" # Global suffix
    GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
    USUFFIX="ou=People" # Users ou (just under $SUFFIX)
    #MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
    # User passwords generation
    # Command-line used to generate a password for added users (you may use %u for username here)
    # WARNING !!!! This is evaluated, everything specified here will be run !
    # Special value "" will ask for a password interactively
    #PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc a-zA-Z0-9 | head -c8"
    #PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
    #PASSWORDGEN="pwgen"
    #PASSWORDGEN="echo changeme"
    #PASSWORDGEN="echo %u"
    PASSWORDGEN=""

Note: to match the settings above (SERVER, BINDDN and BINDPWDFILE, highlighted in the original), the command that writes the bind password into ldapscripts.passwd is:

    echo -n example > /etc/ldapscripts/ldapscripts.passwd

(3) Use

    sudo ldapaddgroup testgroup
    sudo ldapadduser testuser testgroup
    sudo ldapsetpasswd testuser

(4) Test

    getent passwd
    getent group

2. LDAP client installation and configuration

2.1 Install the packages with apt-get

    sudo apt-get install libnss-ldapd libpam-ldapd

During installation, the wizard asks for the LDAP server IP and the corresponding base DN; at the end, for the NSS services, tick the group and passwd entries.

Note: on Ubuntu the LDAP client configuration files are /etc/nslcd.conf and /etc/nsswitch.conf, and all of the settings entered above can be changed there at any time. After a change, restart the service:

    service nslcd restart

/etc/nslcd.conf:

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5)
    # for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldap://127.0.0.1/

    # The search base that will be used for all queries.
    base dc=edu,dc=example,dc=org

    # The LDAP protocol version to use.
    #ldap_version 3

    # The DN to bind with for normal lookups.
    #binddn cn=annonymous,dc=example,dc=net
    #bindpw secret

    # SSL options
    #ssl off
    #tls_reqcert never

    # The search scope.
    #scope sub

/etc/nsswitch.conf:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd: compat ldap
    group: compat ldap
    shadow: compat
    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

2.2 After installation and configuration, verify that the LDAP server can be reached with:

    getent passwd
    getent group

If the users and groups held on the LDAP server are not listed correctly, check the following:
① Is the LDAP server running?
② Is the LDAP server's firewall off (not blocking the connection)?
③ Is the LDAP server IP configured on the client correct, and can it be pinged?
④ Is the base DN configured on the client correct?
⑤ Wrong port
⑥ Wrong protocol version

-----------------------------------------------

[Notes]
① libnss-ldap is used for name resolution; libpam-ldap uses PAM to authenticate users through LDAP.

[References]
① http://labs.opinsys.com/blog/2010/01/27/setting-up-openldap-on-ubuntu-10-04-alpha2/ reference with both server and client on Ubuntu
② http://forum.ubuntu.org.cn/viewtopic.php?p=2225140 detailed installation procedure for 10.04 and later (server and client)
③ http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client points out that when something goes wrong, look at the logs!!
④ http://www.dasairen.com/Centos/18520711220.html adding logging to the LDAP service by hand
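Section 1.2 (1) says the olcRootPW value is the slappasswd hash of "example", and section 1.4 (2) stresses that the bind-password file must not be world-readable. The following added example (not code from the original post or from OpenLDAP) reproduces the {SSHA} format slappasswd emits, so that a create_database.ldif can be checked for a cleartext olcRootPW before it is loaded, and checks the permission bits of a bind-password file such as ldapscripts.passwd. The 4-byte salt length and the use of SHA-1 are assumptions taken from the RFC 2307 style SSHA scheme; the sample password file contents are constructed.

```python
"""Added example, not code from the original post or from OpenLDAP.

{SSHA} as written by slappasswd: base64(SHA-1(password + salt) + salt),
with a 4-byte salt (assumed default).  Also a permission check for the
bind-password file that ldapscripts.conf warns must not be world-readable.
"""
import base64
import binascii
import hashlib
import hmac
import os
import stat
import tempfile

SALT_LEN = 4          # slappasswd's default salt size (assumption)
DIGEST_LEN = 20       # SHA-1 digest size


def make_ssha(password, salt=None):
    """Return a {SSHA} string for `password`, as `slappasswd -s password` would."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Return (digest, salt) from a {SSHA} value, or None if it is not well formed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def check_ssha(stored, password):
    """Constant-time check of `password` against a stored {SSHA} value."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(ldif_text):
    """True when every olcRootPW line in the LDIF text carries a well-formed
    {SSHA} value (slapd would accept a cleartext olcRootPW, so catch it here)."""
    values = [line.partition(":")[2].strip()
              for line in ldif_text.splitlines()
              if line.lower().startswith("olcrootpw:")]
    return bool(values) and all(split_ssha(v) is not None for v in values)


def secret_file_is_private(path):
    """True when `path` is a regular file with no group/other permission bits."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISREG(mode) and (mode & 0o077) == 0


def demo_secret_file_modes():
    """Write two temporary password files (constructed content), one 0600 and
    one 0644, and return which of them passes: (private_ok, world_readable_ok)."""
    results = []
    for mode in (0o600, 0o644):
        fd, path = tempfile.mkstemp()
        os.write(fd, b"example")          # constructed sample password
        os.close(fd)
        os.chmod(path, mode)
        results.append(secret_file_is_private(path))
        os.unlink(path)
    return tuple(results)


# The olcRootPW value from create_database.ldif in the post.
POST_ROOTPW = "{SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX"

if __name__ == "__main__":
    print("post's olcRootPW well formed:", split_ssha(POST_ROOTPW) is not None)
    print("matches 'example':", check_ssha(POST_ROOTPW, "example"))
    print("fresh hash for 'example':", make_ssha("example"))
    print("file modes 0600/0644 private:", demo_secret_file_modes())
```

Run as a script it checks the post's olcRootPW against "example" and prints a freshly salted hash; `rootpw_is_hashed` is the check to run over an LDIF before `ldapadd -Y EXTERNAL` loads it, and `secret_file_is_private` is the check to run on /etc/ldapscripts/ldapscripts.passwd after the `echo -n` step.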
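Two steps above are easy to get wrong on paper: section 1.3 asks for the parent DN of every entry in group.ldif and passwd.ldif to be rewritten before import, and section 1.2 (3) loads an olcAccess list whose protection of userPassword depends on rule order, because slapd applies the first "to" clause that covers the target and, within it, the first matching "by" clause. The following added example (not code from the original post, from migrationtools or from OpenLDAP) does both on LDIF text: it re-parents entries, and it reports what anonymous and authenticated users get on userPassword, so a mis-ordered ACL is caught before ldapmodify loads it. It parses only the plain "attr: value" LDIF used in the post (an assumption), the sample passwd.ldif entry is constructed, and "dc=padl,dc=com" merely stands in for whatever base the migration tool was run with.

```python
"""Added example, not code from the original post, migrationtools or OpenLDAP.
Re-parents LDIF entries (section 1.3) and evaluates olcAccess rules on
userPassword with slapd's first-match semantics (section 1.2 (3)).
Assumption: plain "attr: value" LDIF only (no "::" base64, no changetype)."""
import re


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...]; folded lines are unfolded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # LDIF continuation line
        else:
            lines.append(raw)
    records, dn, attrs = [], None, []
    for line in lines + [""]:                     # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return records


def rebase_dn(dn, old_parent, new_parent):
    """Swap a trailing parent DN (DNs compare case-insensitively)."""
    if dn.lower().endswith("," + old_parent.lower()):
        return dn[:len(dn) - len(old_parent)] + new_parent
    return dn


def rebase_ldif(text, old_parent, new_parent):
    """Rewrite every dn: line of an LDIF file; attributes are kept as they are."""
    out = []
    for dn, attrs in parse_ldif(text):
        out.append("dn: " + rebase_dn(dn, old_parent, new_parent))
        out.extend("%s: %s" % pair for pair in attrs)
        out.append("")
    return "\n".join(out)


LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ACCESS_RE = re.compile(r"^(?:\{\d+\})?\s*to\s+(?P<what>.+?)\s+(?P<bys>by\s.*)$")


def parse_access(value):
    """Split one olcAccess value into its <what> part and [(who, level), ...]."""
    m = ACCESS_RE.match(value.strip())
    if not m:
        raise ValueError("unparsable olcAccess: " + value)
    return m.group("what"), re.findall(r"by\s+(\S+)\s+(\S+)", m.group("bys"))


def what_covers(what, attr):
    """Does a <what> selector cover `attr`?  Without attrs= it covers all attributes."""
    m = re.search(r"attrs=(\S+)", what)
    if not m or m.group(1) == "*":
        return True
    return attr.lower() in [a.lower() for a in m.group(1).split(",")]


def granted_level(access_values, attr, subject):
    """Level `subject` ("anonymous" or "users") gets on `attr`: the first covering
    rule decides, and inside it the first matching by-clause; otherwise none."""
    for value in access_values:
        what, clauses = parse_access(value)
        if not what_covers(what, attr):
            continue
        for who, level in clauses:
            if who in (subject, "*"):
                return level
        return "none"                             # implicit trailing "by * none"
    return "none"                                 # no rule covered the attribute


def password_is_protected(access_values):
    """True when neither anonymous nor authenticated users reach read on userPassword."""
    return all(LEVELS.index(granted_level(access_values, "userPassword", s)) < LEVELS.index("read")
               for s in ("anonymous", "users"))


# Constructed samples: the three rules from acls.ldif in the post, and the same
# rules with the catch-all read rule moved to the front.
POST_ACL = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" '
    'write by anonymous auth by self write by * none',
    '{1}to dn.subtree="" by * read',
    '{2}to * by dn="cn=admin,dc=edu,dc=example,dc=org" write by * read',
]
MISORDERED_ACL = [POST_ACL[1], POST_ACL[0], POST_ACL[2]]

# Constructed sample of a migrate_passwd.pl entry; "dc=padl,dc=com" stands in
# for whatever base the tool was run with.
SAMPLE_PASSWD_LDIF = """\
dn: uid=alice,ou=People,dc=padl,dc=com
uid: alice
cn: alice
objectClass: account
objectClass: posixAccount
userPassword: {crypt}x
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alice
"""

if __name__ == "__main__":
    print(rebase_ldif(SAMPLE_PASSWD_LDIF, "dc=padl,dc=com", "dc=edu,dc=example,dc=org"))
    for name, acl in (("post", POST_ACL), ("misordered", MISORDERED_ACL)):
        print(name, "protected:", password_is_protected(acl),
              "anonymous gets:", granted_level(acl, "userPassword", "anonymous"))
```

With the post's ordering, anonymous binds get "auth" on userPassword (enough to bind, not to read) and other users get "none"; moving the `to dn.subtree="" by * read` rule ahead of the userPassword rule hands anonymous read access to the hashes, which is what the first-match check flags.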