8/1/12

CONFIGURING THE LDAP SERVER


1.1.         THE LDAP SERVICE

1.1.1.     CONFIGURING THE LDAP SERVER

Installing OpenLDAP

-   Check whether the openldap packages are already installed. If they are not, install them with the YUM utility or with the RPM installer.
[root@dir ~]#yum -y install openldap-servers openldap-clients
[root@dir ~]#vi /etc/sysconfig/ldap
# line 16: uncomment and change
SLAPD_LDAPI=yes
[root@dir ~]#vi /etc/openldap/slapd.conf
# create new
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
[root@dir ~]#rm -rf /etc/openldap/slapd.d/*
[root@dir ~]#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@dir ~]#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 4: change
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@dir ~]#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config
[root@dir ~]#chown -R ldap. /etc/openldap/slapd.d
[root@dir ~]#chmod -R 700 /etc/openldap/slapd.d
[root@dir ~]#/etc/rc.d/init.d/slapd start
Starting slapd:         [ OK ]
[root@dir ~]#chkconfig slapd on

Configuring OpenLDAP

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@dir ~]#slappasswd       # generate password
New password:           # enter any password
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dir ~]#vi backend.ldif
# create new
# replace the "dc=***,dc=***" parts with your own suffix
# replace "olcRootPW: ***" with the password hash generated by slappasswd above
# (entries in an LDIF file are separated by a blank line)
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=server,dc=world
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=world" write by * read
[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"
[root@dir ~]#vi frontend.ldif
# create new
# replace the "dc=***,dc=***" parts with your own suffix
# replace "userPassword: ***" with the password hash generated by slappasswd above
# (entries in an LDIF file are separated by a blank line)
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: Server

dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups
[root@dir ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password:          # password you set
adding new entry "dc=server,dc=world"
adding new entry "cn=admin,dc=server,dc=world"
adding new entry "ou=people,dc=server,dc=world"
adding new entry "ou=groups,dc=server,dc=world"
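To see what the four olcAccess lines in backend.ldif actually grant, the following Python is a small model of slapd's evaluation order, added here as an illustration; it is not OpenLDAP code and not part of the original tutorial. The DNs are the ones from backend.ldif and bind_dn=None stands for an anonymous bind; keep in mind that cn=admin is also the olcRootDN, which slapd exempts from access control entirely, so its explicit "by dn=..." clauses only document intent.

```python
# Constructed model of slapd's ACL evaluation for the four olcAccess lines in backend.ldif.
# Real slapd supports many more "to"/"by" forms, but the decision order is the real one:
# the first matching "to" clause is selected, and inside it the first matching "by" clause
# fixes the access level; if no "by" clause matches, an implicit "by * none" applies.

ADMIN = "cn=admin,dc=server,dc=world"
LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]  # slapd's ordering

# (what the rule applies to, [(who, level), ...]) in the order they appear in backend.ldif
ACL = [
    ({"attrs": "userPassword"},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"attrs": "shadowLastChange"}, [("self", "write"), ("*", "read")]),
    ({"dn.base": ""}, [("*", "read")]),                       # the root DSE
    ({"all": True}, [("dn:" + ADMIN, "write"), ("*", "read")]),
]


def target_matches(selector, entry_dn, attr):
    """Does this 'to' clause cover the requested (entry, attribute)?"""
    if "all" in selector:
        return True
    if "attrs" in selector:        # attribute rule; entry-level requests (attr=None) skip it
        return attr is not None and attr.lower() == selector["attrs"].lower()
    return entry_dn.lower() == selector["dn.base"].lower()


def who_matches(who, bind_dn, entry_dn):
    """Does this 'by' clause cover the bound identity? bind_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who[3:].lower()   # "dn:<exact dn>"


def access(bind_dn, entry_dn, attr=None):
    """Access level bind_dn gets on attr of entry_dn (attr=None for the entry itself)."""
    for selector, by_clauses in ACL:
        if not target_matches(selector, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"              # a 'to' clause matched but none of its 'by' clauses did
    return "none"


def allowed(bind_dn, entry_dn, attr, needed):
    """True when the granted level is at least `needed` ('auth' to bind, 'read' to see)."""
    return LEVELS.index(access(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Swapping the order of the last two rules with the first would change nothing, but putting "to *" first would shadow the userPassword rule and expose password hashes to every reader, which is why the most specific "to" clause comes first.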

Adding the local system users to the LDAP directory

[root@dir ~]#vi ldapuser.sh
# extract local users whose UID is in the range 500-999
# replace "SUFFIX=***" with your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=server,dc=world'
LDIF='ldapuser.ldif'
echo -n > $LDIF
# spaces in the GECOS field become "%" so that each passwd line is a single word of the loop
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
   UID1=`echo $line | cut -d: -f1`
   NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
   if [ ! "$NAME" ]
   then
      NAME=$UID1
   else
      NAME=`echo $NAME | sed -e "s/%/ /g"`
   fi
   SN=`echo $NAME | awk '{print $2}'`
   if [ ! "$SN" ]
   then
      SN=$NAME
   fi
   GIVEN=`echo $NAME | awk '{print $1}'`
   UID2=`echo $line | cut -d: -f3`
   GID=`echo $line | cut -d: -f4`
   SHELL=`echo $line | cut -d: -f7`
   HOME=`echo $line | cut -d: -f6`
   # anchor the user name at the start of the line: a bare "cent:" would also match "vincent:"
   SHADOW=`grep "^$UID1:" /etc/shadow`
   PASS=`echo "$SHADOW" | cut -d: -f2`
   LAST=`echo "$SHADOW" | cut -d: -f3`
   # the account expiry date is field 8 of /etc/shadow (field 7 is the inactivity period)
   EXPIRE=`echo "$SHADOW" | cut -d: -f8`
   FLAG=`echo "$SHADOW" | cut -d: -f9`
   if [ ! "$FLAG" ]
   then
      FLAG="0"
   fi
   WARN=`passwd -S $UID1 | awk '{print $6}'`
   MIN=`passwd -S $UID1 | awk '{print $4}'`
   MAX=`passwd -S $UID1 | awk '{print $5}'`
   echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
   echo "objectClass: inetOrgPerson" >> $LDIF
   echo "objectClass: posixAccount" >> $LDIF
   echo "objectClass: shadowAccount" >> $LDIF
   echo "uid: $UID1" >> $LDIF
   echo "sn: $SN" >> $LDIF
   echo "givenName: $GIVEN" >> $LDIF
   echo "cn: $NAME" >> $LDIF
   echo "displayName: $NAME" >> $LDIF
   echo "uidNumber: $UID2" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   echo "userPassword: {crypt}$PASS" >> $LDIF
   echo "gecos: $NAME" >> $LDIF
   echo "loginShell: $SHELL" >> $LDIF
   echo "homeDirectory: $HOME" >> $LDIF
   # an empty "shadowExpire:" value is rejected by ldapadd, so write it only when it is set
   if [ "$EXPIRE" ]
   then
      echo "shadowExpire: $EXPIRE" >> $LDIF
   fi
   echo "shadowFlag: $FLAG" >> $LDIF
   echo "shadowWarning: $WARN" >> $LDIF
   echo "shadowMin: $MIN" >> $LDIF
   echo "shadowMax: $MAX" >> $LDIF
   echo "shadowLastChange: $LAST" >> $LDIF
   echo >> $LDIF
done
[root@dir ~]#sh ldapuser.sh
[root@dir ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapuser.ldif
Enter LDAP Password:    # LDAP admin password
adding new entry "uid=cent,ou=people,dc=server,dc=world"
adding new entry "uid=fedora,ou=people,dc=server,dc=world"
adding new entry "uid=ubuntu,ou=people,dc=server,dc=world"
adding new entry "uid=debian,ou=people,dc=server,dc=world"
adding new entry "uid=fermi,ou=people,dc=server,dc=world"
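The following Python, added here as an example and not part of the tutorial, performs the same export as ldapuser.sh on constructed passwd and shadow lines, with the checks a bulk import needs: exact user-name lookup (a substring match on "cent:" also hits "vincent:"), the shadow fields mapped onto the shadowAccount attributes by position, empty fields omitted, locked accounts skipped, and non-ASCII or otherwise unsafe values base64-encoded as LDIF requires. The account names and hashes are made up.

```python
import base64
import re

SUFFIX = "dc=server,dc=world"   # same suffix as the tutorial

# Constructed stand-ins for /etc/passwd and /etc/shadow (fake accounts, fake hashes).
PASSWD = """root:x:0:0:root:/root:/bin/bash
cent:x:500:500:CentOS User,,,:/home/cent:/bin/bash
vincent:x:501:501:Vincent Đặng:/home/vincent:/bin/bash
ubuntu:x:502:502::/home/ubuntu:/bin/bash
"""
SHADOW = """root:$6$r$rh:15000:0:99999:7:::
cent:$6$c$ch:15343:0:99999:7::15500:
vincent:$6$v$vh:15343:0:99999:7:::
ubuntu:!!:15343:0:99999:7:::
"""
# /etc/shadow fields 3..9, in order, mapped onto the shadowAccount attributes
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def ldif_line(attr, value):
    """One attribute line; values RFC 2849 does not allow in plain form are base64-encoded."""
    safe = (value.isascii() and not re.search(r"[\x00\r\n]", value)
            and not value.startswith((" ", ":", "<")))
    return f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def passwd_to_ldif(passwd_text, shadow_text, low=500, high=999):
    """LDIF for the accounts with low <= UID <= high, one entry per account, blank-line separated."""
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_text.splitlines() if l}
    entries = []
    for line in passwd_text.splitlines():
        name, _, uid, gid, gecos, home, shell = line.split(":")[:7]
        if not low <= int(uid) <= high:
            continue
        sh = shadow.get(name)            # exact-name lookup, not a substring match
        if sh is None or sh[1].startswith(("!", "*")):
            continue                     # locked or passwordless account: do not migrate it
        full = gecos.split(",")[0] or name
        given, _, sn = full.partition(" ")
        attrs = [("dn", f"uid={name},ou=people,{SUFFIX}"), ("objectClass", "inetOrgPerson"),
                 ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
                 ("uid", name), ("cn", full), ("givenName", given), ("sn", sn or full),
                 ("uidNumber", uid), ("gidNumber", gid), ("homeDirectory", home),
                 ("loginShell", shell), ("userPassword", "{crypt}" + sh[1])]
        # empty shadow fields are skipped: "shadowExpire: " with no value is rejected as invalid syntax
        attrs += [(a, v) for a, v in zip(SHADOW_ATTRS, sh[2:9]) if v]
        entries.append("\n".join(ldif_line(a, v) for a, v in attrs))
    return "\n\n".join(entries) + "\n"   # blank line between entries, as ldapadd expects
```

Run it as passwd_to_ldif(open("/etc/passwd").read(), open("/etc/shadow").read()) on the server (as root, since /etc/shadow is not world-readable) and feed the result to ldapadd exactly as ldapuser.ldif is fed above.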

Adding the local groups to the LDAP directory

[root@dir ~]#vi ldapgroup.sh
# extract local groups whose GID is in the range 500-999
# replace "SUFFIX=***" with your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=server,dc=world'
LDIF='ldapgroup.ldif'
echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
   CN=`echo $line | cut -d: -f1`
   GID=`echo $line | cut -d: -f3`
   echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
   echo "objectClass: posixGroup" >> $LDIF
   echo "cn: $CN" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
   for user in ${users} ; do
      echo "memberUid: ${user}" >> $LDIF
   done
   echo >> $LDIF
done
[root@dir ~]#sh ldapgroup.sh
[root@dir ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapgroup.ldif
Enter LDAP Password:          # LDAP admin password
adding new entry "cn=cent,ou=groups,dc=server,dc=world"
adding new entry "cn=fedora,ou=groups,dc=server,dc=world"
adding new entry "cn=ubuntu,ou=groups,dc=server,dc=world"
adding new entry "cn=debian,ou=groups,dc=server,dc=world"
adding new entry "cn=fermi,ou=groups,dc=server,dc=world"

To delete a user or a group, use the following commands:

[root@dir ~]#ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "uid=cent,ou=people,dc=server,dc=world"
Enter LDAP Password:
[root@dir ~]#ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "cn=cent,ou=groups,dc=server,dc=world"
Enter LDAP Password:

Testing OpenLDAP

-   View the /etc/openldap/slapd.conf file with its default options:

-   Edit the following lines in /etc/openldap/slapd.conf:

-   Start the ldap service

-   Create the file /etc/sample.ldif with the following content:

-   Use ldapadd to add the contents of sample.ldif to the LDAP server

-   Use ldapsearch to search for the data just imported:

-   Search for the entry with “cn=bogus”

-   Delete the entry “cn=bogus,dc=example,dc=org”:

-   Verify again:
