Migrating NIS to an LDAP directory

The purpose of this article: migrate NIS accounts to a Linux LDAP directory (the "Active Directory" of Linux).

Lab environment: Linux

Server role     System     IP             Note
LDAP-SERVER     RHEL 5.4   192.168.0.1    station1.example.com
NIS-SERVER      RHEL 5.4   192.168.0.2
LDAP-CLIENT     RHEL 5.4   192.168.0.3
NIS-CLIENT      RHEL 5.4   192.168.0.4

This article proceeds in the following steps:

1. Install and configure the NIS server and client; verify that the client joins the NIS domain correctly.
2. Install and configure the LDAP server and client; verify that the client can talk to the LDAP server over an encrypted channel.
3. Migrate the accounts from the NIS server to the LDAP server; test from both clients.

Note: the configuration in this article is very detailed, so that someone with no NIS or LDAP background can follow it. It is both a review of my earlier NIS study and an experiment to consolidate the LDAP work I am doing now.

 

1. Install and configure the NIS server and client; check that the client works after joining the NIS domain

NIS (Network Information Service)

Notes:

NIS exists to provide centralized account authentication where the number of Linux hosts is not large;

Although NIS has been superseded by LDAP (the "Active Directory" of Linux), this more traditional form of centralized authentication is still worth knowing;

Network Information Service was originally called Sun Yellow Pages (yp): Sun shipped a "yellow pages" server, NIS is that same kind of server, and that is why the service name starts with yp (ypserv);

Like NFS, NIS depends on the RPC service and registers its ports with it;

Supplement: Red Hat's notes on NIS (RHS333)

Type: System V-managed services
Packages: ypserv
Daemons: ypserv, rpc.yppasswdd, rpc.ypxfrd
Scripts: ypserv, yppasswdd, ypxfrd
Ports: dynamically assigned by portmap

If a user is added on the NIS server it cannot be looked up straight away; the change has to be pushed into the NIS maps (the database), and the command for that is

make -C /var/yp/

NIS security can be tightened in three areas: TCP wrappers and iptables, static ports, and /var/yp/securenets.

The lab here binds the services to static ports and controls them with iptables; the same can of course be done with the securenets file:

/var/yp/securenets    255.255.255.0 192.168.0.0    allows access from this network

(1) NIS server setup (the configuration here mainly follows the Linux tutorial author 鳥哥, Vbird)

Required software:

         yp-tools: provides the NIS query commands;
         ypbind: provides the NIS client configuration;
         ypserv: provides the NIS server;
         rpcbind: RPC

[root@nis-server ~]# cat /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1       nis-server      localhost.localdomain localhost

#::1            localhost6.localdomain6 localhost6

192.168.0.1     station1.example.com

192.168.0.3     ldap-client

192.168.0.4     nis-client

[root@nis-server ~]#

[root@nis-server ~]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:17:19:21 

          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0

 

Here you can see the server's network settings;

[root@nis-server ~]# rpm -qa | grep yp

yp-tools-2.9-0.1

ypbind-1.19-12.el5

[root@nis-server ~]#

yp-tools and ypbind are installed by default;

[root@nis-server ~]# yum -y install ypserv

Files to configure:

         /etc/ypserv.conf
         /etc/hosts                        mainly for name resolution
         /etc/sysconfig/network            for name resolution and for setting NISDOMAIN
         /var/yp/Makefile                  used when building the map files

Main services:

         /usr/sbin/ypserv                  the NIS server daemon
         /usr/sbin/rpc.yppasswdd           an additional service for NIS clients changing passwords; through it an NIS user can change their password on the NIS server directly

Main commands:

         /usr/lib/yp/ypinit                builds the maps
         /usr/bin/yppasswd                 for NIS users; lets a user change their password

The configuration is as follows:

         A. Set the NIS domain name

[root@nis-server ~]# vim /etc/sysconfig/network
[root@nis-server ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=nis-server
NISDOMAIN=ytrbnis                                    sets the NIS domain name
YPSERV_ARGS="-p 1011"                                makes ypserv listen on port 1011 so that it can be controlled with iptables;
[root@nis-server ~]#

         B. Configure /etc/ypserv.conf

[root@nis-server ~]# vim /etc/ypserv.conf
[root@nis-server ~]# cat /etc/ypserv.conf

dns: no                                          whether NIS lookups fall back to DNS; in this lab, as is usual with NIS, DNS is not used unless there are a great many Linux hosts, and with that many hosts NIS would not be the choice anyway

# How many map file handles should be cached ?
files: 30                                        how many map files are cached; 30 is enough;

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
127.0.0.0/255.255.255.0         :       *       :       *       :       none
192.168.0.0/255.255.255.0       :       *       :       *       :       none
*                               :       *       :       *       :       deny

Each access line is: host name or IP : NIS domain name : map file name : security restriction
none means no restriction; deny refuses the request
[root@nis-server ~]#
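The access lines above are only as good as their order, so here is an added example (not code from the article) that parses a ypserv.conf fragment and answers whether a request from a given client, domain and map would be served. It uses the article's own three lines as the sample plus a second, tighter ruleset that is my own construction, not something from the page.

```python
"""Evaluate /etc/ypserv.conf access lines the way ypserv applies them.

Added example, not code from the original article.  Each access line has
four colon-separated fields:

    host : NIS domain : map : security

Lines are tried in file order and the first match decides, so the order
matters and the final "* : * : * : deny" is what makes the file a whitelist.
The security field is none (serve), port (serve only to a client using a
privileged source port, < 1024) or deny.
"""
import ipaddress
from fnmatch import fnmatch

# The access lines from the article's /etc/ypserv.conf, used as the sample.
LAB_YPSERV_CONF = """\
dns: no
files: 30
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
127.0.0.0/255.255.255.0         :       *       :       *       :       none
192.168.0.0/255.255.255.0       :       *       :       *       :       none
*                               :       *       :       *       :       deny
"""

# A constructed, tighter variant (an assumption, not from the article): the
# shadow map is served only to localhost, everything else only to clients on
# the lab subnet that ask from a privileged port, and the rest is refused.
TIGHTER_YPSERV_CONF = """\
127.0.0.0/255.0.0.0             :       *       :       shadow.byname   :       none
*                               :       *       :       shadow.byname   :       deny
192.168.0.0/255.255.255.0       :       ytrbnis :       *               :       port
*                               :       *       :       *               :       deny
"""


def parse_access_rules(text):
    """Return the four-field access lines as (host, domain, map, security).

    Option lines such as "dns: no" have two fields and are skipped; comments
    and blank lines are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) == 4:
            rules.append(tuple(fields))
    return rules


def host_matches(pattern, client_ip):
    """'*' matches every client, 'addr/netmask' a network, anything else one IP."""
    if pattern == "*":
        return True
    if "/" in pattern:
        addr, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)


def decide(rules, client_ip, domain, mapname, client_port=1023):
    """Apply the first matching line; return "serve" or "deny".

    Returns None when no line matches, which tells the caller that the file
    has no catch-all and the outcome would fall to ypserv's own default.
    """
    for host, dom, mp, security in rules:
        if host_matches(host, client_ip) and fnmatch(domain, dom) and fnmatch(mapname, mp):
            if security == "none":
                return "serve"
            if security == "port":
                return "serve" if client_port < 1024 else "deny"
            return "deny"
    return None


def ends_with_catchall_deny(rules):
    """The check worth running on any ypserv.conf: is the last line a full deny?"""
    return bool(rules) and rules[-1] == ("*", "*", "*", "deny")


if __name__ == "__main__":
    lab = parse_access_rules(LAB_YPSERV_CONF)
    for ip in ("192.168.0.4", "10.0.0.5", "127.1.2.3"):
        print(ip, decide(lab, ip, "ytrbnis", "passwd.byname"))
    tight = parse_access_rules(TIGHTER_YPSERV_CONF)
    print("shadow.byname from the subnet:", decide(tight, "192.168.0.4", "ytrbnis", "shadow.byname"))
```

Note that the article's loopback line uses a 255.255.255.0 mask, so only 127.0.0.x is covered; any other 127.x address falls through to the final deny.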

         C. Configure the hosts table so that host names map to IP addresses

[root@nis-server ~]# cat /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1       nis-server      localhost.localdomain localhost

#::1            localhost6.localdomain6 localhost6

192.168.0.1     station1.example.com

192.168.0.3     ldap-client

192.168.0.4     nis-client

[root@nis-server ~]# hostname

nis-server

[root@nis-server ~]#

         D. Start the related services: portmap (RPC), ypserv, yppasswdd

Note: to make yppasswdd start on a fixed port, we need to edit /etc/sysconfig/yppasswdd

[root@nis-server ~]# vim /etc/sysconfig/yppasswdd

[root@nis-server ~]# tail -n 1 /etc/sysconfig/yppasswdd

YPPASSWDD_ARGS="--port 1012"

[root@nis-server ~]# /etc/init.d/portmap restart

中止 portmap                                             [肯定]

啓動 portmap                                             [肯定]

[root@nis-server ~]# /etc/init.d/ypserv restart

中止 YP 服務器的服務:                                     [失敗]

設置 NIS 域名 ytrbnis                                    [肯定]

啓動 YP 服務器的服務:                                     [肯定]

[root@nis-server ~]# /etc/init.d/yppasswdd restart

中止 YP 口令服務:                                         [失敗]

啓動 YP 口令服務:                                         [肯定]

[root@nis-server ~]# chkconfig ypserv on

[root@nis-server ~]# chkconfig yppasswdd on

The services have to be started in order: portmap first, then the two services above, because ypserv registers its port with portmap;

Test whether everything is OK; if the following output appears, the services have started and are ready:

[root@nis-server ~]# rpcinfo -p localhost

   程序 版本 協議   端口

    100000    2   tcp    111  portmapper

    100000    2   udp    111  portmapper

    100004    2   udp   1011  ypserv

    100004    1   udp   1011  ypserv

    100004    2   tcp   1011  ypserv

    100004    1   tcp   1011  ypserv

    100009    1   udp   1012  yppasswdd

[root@nis-server ~]# rpcinfo -u localhost ypserv

程序 100004 版本 1 就緒並等待

程序 100004 版本 2 就緒並等待

[root@nis-server ~]#

         E. Build the maps and create test accounts

[root@nis-server ~]# useradd -u 1001 nisuser1

[root@nis-server ~]# useradd -u 1002 nisuser2

[root@nis-server ~]# useradd -u 1003 nisuser3

[root@nis-server ~]# echo password | passwd --stdin nisuser1

Changing password for user nisuser1.

passwd: all authentication tokens updated successfully.

[root@nis-server ~]# echo password | passwd --stdin nisuser2

Changing password for user nisuser2.

passwd: all authentication tokens updated successfully.

[root@nis-server ~]# echo password | passwd --stdin nisuser3

Changing password for user nisuser3.

passwd: all authentication tokens updated successfully.

Use ypinit to convert the accounts into map files

[root@nis-server ~]# /usr/lib/yp/ypinit -m

 

At this point, we have to construct a list of the hosts which will run NIS

servers.  nis-server is in the list of NIS server hosts.  Please continue to add

the names for the other hosts, one per line.  When you are done with the

list, type a <control D>.

        next host to add:  nis-server

        next host to add: 

The current list of NIS servers looks like this:

 

nis-server

 

Is this correct?  [y/n: y]  y

We need a few minutes to build the databases...

Building /var/yp/ytrbnis/ypservers...

Running /var/yp/Makefile...

gmake[1]: Entering directory `/var/yp/ytrbnis'

Updating passwd.byname...

Updating passwd.byuid...

Updating group.byname...

Updating group.bygid...

Updating hosts.byname...

Updating hosts.byaddr...

Updating rpc.byname...

Updating rpc.bynumber...

Updating services.byname...

Updating services.byservicename...

Updating netid.byname...

Updating protocols.bynumber...

Updating protocols.byname...

Updating mail.aliases...

gmake[1]: Leaving directory `/var/yp/ytrbnis'

 

nis-server has been set up as a NIS master server.

 

Now you can run ypinit -s nis-server on all slave server.

[root@nis-server ~]# echo $?

0

[root@nis-server ~]#

The conversion succeeded;

         F. Open the ports in the firewall

[root@nis-server ~]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 111,1011 -j ACCEPT

[root@nis-server ~]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 111,1011,1012 -j ACCEPT

 

With this, the NIS server setup is complete;

 

 

(2) NIS client setup

Software needed on the client: ypbind and yp-tools, both already installed by default;

Files involved:

         /etc/sysconfig/network               NIS domain name
         /etc/hosts                           name resolution
         /etc/yp.conf                         configuration file for ypbind
         /etc/sysconfig/authconfig
         /etc/pam.d/system-auth               adds NIS support to PAM
         /etc/nsswitch.conf                   account lookup order

Client commands:

         /usr/bin/yppasswd                    change the password
         /usr/bin/ypchsh                      change the login shell
         /usr/bin/ypchfn                      change the user's personal information

Editing all of these files by hand is far too much trouble on a client, so the system provides a tool for it;

Type setup to enter it:

[screenshots not reproduced]

Check whether the entries were added to the client's configuration files automatically:

[screenshot not reproduced]

Verifying the NIS client: yptest, ypwhich, ypcat

[screenshot not reproduced]

The map files produced by the conversion can be seen;

[screenshot not reproduced]

An ordinary user can change their own password in the NIS domain; the password just has to follow certain rules;

The NIS client is configured and tested successfully;

 

Now we start the second part: install and configure the LDAP server and client, and verify that the client can talk to the LDAP server over an encrypted channel;

(1) LDAP server configuration

         A. Install the RHDS (Red Hat Directory Server) suite and open the corresponding firewall ports;

Use rpm -q to verify that the openldap-clients and openldap-servers RPM packages are installed; both packages are required.

openldap-clients provides the command-line management tools; the openldap-servers RPM provides the user and group "ldap" that we will use for the directory server.

[root@station1 ~]# rpm -qa | grep openldap

openldap-servers-2.3.43-3.el5

openldap-2.3.43-3.el5

openldap-clients-2.3.43-3.el5

openldap-devel-2.3.43-3.el5

[root@station1 ~]#

[root@station1 RHDS]# yum -y install java-1.5.0-ibm-1.5.0.5-1jpp.5.el5.i386.rpm

Running Transaction

  Installing     : libXp                                                                                   1/2

  Installing     : java-1.5.0-ibm                                                                           2/2

[root@station1 RHDS]# yum -y install redhat-ds

[root@station1 RHDS]# setup-ds-admin.pl -k

 

==============================================================================

This program will set up the Red Hat Directory and Administration Servers.

 

It is recommended that you have "root" privilege to set up the software.

Tips for using this program:

  - Press "Enter" to choose the default and go to the next screen

  - Type "Control-B" then "Enter" to go back to the previous screen

  - Type "Control-C" to cancel the setup program

 

Would you like to continue with set up? [yes]:                   continue? yes

 

==============================================================================

BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY

AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE

LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS

OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

 

Do you agree to the license terms? [no]: yes                     accept the license? yes

 

==============================================================================

Your system has been scanned for potential problems, missing patches,

etc.  The following output is a report of the items found that need to

be addressed before running this software in a production

environment.

 

Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.

 

NOTICE : System is i686-unknown-linux2.6.18-164.el5 (2 processors).

 

WARNING: 503MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

 

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds

(120 minutes).  This may cause temporary server congestion from lost

client connections.

 

WARNING: There are only 1024 file descriptors (hard limit) available, which

limit the number of simultaneous connections. 

 

WARNING: There are only 1024 file descriptors (soft limit) available, which

limit the number of simultaneous connections. 

 

Would you like to continue? [no]: yes                            the system needs tuning; continue anyway? yes

 

==============================================================================

Choose a setup type:

 

   1. Express

       Allows you to quickly set up the servers using the most

       common options and pre-defined defaults. Useful for quick

       evaluation of the products.

 

   2. Typical

       Allows you to specify common defaults and options.

 

   3. Custom

       Allows you to specify more advanced options. This is

       recommended for experienced server administrators only.

 

To accept the default shown in brackets, press the Enter key.

 

Choose a setup type [2]:                                         setup type: choose Typical

 

==============================================================================

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: eros.example.com.

 

To accept the default shown in brackets, press the Enter key.

 

Computer name [station1.example.com]:                            computer name: the default

 

==============================================================================

The servers must run as a specific user in a specific group.

It is strongly recommended that this user should have no privileges

on the computer (i.e. a non-root user).  The setup procedure

will give this user/group some permissions in specific paths/files

to perform server-specific operations.

 

If you have not yet created a user and group for the servers,

create this user and group using your native operating

system utilities.

 

System User [nobody]: ldap                                       user and group the LDAP service runs as

System Group [nobody]: ldap

 

==============================================================================

Server information is stored in the configuration directory server.

This information is used by the console and administration server to

configure and manage your servers.  If you have already set up a

configuration directory server, you should register any servers you

set up or create with the configuration server.  To do so, the

following information about the configuration server is required: the

fully qualified host name of the form

<hostname>.<domainname>(e.g. hostname.example.com), the port number

(default 389), the suffix, the DN and password of a user having

permission to write the configuration information, usually the

configuration directory administrator, and if you are using security

(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port

number (default 636) instead of the regular LDAP port number, and

provide the CA certificate (in PEM/ASCII format).

 

If you do not yet have a configuration directory server, enter 'No' to

be prompted to set up one.

 

Do you want to register this software with an existing

configuration directory server? [no]:                            register with an existing configuration directory server? no

 

==============================================================================

Please enter the administrator ID for the configuration directory

server.  This is the ID typically used to log in to the console.  You

will also be prompted for the password.

 

Configuration directory server

administrator ID [admin]:                                        user name and password for the console: the default admin, password redhat

Password:

Password (confirm):

 

==============================================================================

The information stored in the configuration directory server can be

separated into different Administration Domains.  If you are managing

multiple software releases at the same time, or managing information

about multiple domains, you may use the Administration Domain to keep

them separate.

 

If you are not using administrative domains, press Enter to select the

default.  Otherwise, enter some descriptive, unique name for the

administration domain, such as the name of the organization

responsible for managing the domain.

 

Administration Domain [example.com]: station1.example.com        give the administration domain a name; anything will do

 

==============================================================================

The standard directory server network port number is 389.  However, if

you are not logged as the superuser, or port 389 is in use, the

default value will be a random unused port number greater than 1024.

If you want to use port 389, make sure that you are logged in as the

superuser, that port 389 is not in use.

 

Directory server network port [389]:                             port used by the directory service: the default is fine

 

==============================================================================

Each instance of a directory server requires a unique identifier.

This identifier is used to name the various

instance specific files and directories in the file system,

as well as for other uses as a server instance identifier.

 

Directory server identifier [station1]:                          the default

 

==============================================================================

The suffix is the root of your directory tree.  The suffix must be a valid DN.

It is recommended that you use the dc=domaincomponent suffix convention.

For example, if your domain is example.com,

you should use dc=example,dc=com for your suffix.

Setup will create this initial suffix for you,

but you may have more than one suffix.

Use the directory server utilities to create additional suffixes.

 

Suffix [dc=example, dc=com]: dc=station1,dc=example,dc=com       the directory suffix

 

==============================================================================

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and typically has a

bind Distinguished Name (DN) of cn=Directory Manager.

You will also be prompted for the password for this user.  The password must

be at least 8 characters long, and contain no spaces.

 

Directory Manager DN [cn=Directory Manager]:                     user name and password of the most privileged LDAP user; the name need not be changed, the password is at least 8 characters, and be sure not to mistype it, because no error is reported;

Password:

Password (confirm):

 

==============================================================================

The Administration Server is separate from any of your web or application

servers since it listens to a different port and access to it is

restricted.

 

Pick a port number between 1024 and 65535 to run your Administration

Server on. You should NOT use a port number which you plan to

run a web or application server on, rather, select a number which you

will remember and which will not be used for anything else.

 

Administration port [9830]: 8888                                 port for the console

 

==============================================================================

The interactive phase is complete.  The script will now set up your

servers.  Enter No or go Back if you want to change something.

 

Are you ready to set up your servers? [yes]:

Creating directory server . . .

Your new DS instance 'station1' was successfully created.

Creating the configuration directory server . . .

Beginning Admin Server creation . . .

Creating Admin Server files and directories . . .

Updating adm.conf . . .

Updating admpw . . .

Registering admin server with the configuration directory server . . .

Updating adm.conf with information from configuration directory server . . .

Updating the configuration for the httpd engine . . .

Starting admin server . . .

The admin server was successfully started.

Admin server was successfully created, configured, and started.

Exiting . . .

Log file is '/tmp/setup5YKRgD.log'

 

[root@station1 RHDS]# /etc/init.d/dirsrv restart                                                                                      start the service

Shutting down dirsrv:

    station1...                                            [肯定]

Starting dirsrv:

    station1...                                            [肯定]

[root@station1 RHDS]# /etc/init.d/dirsrv-admin restart                                                                         start the console service

Shutting down dirsrv-admin:

                                                           [肯定]

Starting dirsrv-admin:

                                                           [肯定]

[root@station1 RHDS]# chkconfig dirsrv on

[root@station1 RHDS]# chkconfig dirsrv-admin on

[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 389 -j ACCEPT

[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 636 -j ACCEPT

[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 8888 -j ACCEPT                              open the firewall ports; 636 is in preparation for the LDAP SSL encryption set up later;

[root@station1 RHDS]# service iptables save

將當前規則保存到 /etc/sysconfig/iptables                 [肯定]

[root@station1 RHDS]#

 [root@station1 RHDS]# redhat-idm-console

Java Accessibility Bridge for GNOME loaded.

 

Jun 7, 2012 10:04:04 AM java.util.prefs.FileSystemPreferences$2 run

INFO: Created user preferences directory.

[root@station1 RHDS]#

Login test:

[screenshot not reproduced]

Login succeeded;

Next we perform some basic LDAP directory operations, which also serves as a review of earlier work;

1. The ldapsearch tool: queries

[root@ldap-client ~]# ldapsearch -x 'uid=chong' -s sub -b 'ou=People,dc=station1,dc=example,dc=com' -h 192.168.0.1

Options the client has to give for a query:

-x  use simple, not SASL binds: a simple bind, not an encrypted one;
-s  scope: sub searches recursively, one searches the base itself and the level below it, base searches only the base itself
-b  dn: the point in the tree where the search starts
-h  the address of the LDAP server

Typing such a long command for every query is tedious, so we shorten it:

[root@ldap-client ~]# vim /etc/openldap/ldap.conf

[root@ldap-client ~]# cat /etc/openldap/ldap.conf

BASE    dc=station1,dc=example,dc=com

HOST    station1.example.com

[root@ldap-client ~]# ldapsearch -x 'uid=chong'

With these two lines added, you no longer have to type the long form each time;

[root@ldap-client ~]# ldapsearch -x -Z 'uid=chong'

ldap_start_tls: Protocol error (2)

        additional info: unsupported extended operation

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=chong

# requesting: ALL

#

 

# chong, People, station1.example.com

dn: uid=chong,ou=People, dc=station1,dc=example,dc=com

mail: chong@station1.example.com

uid: chong

givenName: hu

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

sn: chong

cn: hu chong

 

# search result

search: 3

result: 0 Success

 

# numResponses: 2

# numEntries: 1

[root@ldap-client ~]# ldapsearch -x -ZZ 'uid=chong'

ldap_start_tls: Protocol error (2)

        additional info: unsupported extended operation

[root@ldap-client ~]#

-Z tries to use encryption (StartTLS), -ZZ requires it; because encryption is not yet set up between client and server, the -ZZ command fails;

[root@ldap-client ~]# ldapsearch -x -LLL 'uid=chong'

dn: uid=chong,ou=People, dc=station1,dc=example,dc=com

mail: chong@station1.example.com

uid: chong

givenName: hu

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

sn: chong

cn: hu chong

 

[root@ldap-client ~]# ldapsearch -x -L 'uid=chong' | wc -l

25

[root@ldap-client ~]# ldapsearch -x -LLL 'uid=chong' | wc -l

11

[root@ldap-client ~]#

-L reduces the output; -LLL gives the least output

Note: the following commands are all things done on the server side, so there is no need to run them on the client;

2. ldapdelete: delete an entry from the directory

Example: delete a user

[root@station1 ~]# vim /etc/openldap/ldap.conf

[root@station1 ~]# tail -n 2 /etc/openldap/ldap.conf

BASE    dc=station1,dc=example,dc=com

HOST    station1.example.com

[root@station1 ~]# vim .ldaprc

[root@station1 ~]# cat .ldaprc

BINDDN  cn=Directory Manager

[root@station1 ~]# pwd

/root

Server-side settings before the deletion;

[root@station1 ~]# ldapsearch -x 'uid=sun' | grep dn

dn: uid=sun,ou=People, dc=station1,dc=example,dc=com

[root@station1 ~]#

[root@station1 ~]# echo 'uid=sun,ou=People, dc=station1,dc=example,dc=com' > delete.ldif

[root@station1 ~]# cat delete.ldif

uid=sun,ou=People, dc=station1,dc=example,dc=com

[root@station1 ~]# ldapdelete -x -W -f delete.ldif

Enter LDAP Password:

[root@station1 ~]# ldapsearch -x 'uid=sun'

[root@station1 ~]#

The steps explained: look up the DN of the entry, write that DN into a file, then run ldapdelete with that file;

3. Another tool, ldapmodrdn, changes an RDN

A user's uid, for example, is an RDN; the man page of this command has an example that helps to learn it quickly:

EXAMPLE

       Assuming that the file /tmp/entrymods exists and has the contents:

 

           cn=Modify Me,dc=example,dc=com

           cn=The New Me

 

       the command:

 

           ldapmodrdn -r -f /tmp/entrymods

 

       will change the RDN of the "Modify Me" entry from "Modify Me" to "The New Me" and the old cn, "Modify Me" will be removed.

That is the example from the man page of the command;

[root@station1 ~]# vim rdn.ldif

[root@station1 ~]# cat rdn.ldif

uid=chong,ou=People, dc=station1,dc=example,dc=com

uid=xiaohu

[root@station1 ~]# ldapmodrdn -x -r -W -f rdn.ldif

Enter LDAP Password:

[root@station1 ~]# ldapsearch -x 'uid=chong'

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=chong

# requesting: ALL

#

 

# search result

search: 2

result: 0 Success

 

# numResponses: 1

 

4. Another tool, ldapadd: create a new entry

 

[root@station1 ~]# ldapsearch -x 'uid=tclow' -LLL

dn: uid=tclow, ou=People, dc=station1,dc=example,dc=com

cn: Torrey Clow

sn: Clow

givenName: Torrey

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

ou: Human Resources

ou: People

l: Santa Clara

uid: tclow

mail: tclow@example.com

telephoneNumber: +1 408 555 8825

facsimileTelephoneNumber: +1 408 555 1992

roomNumber: 4376

manager: uid=trigden, ou=People, dc=station1,dc=example,dc=com

 

[root@station1 ~]# ldapsearch -x 'uid=tclow' -LLL > addr.ldif

[root@station1 ~]# vim addr.ldif

[root@station1 ~]# ldapadd -x -W -c -f addr.ldif

Enter LDAP Password:

adding new entry "uid=shmadmin, ou=People, dc=station1,dc=example,dc=com"

 

[root@station1 ~]# ldapsearch -x 'uid=shmadmin' | wc -l

28

[root@station1 ~]#

 

5. Another tool: ldapmodify

It can perform several LDAP operations: add, delete, replace attributes, and so on.

This time I describe the tool in more detail;

The three forms of syntax:

changetype: add                  add an entry
changetype: delete               delete an entry

changetype: modify
add: attribute
attribute: newvalue
-
replace: attribute
attribute: newvalue
-
delete: attribute

Below I test each of them:

[root@station1 ~]# ldapsearch -x 'uid=xiaohu' > modify.ldif

[root@station1 ~]# vim modify.ldif

[root@station1 ~]# ldapmodify -x -W -f modify.ldif

Enter LDAP Password:

modifying entry "uid=xiaohu,ou=People, dc=station1,dc=example,dc=com"

 

[root@station1 ~]# cat modify.ldif

# xiaohu, People, station1.example.com

dn: uid=xiaohu,ou=People, dc=station1,dc=example,dc=com

changetype: modify

replace: mail

mail: 1109958878@qq.com

-

delete: telephoneNumber

telephoneNumber: 123456789

-

[root@station1 ~]# ldapsearch -x 'uid=xiaohu'

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=xiaohu

# requesting: ALL

#

 

# xiaohu, People, station1.example.com

dn: uid=xiaohu,ou=People, dc=station1,dc=example,dc=com

mail: 1109958878@qq.com

givenName: hu

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

sn: chong

cn: hu chong

uid: xiaohu

mobile: 1111111

title: ddddd

 

# search result

search: 2

result: 0 Success

 

# numResponses: 2

# numEntries: 1

[root@station1 ~]#

All the changes have been applied as intended;
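To make the changetype: modify semantics concrete, here is an added example (not code from the article) that parses the article's modify.ldif and applies it to a constructed copy of the xiaohu entry, rejecting the invalid cases (adding a value that already exists, deleting one that is not there) the way the server would; the entry contents before the change are my assumption based on the ldapsearch output above.

```python
"""Parse and apply an LDIF "changetype: modify" record (added example, not
code from the original article).  A record is a "dn:" line, "changetype:
modify", then blocks of "add|replace|delete: attr", "attr: value" lines and
a "-".  Blocks apply in order: delete with values removes only those values
and fails if one is absent, delete with none removes the attribute, replace
installs the listed values, add fails on a value already present.  A modify
is all-or-nothing on the server, so a failure leaves the entry untouched.
"""
import copy

class LdifError(ValueError): pass

# Constructed sample: the article's "xiaohu" entry as it looked before
# modify.ldif ran (telephoneNumber holds the value the article deletes).
ENTRY_BEFORE = {
    "dn": ["uid=xiaohu,ou=People, dc=station1,dc=example,dc=com"],
    "mail": ["chong@station1.example.com"], "givenName": ["hu"],
    "objectClass": ["top", "person", "organizationalPerson", "inetorgperson"],
    "sn": ["chong"], "cn": ["hu chong"], "uid": ["xiaohu"],
    "mobile": ["1111111"], "title": ["ddddd"], "telephoneNumber": ["123456789"],
}

# The article's modify.ldif, verbatim.
MODIFY_LDIF = """\
# xiaohu, People, station1.example.com
dn: uid=xiaohu,ou=People, dc=station1,dc=example,dc=com
changetype: modify
replace: mail
mail: 1109958878@qq.com
-
delete: telephoneNumber
telephoneNumber: 123456789
-
"""

def split_attr(line):
    """'attr: value' -> ('attr', 'value'); raises on a line with no colon."""
    name, sep, value = line.partition(":")
    if not sep:
        raise LdifError(f"not an attribute line: {line!r}")
    return name.strip(), value.strip()

def parse_modify_record(text):
    """Return (dn, [(op, attribute, [values]), ...]) for one modify record."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    if len(lines) < 2 or split_attr(lines[0])[0].lower() != "dn" \
            or split_attr(lines[1]) != ("changetype", "modify"):
        raise LdifError("expected 'dn:' followed by 'changetype: modify'")
    dn, changes, block = split_attr(lines[0])[1], [], None
    for line in lines[2:]:
        if line == "-":                       # end of one change block
            if block is None:
                raise LdifError("stray '-' separator")
            changes.append(block)
            block = None
            continue
        attr, value = split_attr(line)
        if block is None:                     # first line of a block names the op
            if attr not in ("add", "replace", "delete"):
                raise LdifError(f"expected add/replace/delete, got {attr!r}")
            block = (attr, value, [])
        elif attr.lower() != block[1].lower():
            raise LdifError(f"value for {attr!r} inside a block for {block[1]!r}")
        else:
            block[2].append(value)
    if block is not None:                     # a missing final '-' is tolerated
        changes.append(block)
    return dn, changes

def apply_modify(entry, dn, changes):
    """Return a modified copy, or raise LdifError with the original untouched."""
    if entry["dn"][0] != dn:
        raise LdifError("record dn does not name this entry")
    new = copy.deepcopy(entry)
    for op, attr, values in changes:
        # attribute names are case-insensitive: find the spelling the entry uses
        key = next((k for k in new if k.lower() == attr.lower()), None)
        if op == "add":
            if key and any(v in new[key] for v in values):
                raise LdifError(f"attributeOrValueExists: {attr}")
            new.setdefault(key or attr, []).extend(values)
        elif op == "replace":
            new.pop(key, None)
            if values:
                new[attr] = list(values)
        elif key is None or any(v not in new[key] for v in values):   # delete
            raise LdifError(f"noSuchAttribute: {attr} {values}")
        else:
            new[key] = [v for v in new[key] if v not in values] if values else []
            if not new[key]:
                del new[key]
    return new

def apply_record(entry, text):
    """Parse then apply; return ("ok", new_entry) or ("error", message)."""
    try:
        dn, changes = parse_modify_record(text)
        return "ok", apply_modify(entry, dn, changes)
    except LdifError as exc:
        return "error", str(exc)
```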

With the operations above we have covered the basic LDAP server operations: search, delete, add and modify. Next we continue with SASL and ACI.

The encryption mechanism gives encrypted transport between the LDAP server and its clients, which is safer; ACI policies make sure that not all information is open to every user, for instance sensitive data such as passwords and telephone numbers;

First experiment: encrypted data transport between client and server;

Encryption first needs a certificate, and a certificate needs a certificate authority (CA); in this experiment my LDAP server is also the CA;

1. Create the CA

[root@station1 ~]# rpm -qa | grep openssl                       openssl is used to generate the keys

openssl-0.9.8e-12.el5

openssl-devel-0.9.8e-12.el5

[root@station1 ~]# cd /etc/pki/

[root@station1 pki]# ls

CA  nssdb  rpm-gpg  tls

[root@station1 pki]# cd tls/

[root@station1 tls]# ls

cert.pem  certs  misc  openssl.cnf  private

[root@station1 tls]# vim openssl.cnf

[root@station1 tls]# cd ..

[root@station1 pki]# ls

CA  nssdb  rpm-gpg  tls

[root@station1 pki]# pwd

/etc/pki

[root@station1 pki]# cd CA/

[root@station1 CA]# ls

private

[root@station1 CA]# mkdir {certs,crl,newcerts}

[root@station1 CA]# touch index.txt

[root@station1 CA]# echo 01 > serial

[root@station1 CA]# ls

certs  crl  index.txt  newcerts  private  serial

[root@station1 CA]# (umask 077; openssl genrsa -out private/my-ca.key)                                        create the CA's private key

Generating RSA private key, 512 bit long modulus

.............++++++++++++

.++++++++++++

e is 65537 (0x10001)

[root@station1 CA]# cd private/

[root@station1 private]# ls

my-ca.key

[root@station1 private]# cd ..

[root@station1 CA]# ls

certs  crl  index.txt  newcerts  private  serial

[root@station1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt                  generate the CA's self-signed certificate (its public key) from the CA private key

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [ShanDong]:

Locality Name (eg, city) [yantai]:

Organization Name (eg, company) [chong, Inc.]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:station1.example.com  

Email Address []:

[root@station1 CA]# ls

certs  crl  index.txt  my-ca.crt  newcerts  private  serial

[root@station1 CA]#

 [root@station1 CA]# rpm -qa | grep openssl

openssl-0.9.8e-12.el5

openssl-devel-0.9.8e-12.el5

[root@station1 CA]# pwd

/etc/pki/CA

[root@station1 CA]# ls

certs  crl  index.txt  my-ca.crt  newcerts  private  serial

[root@station1 CA]#

After these steps the CA has been created, together with the CA's private key and certificate; here the CA is the same machine as the LDAP server, but the key pair above belongs to the CA.

Step 2: generate the certificate request file station1.csr on the LDAP server

[screenshot not reproduced]

First enter the password that protects the LDAP private key: redhat

[screenshots not reproduced]

Click Request to open the certificate request wizard; it shows that a csr file will be generated; click Next to continue

[screenshots not reproduced]

Step 3: the CA signs the certificate request produced by the LDAP server, generating the LDAP server's certificate (its signed public key), which is sent to the LDAP server

[root@station1 ~]# openssl ca -in station1.csr -out station1.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jun 11 03:04:23 2012 GMT

            Not After : Jun 11 03:04:23 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = ShanDong

            organizationName          = chong, Inc.

            organizationalUnitName    = IT

            commonName                = station1.example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                42:D5:8A:6F:96:DC:1B:FD:43:2A:2B:C6:44:36:F1:D4:D8:42:C7:70

            X509v3 Authority Key Identifier:

                keyid:60:95:AB:5A:79:41:1E:9E:14:51:87:74:8C:1A:C6:88:C1:4B:B9:EE

 

Certificate is to be certified until Jun 11 03:04:23 2013 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@station1 ~]# ls

addr.ldif        delete.ldif  Example.ldif  install.log.syslog  rdn.ldif      station1.csr

anaconda-ks.cfg  Desktop      install.log   modify.ldif         station1.crt

[root@station1 ~]#

The CA has signed the LDAP server's certificate request and produced the server certificate station1.crt (the server's public key, bound to its name and signed by my-ca).

Step 4: install the CA certificate (my-ca.crt) and the signed server certificate (station1.crt) on the LDAP server

[screenshots: Directory Server console, installing the CA certificate and the server certificate]

Step 5: enable TLS on the LDAP server

[screenshot: Directory Server console, encryption settings]

Step 6: restart the service. On the first restart dirsrv prompts for the PIN of the NSS software token (the key-database password entered in step 2). Writing that PIN to pin.txt lets the server start unattended, so the file must be readable by root only, hence the chmod 400 below.

[root@station1 ~]# /etc/init.d/dirsrv restart

Shutting down dirsrv:

    station1...                                            [  OK  ]

Starting dirsrv:

    station1...Enter PIN for Internal (Software) Token:

                                                           [  OK  ]

[root@station1 ~]# vim /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# vim /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# cat /etc/dirsrv/slapd-station1/pin.txt

Internal (Software) Token:redhat

[root@station1 ~]# chmod 400 /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# service dirsrv restart

Shutting down dirsrv:

    station1...                                            [  OK  ]

Starting dirsrv:

    station1...                                            [  OK  ]

[root@station1 ~]#

Step 7: client test

[root@ldap-client ~]# scp 192.168.0.1:/etc/pki/CA/my-ca.crt /root/

[root@ldap-client ~]# cp my-ca.crt /etc/openldap/cacerts/

[root@ldap-client ~]# cd /etc/openldap/cacerts/

[root@ldap-client cacerts]# ls

my-ca.crt

[root@ldap-client cacerts]# vim /etc/openldap/ldap.conf

[root@ldap-client cacerts]# tail -n 3 /etc/openldap/ldap.conf

BASE    dc=station1,dc=example,dc=com

HOST    station1.example.com

TLS_CACERT      /etc/openldap/cacerts/my-ca.crt

[root@ldap-client cacerts]#

Test successful: the client now talks to the server over TLS. ldapsearch -x -ZZ (used further below) insists on StartTLS and fails with a certificate error if the CA certificate is missing from TLS_CACERT or the server name does not match the certificate, so it is a quick check that the encryption is actually in force. The second major experiment is complete.

Now the final experiment: migrate the accounts from NIS-SERVER to LDAP-SERVER and test from both clients.

The main steps: join ldap-server to the NIS domain, export the NIS domain's user information into files with the same format as the local /etc/passwd, /etc/group and /etc/shadow, then import them with the migration scripts shipped in /usr/share/openldap/migration.

1. Join LDAP-SERVER to the NIS domain

[root@station1 ~]# authconfig-tui

Stopping portmap:                                        [  OK  ]

Starting portmap:                                        [  OK  ]

Binding to the NIS domain:                               [  OK  ]

Listening for an NIS domain server.

2. Obtain the user, password and group files

[root@station1 ~]#

[root@station1 ~]# ypcat passwd

nisuser3:$1$8xCDhab.$KzPfmanT1hRlDlRYvY8mU.:1003:1003::/home/nisuser3:/bin/bash

nisuser1:$1$LxBjkOYD$nobktqZXdTxhjJXjOiyfi1:1001:1001::/home/nisuser1:/bin/bash

nisuser2:$1$eLc7c2ti$ONm9/c2266YUn/oyep21//:1002:1002::/home/nisuser2:/bin/bash

Dump the NIS domain's user, password and group information into files whose format matches the local passwd and group files. Note what the output above shows: ypcat passwd hands the MD5-crypt hashes to any host that can bind to the NIS domain, with no authentication at all. Treat hashes exported this way as already exposed and plan a password change once the accounts live in LDAP.

[root@station1 ~]# ypcat passwd > passwd.nis                        user file

[root@station1 ~]# vim passwd.nis

[root@station1 ~]# ypcat group > group.nis                              group file

[root@station1 ~]# cat group.nis

nisuser3:!:1003:

nisuser1:!:1001:

nisuser2:!:1002:

[root@station1 ~]# sed -r 's/\$1\$.{8}\$.{22}/x/g' passwd.nis  > passwd.nis.new

[root@station1 ~]# mv passwd.nis.new passwd.nis

mv: overwrite `passwd.nis'? y

[root@station1 ~]# cat passwd.nis

nisuser3:x:1003:1003::/home/nisuser3:/bin/bash

nisuser1:x:1001:1001::/home/nisuser1:/bin/bash

nisuser2:x:1002:1002::/home/nisuser2:/bin/bash

Generate the shadow file from the passwd file:

[root@station1 ~]# for i in $( cut -d: -f1-2 /root/passwd.nis );do

> echo "$i:$(( $(date +%s) / 86400 )):0:99999:7:::"

> done > /root/shadow.nis

Each shadow line is name:hash:lastchg:min:max:warn:inactive:expire:reserved, with lastchg computed as days since the epoch. Be aware that, because the sed step above has already replaced the hashes in passwd.nis with x, this loop writes x into the password field of shadow.nis; that is why the migrated entries later show x instead of an MD5-crypt hash in getent shadow. To carry the real hashes over, run the loop against the ypcat passwd output before replacing the hashes, and keep the resulting shadow.nis readable by root only (chmod 600), exactly as /etc/shadow is.

The files are ready: passwd.nis, shadow.nis and group.nis.
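The conversion above as a reusable script, added here as an example and not part of the original post: it reads the ypcat passwd and ypcat group maps and writes passwd.nis, shadow.nis and group.nis, taking the shadow hash from the map before the hash is replaced with x, so the MD5-crypt hashes survive the migration. The filters are plain awk so they can be checked on saved map files; the ypcat-driven run happens only when the script is invoked with --run OUTDIR. The 7-field passwd map and 4-field group map layouts are assumed from the output shown above.

```shell
#!/bin/bash
# nis2files.sh: turn the NIS passwd and group maps into passwd.nis, shadow.nis and group.nis
# in the format of the local /etc files. Added example, not the post's own script. Assumes the
# 7-field ypcat passwd output shown above (MD5-crypt hash in field 2) and a 4-field group map.
# Usage: ./nis2files.sh --run OUTDIR   (the filters can also be run on saved map files)
set -eu

# Days since the epoch: the shadow "last changed" field, as in the post's loop.
epoch_days() { echo $(( $(date +%s) / 86400 )); }

# stdin: passwd map; stdout: passwd-style lines with the hash replaced by x.
nis_to_passwd() {
  awk -F: 'BEGIN { OFS = ":" } NF >= 7 { $2 = "x"; print }'
}

# stdin: passwd map; stdout: shadow-style lines that keep the original hash.
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# An empty or already-stripped hash becomes "!" (account locked) instead of an empty
# password field, which in a local shadow file would mean "no password required".
nis_to_shadow() {         # nis_to_shadow DAYS
  awk -F: -v d="$1" 'NF >= 7 {
      h = $2
      if (h == "" || h == "x") h = "!"
      printf "%s:%s:%s:0:99999:7:::\n", $1, h, d
  }'
}

# stdin: group map; stdout: the same lines, dropping anything that is not name:pw:gid:members.
nis_to_group() {
  awk -F: 'NF >= 4 { print }'
}

main() {                  # main OUTDIR
  local out=$1 days map
  days=$(epoch_days)
  mkdir -p "$out"
  map=$(mktemp "$out/passwd.map.XXXXXX")             # raw map with hashes; removed when done
  ypcat passwd > "$map"
  nis_to_shadow "$days" < "$map" > "$out/shadow.nis"   # hashes first, while they still exist
  nis_to_passwd < "$map" > "$out/passwd.nis"
  ypcat group | nis_to_group > "$out/group.nis"
  chmod 600 "$out/shadow.nis"
  rm -f "$map"
  echo "wrote $out/passwd.nis $out/shadow.nis $out/group.nis"
}

if [ "${1:-}" = "--run" ]; then
  main "${2:-.}"
fi
```

Run it on the LDAP server after it has joined the NIS domain (`./nis2files.sh --run /root`) and point migrate_passwd.pl at the generated shadow.nis as in step 3 below; the output files then feed migrate_passwd.pl and migrate_group.pl unchanged.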

3. Prepare the migration

[root@station1 ~]# find /  -type d -name migration

/usr/share/openldap/migration

[root@station1 ~]# cd /usr/share/openldap/migration/

[root@station1 migration]# ls

base.ldif                       migrate_automount.pl        migrate_passwd.pl

migrate_aliases.pl              migrate_base.pl             migrate_profile.pl

migrate_all_netinfo_offline.sh  migrate_common.ph           migrate_protocols.pl

migrate_all_netinfo_online.sh   migrate_fstab.pl            migrate_rpc.pl

migrate_all_nis_offline.sh      migrate_group.pl            migrate_services.pl

migrate_all_nis_online.sh       migrate_hosts.pl            migrate_slapd_conf.pl

migrate_all_nisplus_offline.sh  migrate_netgroup_byhost.pl  migration-tools.txt

migrate_all_nisplus_online.sh   migrate_netgroup_byuser.pl  README

migrate_all_offline.sh          migrate_netgroup.pl

migrate_all_online.sh           migrate_networks.pl

[root@station1 migration]# vim migrate_common.ph

       $NAMINGCONTEXT{'group'}             = "ou=Groups";

 

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "station1.example.com";

 

# Default base

$DEFAULT_BASE = "dc=station1,dc=example,dc=com";

 

# turn this on to support more general object clases

# such as person.

$EXTENDED_SCHEMA = 1;

 

[root@station1 migration]# ./migrate_base.pl > /root/base.ldif

[root@station1 migration]# vim migrate_passwd.pl

    open(SHADOW, "/root/shadow.nis") || return;

[root@station1 migration]# ./migrate_passwd.pl /root/passwd.nis /root/passwd.ldif

 

[root@station1 migration]# ./migrate_group.pl /root/group.nis /root/group.ldif

[root@station1 migration]#

Import the migration files to perform the migration (-c keeps going after an entry that already exists or fails to add):

[root@station1 migration]# ldapadd -x -W -c -f /root/base.ldif

[root@station1 migration]# ldapadd -x -W -c -f /root/passwd.ldif

[root@station1 migration]# ldapadd -x -W -c -f /root/group.ldif

[root@station1 migration]#

After a successful import the directory contains the users. Local test: the users exist, but they still need home directories (and a shell), otherwise they cannot log in. Configure the client with system-config-authentication.

[screenshots: system-config-authentication, LDAP settings]

Note: the LDAP server must be entered here as the hostname on its certificate, station1.example.com, and not as an IP address, otherwise users cannot log in. With TLS enabled the client verifies that the server certificate's CN matches the name it connected to, and 192.168.0.1 does not match station1.example.com.

This point is very important; it took me a week to work out. Maddening!

If LDAP users cannot log in on the client, the cause is one of the following: the IP address used in the screenshot above, or users with no home directory and shell information. The error looks like this:

Jun 27 18:46:31 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

Jun 27 18:46:35 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...

Jun 27 18:46:43 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

Test whether the client can query the directory and resolve the users. The ldapsearch below uses -ZZ, so it only succeeds if StartTLS works; the uid searched for does not exist, so no entry comes back, but the search itself completes:

[root@nis-client cacerts]# ldapsearch -x -ZZ 'uid=xiama'

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=xiama

# requesting: ALL

#

 

# search result

search: 3

result: 0 Success

 

# numResponses: 1

[root@nis-client cacerts]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@nis-client cacerts]#

The test succeeds!

Let us continue the experiment.

Running getent shadow on a client currently exposes shadow information. To keep anonymous binds from seeing it, the directory must restrict those attributes and the client must bind with a dedicated account that alone is allowed to read them.

1.Preparing the LDAP directory server

Create the administrative bind account on the configured LDAP server:

redhat-idm-console

Configuration -> Passwords: select crypt as the password storage scheme, so that passwords written by the clients (pam_password crypt, set below) are stored in the same {crypt} form as the hashes imported from NIS.

Add a new account client-root (uid=client-root,dc=station1,dc=example,dc=com).

Add a new ACI that grants client-root read access to the password and shadow attributes, and modify the ACI used by anonymous users so that it excludes those attributes.

The result after the change:

[screenshots: ACI editor showing the anonymous ACI and the new client-root ACI]

Change the ACIs as shown above. Done.
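The ACI change as an ldapmodify LDIF, added as an example and not the post's own configuration (the console screenshots are not reproduced). It assumes a Red Hat/389 Directory Server whose suffix still carries the stock "Enable anonymous access" ACI, the base dc=station1,dc=example,dc=com, the client-root account created above and cn=Directory Manager as the administrative DN; all of these are assumptions taken from the lab, not facts the post states. The deleted ACI value must match the server's existing one byte for byte, so run the script's show mode first and compare.

```shell
#!/bin/bash
# restrict-shadow-aci.sh: hide password/shadow attributes from anonymous binds and grant them
# to the client bind account only. Added example, not the post's own configuration.
# Assumptions: Red Hat/389 Directory Server with the stock "Enable anonymous access" ACI still
# on the suffix, base dc=station1,dc=example,dc=com, bind account uid=client-root under it,
# and the admin DN cn=Directory Manager. Usage: ./restrict-shadow-aci.sh show|print|apply|verify
set -eu

BASE_DN=${BASE_DN:-dc=station1,dc=example,dc=com}
CLIENT_DN=${CLIENT_DN:-uid=client-root,$BASE_DN}
ADMIN_DN=${ADMIN_DN:-cn=Directory Manager}
# The hash plus the attributes nss_ldap turns into getent shadow fields.
SHADOW_ATTRS='userPassword || shadowLastChange || shadowMin || shadowMax || shadowWarning || shadowInactive || shadowExpire || shadowFlag'

# LDIF that swaps the stock anonymous ACI for one excluding SHADOW_ATTRS and adds a read grant
# for the client account. "delete: aci" with a value removes only that exact string, so compare
# it with the output of show_acis before applying; a mismatch fails the whole modify.
aci_ldif() {              # aci_ldif BASE_DN CLIENT_DN
  local base=$1 client=$2
  cat <<EOF
dn: $base
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-
add: aci
aci: (targetattr != "$SHADOW_ATTRS")(version 3.0; acl "Anonymous read without password data"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "$SHADOW_ATTRS")(version 3.0; acl "Client bind account reads password data"; allow (read, search, compare) userdn = "ldap:///$client";)
EOF
}

# Current ACIs on the suffix: the values an ldapmodify delete has to match.
show_acis() { ldapsearch -x -ZZ -D "$ADMIN_DN" -W -b "$BASE_DN" -s base -LLL aci; }

apply_acis() { aci_ldif "$BASE_DN" "$CLIENT_DN" | ldapmodify -x -ZZ -D "$ADMIN_DN" -W; }

# After applying: the number of userPassword values an anonymous StartTLS search can see.
# Expected 0; repeat with -D "$CLIENT_DN" -W to confirm the client account still sees them.
verify() {
  ldapsearch -x -ZZ -LLL -b "$BASE_DN" '(uid=*)' userPassword | grep -c '^userPassword:' || true
}

case "${1:-}" in
  show)   show_acis ;;
  print)  aci_ldif "$BASE_DN" "$CLIENT_DN" ;;
  apply)  apply_acis ;;
  verify) verify ;;
esac
```

Note that userdn = "ldap:///anyone" covers anonymous and authenticated binds alike, so after this change ordinary users can no longer read each other's shadow attributes either; only client-root (and Directory Manager, which bypasses ACIs) can. The stock self-write ACI on userPassword is left in place so users can still change their own password.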

Configuring clients for LDAP authentication

system-config-authentication

Select LDAP for user information and for authentication.

Edit the configuration file /etc/ldap.conf:

tls_checkpeer yes            verify the server certificate over TLS

tls_cacertfile   /etc/openldap/cacerts/my-ca.crt             CA certificate used for that check

pam_password crypt                          password hashing scheme: crypt

[root@ldap-client cacerts]# vim /etc/ldap.conf

[root@ldap-client cacerts]# cat /etc/ldap.conf | grep rootbinddn

rootbinddn uid=client-root,dc=station1,dc=example,dc=com

[root@ldap-client cacerts]#

chmod 600, owner root, group root:

/etc/ldap.secret holds the plaintext password of rootbinddn, which nss_ldap uses to bind when the calling process runs as root (this is what makes getent shadow work for root);

[root@ldap-client cacerts]# cat /etc/ldap.secret

root

[root@ldap-client cacerts]#

The password I set here is root, i.e. the LDAP password of client-root. That is a lab value: every client holding /etc/ldap.secret can read every password hash in the directory with it, so on a real deployment this account needs a strong password and an ACI that grants it read access only.

下面進行測試

[root@ldap-client cacerts]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@ldap-client cacerts]#

[root@ldap-client cacerts]#

[root@ldap-client cacerts]# getent shadow | grep nisuser

nisuser3:x:15502::99999:7:::

nisuser1:x:15502::99999:7:::

nisuser2:x:15502::99999:7:::

[root@ldap-client cacerts]#

 

Compare the two clients: on ldap-client, which binds as client-root, getent shadow returns the password field and the ageing fields; on nis-client, which has no rootbinddn and therefore binds anonymously, they are hidden. The password field reads x rather than an MD5-crypt hash because shadow.nis was generated after the hashes in passwd.nis had been replaced with x (see the note on the shadow loop above); with the real hashes migrated, this field shows the {crypt} hash.

[root@nis-client ~]# getent shadow | grep nisuser

nisuser3:*:::::::

nisuser1:*:::::::

nisuser2:*:::::::

[root@nis-client ~]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@nis-client ~]#
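A client-side check for the three settings this section found to matter, added as an example and not the post's own code: the server must be named by the FQDN on its certificate rather than by IP, tls_checkpeer must be yes with a readable CA certificate, and /etc/ldap.secret must be root-only mode 600. It assumes the RHEL 5 nss_ldap/pam_ldap file layout (/etc/ldap.conf with "key value" lines, /etc/ldap.secret, the CA certificate under /etc/openldap/cacerts); the live anonymous-leak check needs ldapsearch and the TLS setup from the previous section and runs only with --run.

```shell
#!/bin/bash
# check-ldap-client.sh: check the nss_ldap/pam_ldap client settings this section depends on.
# Added example, not the post's own code. Assumes the RHEL 5 layout: /etc/ldap.conf with
# "key value" lines, /etc/ldap.secret holding the rootbinddn password, CA certificate under
# /etc/openldap/cacerts. Usage: ./check-ldap-client.sh --run [BASE_DN]
set -u

# Value of KEY in an nss_ldap-style config; keys compared case-insensitively, first hit wins.
conf_value() {            # conf_value FILE KEY
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

check_ldap_conf() {       # check_ldap_conf FILE
  local f=$1 rc=0 host cacert
  host=$(conf_value "$f" host)
  [ -n "$host" ] || host=$(conf_value "$f" uri | sed -E 's#^ldaps?://([^:/ ]+).*#\1#')
  # An IP literal never matches the certificate CN (station1.example.com): with tls_checkpeer
  # the handshake fails and nss_ldap logs "reconnecting to LDAP server" until it gives up.
  if printf '%s' "$host" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "FAIL: host/uri is an IP literal ($host); use the FQDN in the server certificate"; rc=1
  fi
  if [ "$(conf_value "$f" tls_checkpeer)" != "yes" ]; then
    echo "FAIL: tls_checkpeer is not yes (server certificate would not be verified)"; rc=1
  fi
  cacert=$(conf_value "$f" tls_cacertfile)
  if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
    echo "FAIL: tls_cacertfile missing or unreadable (${cacert:-unset})"; rc=1
  fi
  return $rc
}

# The secret file is a reusable credential for every hash in the directory: root-only, mode 600.
check_secret() {          # check_secret FILE [OWNER]   (OWNER defaults to root)
  local f=$1 want=${2:-root} mode owner
  [ -e "$f" ] || { echo "FAIL: $f not found"; return 1; }
  mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f")
  if [ "$mode" != "600" ] || [ "$owner" != "$want" ]; then
    echo "FAIL: $f is owned by $owner with mode $mode; expected $want, mode 600"; return 1
  fi
  return 0
}

# Live check: an anonymous StartTLS search must succeed but return no userPassword values.
check_anonymous_leak() {  # check_anonymous_leak BASE_DN
  local out
  out=$(ldapsearch -x -ZZ -LLL -b "$1" '(uid=*)' userPassword 2>/dev/null) \
    || { echo "FAIL: anonymous StartTLS search failed (check CA certificate and server name)"; return 1; }
  if printf '%s\n' "$out" | grep -q '^userPassword:'; then
    echo "FAIL: anonymous bind can read userPassword; restrict it in the server ACI"; return 1
  fi
  echo "OK: userPassword not visible to anonymous binds"
}

main() {                  # main BASE_DN
  local rc=0
  check_ldap_conf /etc/ldap.conf || rc=1
  check_secret /etc/ldap.secret  || rc=1
  check_anonymous_leak "$1"      || rc=1
  return $rc
}

if [ "${1:-}" = "--run" ]; then
  main "${2:-dc=station1,dc=example,dc=com}"
  exit $?
fi
```

Run it as root on each client (`./check-ldap-client.sh --run`); a zero exit means the client names the server correctly, verifies its certificate, protects the bind password, and the server no longer leaks hashes to anonymous binds.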

 

This part of the experiment ends here; it was also a review of what I learned earlier.

Because the server ran into problems midway, the review and the experiment were delayed by a long time, a whole week; I feel quite bad about it!

 

Tomorrow I start on LECTURE 8 KERBEROS AND LDAP.
