LDAP Unified Authentication Architecture and Implementation Guide (Part 1)

1. Introduction to LDAP directory services
What is a directory service?
  A directory is a special kind of database designed for browsing and searching data. Microsoft's well-known Active Directory, for example, is one kind of directory database. A directory service stores information in a tree; the directory holds attribute-based descriptive information and supports advanced filtering.

What is LDAP?
  LDAP is the Lightweight Directory Access Protocol, usually just called LDAP. It is based on the X.500 standard but is much simpler and can be customised as needed. Unlike X.500, LDAP supports TCP/IP, which is essential for access over the Internet. The core LDAP specifications are defined in RFCs, and all LDAP-related RFCs can be found on the LDAPman RFC page.

1) The LDAP models and extension framework
Information model: defines the format and character set of information in the LDAP directory and how directory information is represented (the schema: object classes, attributes, matching rules and syntaxes)
Naming model: how information is organised, i.e. the directory information tree (DIT), DN- and RDN-based naming, and the Internet representation of LDAP information
Functional model: the protocol used to perform operations, and the client-side API for those operations
Security framework: protects the information in the directory; several authentication methods plus a TLS-based communication-protection framework
LDAP extension framework: extensibility based on controls and extended operations

2) How LDAP stores data
  LDAP stores data as a tree, with the actual information held in entries. A directory information tree consists of many entries; each entry represents one object, has a unique distinguished name (DN), and is made up of several attributes, each with one or more values.
  An LDAP directory server stores network information in a directory database in order to provide the directory service; the directory information tree and its related concepts form the information model of the LDAP protocol.
Note: dc (domain component) is one component of a domain name, obtained by splitting the full domain name into parts; uid is the user ID; ou (organizational unit) is an organisational unit; cn (common name) is a common name; sn (surname) is a surname; dn (distinguished name) is the unique distinguished name; rdn (relative DN) is the relative distinguished name; c (country) is the country; o (organization) is the organisation name.

2. A closer look at LDAP
1) The basic LDAP models
  The LDAP architecture consists of four basic models: the information model, the naming model, the functional model and the security model. The information model describes how LDAP represents information; the naming model describes how LDAP data is organised; the functional model describes how LDAP data is accessed and manipulated; the security model describes LDAP's security mechanisms.
(1) Information model
  The LDAP information model defines the data types that can be stored in the directory and the basic unit of information. Information in LDAP is organised as a tree, and the basic unit of data in that tree is the entry (the collection of information about one object). Each entry consists of attributes, each attribute holds values, and each attribute type has its own syntax and matching rules. The information in an entry usually describes a real-world object.
(2) Naming model
  In LDAP every entry has its own DN and RDN (Relative Distinguished Name). The DN is the entry's unique name within the whole tree, while the RDN is its unique name under its parent node.
    dn: the unique identifier of each entry; for example, the dn of linuxprobe in the figure above is:
    cn=linuxprobe,ou=marketing,ou=people,dc=mydomain,dc=org
    rdn: normally the leftmost part of the dn; the rdn of linuxprobe in the figure above is:
    cn=linuxprobe
    base DN: the base DN, i.e. the top-level root; the base DN in the figure above is:
    dc=mydomain,dc=org
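As an added example (not part of the original article), the following Python code splits a DN into its RDNs the way the naming model describes, so the RDN, the parent DN and the relationship to the base DN can be checked programmatically. It follows the RFC 4514 string form, in which a backslash escapes the next character, so a comma inside a value does not split an RDN; only attribute types are case-folded, values are compared as written. The function names are my own.

```python
# Added example, not from the original article: DN handling for the naming
# model above (DN, RDN, parent, base DN). Function names are my own.

def split_dn(dn):
    """Split a DN string into its RDNs, leftmost first.
    A backslash escapes the following character (RFC 4514), so
    'cn=Smith\\, John,ou=people' yields two RDNs, not three."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def rdn_of(dn):
    """The RDN is the leftmost component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The parent entry's DN is everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def normalize(dn):
    """Case-fold attribute types and strip spaces around '=' and ',',
    so 'CN=x, DC=y' and 'cn=x,dc=y' compare equal. Values are kept as-is."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(parts)


def is_under(dn, base_dn):
    """True when dn is base_dn itself or lies below it in the DIT.
    This is an RDN-aware suffix test: 'dc=etiantian,dc=org' does not
    match 'dc=xetiantian,dc=org', which a plain string endswith() would."""
    d = split_dn(normalize(dn))
    b = split_dn(normalize(base_dn))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    dn = "cn=linuxprobe,ou=marketing,ou=people,dc=mydomain,dc=org"
    print("rdn:   ", rdn_of(dn))
    print("parent:", parent_dn(dn))
    print("under base:", is_under(dn, "dc=mydomain,dc=org"))
```

The RDN-aware suffix test in is_under is the check to use when an application decides whether a bound DN belongs to the directory it trusts; a plain string suffix comparison accepts look-alike suffixes.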
(3) Functional model
Describes the operations that the LDAP protocol can perform on the directory: 4 categories with 10 operations in total.
Update operations: add entry, delete entry, modify entry, modify entry name
Query operations: search, compare
Authentication operations: bind, unbind
Other operations: abandon, and extended operations
Note: apart from the extended operation, the other 9 are standard LDAP operations; the extended operation is the standard extension framework LDAP provides for adding new functionality.
(4) Security model
LDAP's security model is realised mainly through authentication, secure channels and access control.
Authentication:
  Anonymous authentication: suited to fully public data with no security concerns and no access-permission requirements
  Simple authentication: identity is established with a distinguished name (DN) and password; password verification is further divided into simple (plaintext) password and digest password authentication
  SASL (Simple Authentication and Security Layer) authentication: authentication carried out on top of an SSL/TLS secure channel, including authentication with digital certificates
  Communication security: LDAP provides SSL/TLS-based protection of communication. SSL/TLS is built on PKI and is the security service most widely used on the Internet today. LDAP can start TLS on an existing connection via StartTLS; the resulting channel provides confidentiality and integrity for data in transit and can also provide mutual authentication of client and server.
Access-control standard: there is currently no standard for access control, but LDAP access control is very flexible and rich. In LDAP, access control is implemented with access-control policy statements, whereas RDBMSs and application systems implement it with access control lists.

2) Application areas of LDAP
LDAP is widely used to manage fundamental, critical information.
Information security: digital certificate management, authorisation management, single sign-on
Network resource management: mail systems, DNS, network user management, telephone directories.
Scientific computing: DCE (Distributed Computing Environment), UDDI (Universal Description, Discovery and Integration)
E-government resource management: intranet organisation information services, e-government directory systems, population base registers, legal-entity base registers
LDAP is so widely used for managing user and network resource information because it offers efficient queries, a tree-structured information model, a distributed deployment framework, and fine-grained, flexible access control.

3. Setting up the OpenLDAP environment
1. Environment preparation
[root@ldap ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@ldap ~]# uname -r
2.6.32-642.el6.x86_64
[root@ldap ~]# hostname
ldap.serverphp


2. Server installation and configuration
[root@ldap ~]# getenforce
Enforcing
[root@ldap ~]# setenforce 0
[root@ldap ~]# service iptables stop
[root@ldap ~]# service ip6tables stop
[root@ldap ~]# chkconfig iptables off
[root@ldap ~]# chkconfig ip6tables off
[root@ldap ~]# getenforce
Permissive
[root@ldap ~]# ntpdate time.windows.com
[root@ldap ~]# date
Tue Nov  1 23:26:22 CST 2016
[root@ldap ~]# crontab -e
#time sync
*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1
[root@ldap ~]# echo "192.168.0.111 etiantian.org" >>/etc/hosts
[root@ldap ~]# tail -1 /etc/hosts
192.168.0.111 etiantian.org
[root@ldap ~]# ping etiantian.org
PING etiantian.org (192.168.0.111) 56(84) bytes of data.
64 bytes from etiantian.org (192.168.0.111): icmp_seq=1 ttl=64 time=0.054 ms
64 bytes from etiantian.org (192.168.0.111): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from etiantian.org (192.168.0.111): icmp_seq=3 ttl=64 time=0.036 ms
64 bytes from etiantian.org (192.168.0.111): icmp_seq=4 ttl=64 time=0.038 ms

--- etiantian.org ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5567ms
rtt min/avg/max/mdev = 0.036/0.040/0.054/0.006 ms
[root@ldap ~]# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@ldap ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
[root@ldap ~]# yum makecache
[root@ldap ~]# rpm -qa |grep openldap
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64
[root@ldap ~]# yum -y install openldap openldap-*
[root@ldap ~]# yum -y install nscd nss-pam-ldapd nss-* pcre pcre-*
[root@ldap ~]# yum -y install nscd nss-pam-ldapd nss-* pcre pcre-* --exclude=nss-softokn-freebl --skip-broken
[root@ldap ~]# yum -y install nss-pkcs11-devel
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# ll
total 20
drwxr-xr-x. 2 root root 4096 Nov  1 23:46 certs
-rw-r-----. 1 root ldap  121 May 11 07:32 check_password.conf
-rw-r--r--. 1 root root  280 May 11 07:32 ldap.conf
drwxr-xr-x. 2 root root 4096 Nov  1 23:46 schema
drwx------. 3 ldap ldap 4096 Nov  1 23:46 slapd.d
[root@ldap openldap]# ll slapd.d/
total 8
drwx------. 3 ldap ldap 4096 Nov  1 23:46 cn=config
-rw-------. 1 ldap ldap 1281 Nov  1 23:46 cn=config.ldif
[root@ldap openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf  // the OpenLDAP 2.3-style configuration file; in 2.4 the configuration lives in /etc/openldap/slapd.d/cn=config
[root@ldap openldap]# slappasswd --help
slappasswd: invalid option -- '-'
Usage: slappasswd [options]
  -c format     crypt(3) salt format
  -g            generate random password
  -h hash       password scheme
  -n            omit trailing newline
  -o <opt>[=val] specify an option with a(n optional) value
        module-path=<pathspec>
        module-load=<filename>
  -s secret     new password
  -u            generate RFC2307 values (default)
  -v            increase verbosity
  -T file       read file for new password
Generate the administrator password hash (note the generated value, it is needed later):
Method 1:
[root@ldap openldap]# slappasswd -s 123456
{SSHA}lIMVmm0Xk6gdurluKsvVWAsPTo5lUvJo
Then put the hash generated above into slapd.conf, as follows:
rootpw  {SSHA}lIMVmm0Xk6gdurluKsvVWAsPTo5lUvJo
Method 2:
[root@ldap openldap]# slappasswd -s 123456|sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>slapd.conf
[root@ldap openldap]# tail -1 slapd.conf
rootpw  {SSHA}mDsZ2A7nq6PCQ9CQmLTZThIDqHbxvHT3
[root@ldap openldap]# cp slapd.conf slapd.conf.ori
[root@ldap openldap]# vim slapd.conf
114 #database       bdb
115 #suffix         "dc=my-domain,dc=com"
116 #checkpoint     1024 15
117 #rootdn         "cn=Manager,dc=my-domain,dc=com"
118 #add start by linuxzkq 2016/11/2
119 database   bdb
120 suffix     "dc=etiantian,dc=org"
121 rootdn     "cn=admin,dc=etiantian,dc=org"
122 #add end by linuxzkq 2016/11/2
Tip: the above is the full configuration change. Note in particular that the position of a parameter within the file must not be moved arbitrarily.
Blank lines and comment lines starting with "#" are ignored. A line that starts with whitespace is treated as a continuation of the previous line (even if the previous line is a comment).
[root@ldap openldap]# diff slapd.conf.ori slapd.conf
114,117c114,123
< database      bdb
< suffix                "dc=my-domain,dc=com"
< checkpoint    1024 15
< rootdn                "cn=Manager,dc=my-domain,dc=com"
---
> #database     bdb
> #suffix               "dc=my-domain,dc=com"
> #checkpoint   1024 15
> #rootdn               "cn=Manager,dc=my-domain,dc=com"
> #add start by linuxzkq 2016/11/2
> database       bdb  // the backend database type to use
> suffix     "dc=etiantian,dc=org"  // the suffix (naming context) this database serves
> rootdn     "cn=admin,dc=etiantian,dc=org"  // the administrator DN; this DN is used to log in to the OpenLDAP server
> #add end by linuxzkq 2016/11/2
>
LDAP administrator: admin, password: 123456
[root@ldap openldap]# egrep -v "^$|#" slapd.conf
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
database   bdb
suffix     "dc=etiantian,dc=org"
rootdn     "cn=admin,dc=etiantian,dc=org"
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
rootpw  {SSHA}mDsZ2A7nq6PCQ9CQmLTZThIDqHbxvHT3

OpenLDAP parameter tuning:
a. Logging and cache parameters
[root@ldap openldap]# cat >>slapd.conf<<EOF
> #add start by linuxzkq 2016/11/2
> loglevel      296
> cachesize     1000
> checkpoint    2048   10
> #add end by linuxzkq 2016/11/2
> EOF
[root@ldap openldap]# tail -6 slapd.conf
rootpw  {SSHA}mDsZ2A7nq6PCQ9CQmLTZThIDqHbxvHT3
#add start by linuxzkq 2016/11/2
loglevel      296
cachesize     1000
checkpoint    2048   10
#add end by linuxzkq 2016/11/2
b. Authorisation and security parameters
Table 6.3: Access Entity Specifiers
Specifier                   Entities
*                           All, including anonymous and authenticated users
anonymous                   Anonymous (non-authenticated) users
users                       Authenticated users
self                        User associated with target entry  // the user itself
dn[.<basic-style>]=<regex>  Users matching a regular expression
dn.<scope-style>=<DN>       Users within scope of a DN

Table 6.4: Access Levels
Level       Privileges  Description
none        =0          no access
disclose    =d          needed for information disclosure on error
auth        =dx         needed to authenticate (bind)
compare     =cdx        needed to compare
search      =scdx       needed to apply search filters
read        =rscdx      needed to read search results
write       =wrscdx     needed to modify/rename
manage      =mwrscdx    needed to manage

A simple example:
    access to * by * read
This access directive grants read access to everyone.
    access to *
        by self write
        by anonymous auth
        by * read

This directive allows the user to modify their own entry, allows anonymous users to authenticate against these entries, and allows everyone else to read these entries. Note that only the first by <who> clause that matches applies, so anonymous users are granted auth, not read. The last clause could equally have been "by users read".
[root@ldap openldap]# vi slapd.conf
Delete lines 98 to 108:
98 database config
99 access to *
100       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
101        by * none
102
103 # enable server status monitoring (cn=monitor)
104 database monitor
105 access to *
106         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
107         by dn.exact="cn=Manager,dc=my-domain,dc=com" read
108         by * none
Then add the following:
access to *
     by self write
     by anonymous auth
     by * read
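To make the "first matching by clause wins" rule concrete, here is an added example (my own code, not from the article or from OpenLDAP) that parses the access directive used above and evaluates it for a given requester and target entry. Access levels are modelled with the cumulative privilege letters from Table 6.4 (read = rscdx, auth = dx, and so on), which is what makes "auth" insufficient for "read". The specifiers supported are *, anonymous, users, self and dn.exact="..."; everything else is outside this small model.

```python
# Added example (not from the article or OpenLDAP): a small evaluator for the
# slapd.conf "access to * by ..." directive above. Only the FIRST matching
# "by <who>" clause applies; if none matches, slapd denies access.
import re

# Cumulative privilege letters, as in Table 6.4 of the OpenLDAP admin guide.
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "write": "wrscdx", "manage": "mwrscdx",
}

# The directive the article installs in slapd.conf.
ARTICLE_ACL = """
access to *
    by self write
    by anonymous auth
    by * read
"""


def parse_access(text):
    """Parse one 'access to *' directive into an ordered list of (who, level)."""
    clauses = []
    for line in text.splitlines():
        m = re.match(r'\s*by\s+(\S+)\s+(\w+)\s*$', line)
        if m:
            who, level = m.groups()
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            clauses.append((who, level))
    return clauses


def _norm(dn):
    # Simplified DN comparison: case-fold and drop whitespace around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unbound) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(target_dn)
    m = re.match(r'dn\.exact="([^"]*)"', who)
    if m:
        return requester_dn is not None and _norm(requester_dn) == _norm(m.group(1))
    raise ValueError("unsupported <who> specifier: " + who)


def granted_level(clauses, requester_dn, target_dn):
    """Walk the clauses in order; the first match decides, otherwise 'none'."""
    for who, level in clauses:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"


def permits(level, needed):
    """Levels are cumulative: 'level' permits an operation needing 'needed'
    when it carries every privilege letter that 'needed' carries."""
    return set(LEVELS[needed]) <= set(LEVELS[level])


if __name__ == "__main__":
    acl = parse_access(ARTICLE_ACL)
    user = "uid=test1,ou=People,dc=etiantian,dc=org"
    print("anonymous on user entry:", granted_level(acl, None, user))
    print("user on own entry:     ", granted_level(acl, user, user))
    print("anonymous may read?    ", permits(granted_level(acl, None, user), "read"))
```

Two points worth keeping in mind when reading the result: the rootdn (cn=admin here) is never subject to these access directives, and "by self write" lets each user modify every attribute of their own entry, including userPassword, which is what the article relies on for self-service password changes.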

Configure rsyslog to record the LDAP service log (slapd logs to the local4 syslog facility by default):
[root@ldap openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori
[root@ldap openldap]# echo "# record ldap.log by linuxzkq 2016/11/2" >>/etc/rsyslog.conf
[root@ldap openldap]# echo "local4.*          /var/log/ldap.log">> /etc/rsyslog.conf
[root@ldap openldap]# tail -2 /etc/rsyslog.conf
# record ldap.log by linuxzkq 2016/11/2
local4.*          /var/log/ldap.log
[root@ldap openldap]# /etc/init.d/rsyslog restart
Shutting down system logger:                       [  OK  ]
Starting system logger:                            [  OK  ]
[root@ldap openldap]# ll /var/log/ldap.log
-rw-------. 1 root root 0 Nov  2 23:13 /var/log/ldap.log
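Once slapd's stats logging (loglevel bit 256, included in the 296 set above) lands in /var/log/ldap.log, the file becomes a useful detection source. The following added example (my own code, not from the article) pairs each BIND with its RESULT line and counts binds that ended in err=49 (invalid credentials) per source IP and DN. The log lines are constructed for this example in the shape slapd's stats logging produces via syslog; they were not captured from the article's server.

```python
# Added example (not part of the article): scan slapd stats-log lines written
# to /var/log/ldap.log for failed binds. SAMPLE_LOG is constructed here and
# mirrors the shape of slapd's conn=/op= stats lines; it is not real output.
import re
from collections import Counter

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
# tag=97 is the LDAP bindResponse; err=49 is invalidCredentials.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

SAMPLE_LOG = """\
Nov  3 23:05:01 ldap slapd[3186]: conn=1001 fd=12 ACCEPT from IP=192.168.0.50:40122 (IP=0.0.0.0:389)
Nov  3 23:05:01 ldap slapd[3186]: conn=1001 op=0 BIND dn="uid=test1,ou=People,dc=etiantian,dc=org" method=128
Nov  3 23:05:01 ldap slapd[3186]: conn=1001 op=0 RESULT tag=97 err=49 text=
Nov  3 23:05:02 ldap slapd[3186]: conn=1001 op=1 BIND dn="uid=test1,ou=People,dc=etiantian,dc=org" method=128
Nov  3 23:05:02 ldap slapd[3186]: conn=1001 op=1 RESULT tag=97 err=49 text=
Nov  3 23:05:02 ldap slapd[3186]: conn=1001 op=2 BIND dn="uid=test1,ou=People,dc=etiantian,dc=org" method=128
Nov  3 23:05:02 ldap slapd[3186]: conn=1001 op=2 RESULT tag=97 err=49 text=
Nov  3 23:05:03 ldap slapd[3186]: conn=1002 fd=13 ACCEPT from IP=192.168.0.111:52210 (IP=0.0.0.0:389)
Nov  3 23:05:03 ldap slapd[3186]: conn=1002 op=0 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Nov  3 23:05:03 ldap slapd[3186]: conn=1002 op=0 BIND dn="cn=admin,dc=etiantian,dc=org" mech=SIMPLE ssf=0
Nov  3 23:05:03 ldap slapd[3186]: conn=1002 op=0 RESULT tag=97 err=0 text=
Nov  3 23:05:04 ldap slapd[3186]: conn=1003 fd=14 ACCEPT from IP=192.168.0.50:40130 (IP=0.0.0.0:389)
Nov  3 23:05:04 ldap slapd[3186]: conn=1003 op=0 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Nov  3 23:05:04 ldap slapd[3186]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""


def failed_binds(lines):
    """Return Counter{(source_ip, bind_dn): failures} for binds with err=49."""
    conn_ip = {}        # conn id -> client IP, learned from the ACCEPT line
    pending = {}        # (conn, op) -> DN of a bind awaiting its RESULT
    failures = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                failures[(conn_ip.get(m.group(1), "?"), dn)] += 1
    return failures


def sources_over_threshold(failures, threshold):
    """Source IPs whose total failed binds reach the threshold, sorted."""
    per_ip = Counter()
    for (ip, _dn), n in failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    found = failed_binds(SAMPLE_LOG.splitlines())
    for (ip, dn), n in sorted(found.items()):
        print("%-15s %-45s %d" % (ip, dn, n))
    print("over threshold 3:", sources_over_threshold(found, 3))
```

Pairing on (conn, op) rather than matching BIND and RESULT lines by adjacency matters because slapd interleaves lines from concurrent connections in the same file.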

Configure the LDAP database directory:
[root@ldap openldap]# grep "directory" slapd.conf|grep -v "#"
directory       /var/lib/ldap
[root@ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap openldap]# ll /var/lib/ldap
total 4
-rw-r--r--. 1 root root 845 Nov  2 23:17 DB_CONFIG
[root@ldap openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@ldap openldap]# chmod 700 /var/lib/ldap/DB_CONFIG
[root@ldap openldap]# ll /var/lib/ldap
total 4
-rwx------. 1 ldap ldap 845 Nov  2 23:17 DB_CONFIG
[root@ldap openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@ldap openldap]# slaptest -u  // test whether the configuration file is valid
config file testing succeeded
Final complete LDAP configuration file:
[root@ldap openldap]# egrep -v "^$|^.*#" slapd.conf
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
    access to *
        by self write
        by anonymous auth
        by * read
database   bdb
suffix     "dc=etiantian,dc=org"
rootdn     "cn=admin,dc=etiantian,dc=org"
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
rootpw  {SSHA}mDsZ2A7nq6PCQ9CQmLTZThIDqHbxvHT3
loglevel      296
cachesize     1000
checkpoint    2048   10
[root@ldap openldap]# diff slapd.conf.ori slapd.conf
98,108c98,101
< database config
< access to *
<       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
<       by * none
<
< # enable server status monitoring (cn=monitor)
< database monitor
< access to *
<       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
<         by dn.exact="cn=Manager,dc=my-domain,dc=com" read
<         by * none
---
>     access to *
>         by self write
>         by anonymous auth
>         by * read
114,117c107,116
< database      bdb
< suffix                "dc=my-domain,dc=com"
< checkpoint    1024 15
< rootdn                "cn=Manager,dc=my-domain,dc=com"
---
> #database     bdb
> #suffix               "dc=my-domain,dc=com"
> #checkpoint   1024 15
> #rootdn               "cn=Manager,dc=my-domain,dc=com"
> #add start by linuxzkq 2016/11/2
> database   bdb
> suffix     "dc=etiantian,dc=org"
> rootdn     "cn=admin,dc=etiantian,dc=org"
> #add end by linuxzkq 2016/11/2
>
141a141,145
> #add start by linuxzkq 2016/11/2
> loglevel      296
> cachesize     1000
> checkpoint    2048   10
> #add end by linuxzkq 2016/11/2
[root@ldap openldap]# /etc/init.d/slapd start
Starting slapd:                                    [  OK  ]
[root@ldap openldap]# netstat -tunlp|grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3002/slapd          
tcp        0      0 :::389                      :::*                        LISTEN      3002/slapd          
[root@ldap openldap]# lsof -i:389
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   3002 ldap    7u  IPv4  22382      0t0  TCP *:ldap (LISTEN)
slapd   3002 ldap    8u  IPv6  22383      0t0  TCP *:ldap (LISTEN)
[root@ldap openldap]# ps -ef|grep ldap|grep -v grep
ldap       3002      1  0 23:31 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
[root@ldap openldap]# chkconfig slapd on
[root@ldap openldap]# chkconfig --list slapd
slapd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

Inspect the LDAP master database:
[root@ldap openldap]# ldap
ldapadd      ldapmodify   ldapurl
ldapcompare  ldapmodrdn   ldapwhoami
ldapdelete   ldappasswd   
ldapexop     ldapsearch
[root@ldap openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)  // querying the LDAP database fails: the bind is rejected even with the correct password.
The error comes from the conflict between the 2.3-style slapd.conf and the 2.4 cn=config directory; resolve it as follows:
[root@ldap openldap]# ll /etc/openldap/slapd.d/
total 8
drwx------. 3 ldap ldap 4096 Nov  1 23:46 cn=config
-rw-------. 1 ldap ldap 1281 Nov  1 23:46 cn=config.ldif
[root@ldap openldap]# rm -rf /etc/openldap/slapd.d/*
[root@ldap openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
581a0d14 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@ldap openldap]# ll /etc/openldap/slapd.d
total 8
drwxr-x---. 3 root root 4096 Nov  2 23:59 cn=config
-rw-------. 1 root root 1301 Nov  2 23:59 cn=config.ldif
[root@ldap openldap]# /etc/init.d/slapd restart
Stopping slapd:                                    [  OK  ]
Checking configuration files for slapd:            [FAILED]
581a0daf ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@ldap openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@ldap openldap]# ll /etc/openldap/slapd.d
total 8
drwxr-x---. 3 ldap ldap 4096 Nov  2 23:59 cn=config
-rw-------. 1 ldap ldap 1301 Nov  2 23:59 cn=config.ldif
[root@ldap openldap]# /etc/init.d/slapd restart     
Stopping slapd:                                    [FAILED]
Starting slapd:                                    [  OK  ]
[root@ldap openldap]# lsof -i:389
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   3186 ldap    7u  IPv4  23490      0t0  TCP *:ldap (LISTEN)
slapd   3186 ldap    8u  IPv6  23491      0t0  TCP *:ldap (LISTEN)
[root@ldap openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password:
No such object (32)
With that, the problem is resolved.
To query LDAP directory entries we use the ldapsearch command; a brief introduction follows, and the man page has the details.
    -b: the search base (the node to search from)
    -D: the DN to bind as for the search
    -x: use simple authentication
    -W: prompt for the password when querying, or use -w password instead
    -h: the OpenLDAP host address, either an IP or a domain name
    -H: the URI of the LDAP server to operate on

Methods for adding data to the LDAP master database:
There are four ways to add user data to LDAP, listed below; we use the fourth for this exercise.
 1) Modify the data files under the slapd.d directory directly; the advantage is that no service restart is needed and changes take effect immediately;
 2) Install the open-source migrationtools to generate LDIF files, then add them with ldapadd;
 3) Install an LDAP client; this is the simplest method;
 4) Edit the LDIF file directly, then add it with ldapadd.
  First we edit base.ldif by hand; pasting it in directly seems to cause problems with the format. Entries are separated by a blank line, and pasting tends to leave a space on that line, so you need to delete the leading space from each "blank" line between entries.
[root@ldap openldap]# vi base.ldif
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group

Import the data and initialise the LDAP test data:
[root@ldap openldap]# ldapadd -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=etiantian,dc=org"

adding new entry "ou=People,dc=etiantian,dc=org"

adding new entry "ou=group,dc=etiantian,dc=org"

Query the imported result:
[root@ldap openldap]# ldapsearch -LLL -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" -w 123456   
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group

Next we add a user and a group via user.ldif and group.ldif.
1. Edit the user and group configuration files
[root@ldap openldap]# vi user.ldif
dn: uid=test1,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
userPassword:: e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9
[root@ldap openldap]# vi group.ldif
dn: cn=DBA,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: DBA
memberUid: test1
gidNumber: 10673
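The two LDIF files above, and the copy-and-paste problem with blank separator lines mentioned earlier, are a good place for a small checker. The following added example (my own code, not from the article) reads LDIF, including "::" base64 values and folded continuation lines, and then runs a few checks on posixAccount and posixGroup entries: required RFC 2307 attributes, RDN matching the uid, hashed rather than cleartext userPassword, memberUid values that name an existing account, and uidNumber or gidNumber equal to 0. That last check is why the example exists: the user.ldif above gives test1 gidNumber 0, which is the root group on every Linux client that resolves groups through this directory. The LDIF text in the block is constructed for the example and mirrors the article's entries; the function names are my own.

```python
# Added example (not part of the article): a small LDIF reader plus checks for
# posixAccount/posixGroup entries like user.ldif and group.ldif above. The LDIF
# text below is constructed for this example; function names are my own.
import base64

HASH_PREFIXES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

USER_LDIF = """\
dn: uid=test1,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
cn: test1
uidNumber: 24422
userPassword:: e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRR
 VpOcXc9
"""

GROUP_LDIF = """\
dn: cn=DBA,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: DBA
memberUid: test1
gidNumber: 10673
"""

# A separator line holding one space instead of being empty: LDIF treats a
# leading space as line folding, so the two entries run together.
BAD_SEPARATOR_LDIF = ("dn: dc=etiantian,dc=org\nobjectClass: dcObject\n \n"
                      "dn: ou=People,dc=etiantian,dc=org\nobjectClass: organizationalUnit\n")


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}, ...]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # folded line continues the previous one
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:              # sentinel flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        attr = attr.strip()
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            if current is not None:
                raise ValueError("second dn inside one entry (%s): is the separator line really empty?" % value)
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            raise ValueError("attribute before any dn: " + line)
        current["attrs"].setdefault(attr, []).append(value)
    return entries


def parse_errors(text):
    """None when the LDIF parses, otherwise the error message."""
    try:
        parse_ldif(text)
        return None
    except ValueError as exc:
        return str(exc)


def _first(entry, attr):
    vals = entry["attrs"].get(attr)
    return vals[0] if vals else None


def validate_entries(entries):
    """Return human-readable problems found in posixAccount/posixGroup entries."""
    problems = []
    known_uids = {_first(e, "uid") for e in entries
                  if "posixAccount" in e["attrs"].get("objectClass", [])}
    for e in entries:
        dn, classes = e["dn"], e["attrs"].get("objectClass", [])
        if "posixAccount" in classes:
            for must in POSIX_ACCOUNT_MUST:
                if must not in e["attrs"]:
                    problems.append("%s: missing required attribute %s" % (dn, must))
            uid = _first(e, "uid")
            if uid and dn.split(",", 1)[0].lower() != ("uid=" + uid).lower():
                problems.append("%s: RDN does not match uid %s" % (dn, uid))
            for idattr in ("uidNumber", "gidNumber"):
                if _first(e, idattr) == "0":
                    problems.append("%s: %s is 0 (root / root group on every client using this entry)" % (dn, idattr))
            pw = _first(e, "userPassword")
            if pw is not None and not pw.startswith(HASH_PREFIXES):
                problems.append("%s: userPassword is stored in cleartext" % dn)
        if "posixGroup" in classes:
            for member in e["attrs"].get("memberUid", []):
                if member not in known_uids:
                    problems.append("%s: memberUid %s has no posixAccount entry" % (dn, member))
    return problems


if __name__ == "__main__":
    for p in validate_entries(parse_ldif(USER_LDIF + "\n" + GROUP_LDIF)):
        print("PROBLEM:", p)
    print("bad separator:", parse_errors(BAD_SEPARATOR_LDIF))
```

Run it before ldapadd and fix what it reports; the folded userPassword line in USER_LDIF shows the correct way to wrap the value from user.ldif across two lines (the continuation line must begin with a space).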
2. Add the user and the group
[root@ldap openldap]# ldapadd -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -f user.ldif -w 123456   
adding new entry "uid=test1,ou=People,dc=etiantian,dc=org"
[root@ldap openldap]# ldapadd -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -f group.ldif -w 123456
adding new entry "cn=DBA,ou=group,dc=etiantian,dc=org"
3. Check that they were added
[root@ldap openldap]# ldapsearch -LLL -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" -w 123456
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group

dn: uid=test1,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
userPassword:: e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9

dn: cn=DBA,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: DBA
memberUid: test1
gidNumber: 10673

Back up the initialised LDAP database data:
[root@ldap openldap]# ldapsearch -LLL -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" -w 123456 >/data/bak_ldap_data.ldif
[root@ldap openldap]# ll /data/bak_ldap_data.ldif
-rw-r--r--. 1 root root 834 Nov  3 23:05 /data/bak_ldap_data.ldif

Configure a web management interface for the LDAP master:
1. Install the LAMP environment
[root@ldap openldap]# yum -y install httpd php php-ldap php-gd
[root@ldap openldap]# rpm -qa httpd php php-ldap php-gd
httpd-2.2.15-54.el6.centos.x86_64
php-gd-5.3.3-48.el6_8.x86_64
php-ldap-5.3.3-48.el6_8.x86_64
php-5.3.3-48.el6_8.x86_64
2. Download, extract and configure the LDAP client software (LDAP Account Manager)
[root@ldap openldap]# cd /var/www/html
[root@ldap html]# tar xf ldap-account-manager-3.9.tar.gz
[root@ldap html]# mv ldap-account-manager-3.9 ldap
[root@ldap html]# cd ldap/config
[root@ldap config]# cp config.cfg_sample config.cfg_sample.bak
[root@ldap config]# cp lam.conf_sample lam.conf_sample.bak
[root@ldap config]# mv lam.conf_sample lam.conf
[root@ldap config]# mv config.cfg_sample config.cfg
[root@ldap config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
[root@ldap config]# sed -i 's#dc=my-domain#dc=etiantian#g' lam.conf
[root@ldap config]# sed -i 's#dc=com#dc=org#g' lam.conf
[root@ldap config]# diff lam.conf_sample lam.conf
13c13
< admins: cn=Manager,dc=my-domain,dc=com
---
> admins: cn=admin,dc=etiantian,dc=org
55c55
< types: suffix_user: ou=People,dc=my-domain,dc=com
---
> types: suffix_user: ou=People,dc=etiantian,dc=org
59c59
< types: suffix_group: ou=group,dc=my-domain,dc=com
---
> types: suffix_group: ou=group,dc=etiantian,dc=org
63c63
< types: suffix_host: ou=machines,dc=my-domain,dc=com
---
> types: suffix_host: ou=machines,dc=etiantian,dc=org
67c67
< types: suffix_smbDomain: dc=my-domain,dc=com
---
> types: suffix_smbDomain: dc=etiantian,dc=org
[root@ldap config]# chown -R apache.apache /var/www/html/ldap
[root@ldap config]# /etc/init.d/httpd start
Starting httpd:                                    [  OK  ]
Log in to the LDAP master's web management interface:
http://192.168.0.111/ldap/templates/login.php
  When the login page appears, first click the "LAM configuration" option at the top right, then "Edit general settings", and enter the client password when prompted (the default is "lam"); change the default "LAM configuration" password, set here to 123456. Then log in and use it as you like!

Configure network services to authenticate through LDAP:
1. Configure svn + SASL to authenticate through LDAP
a. Install and configure the svn service (svnserve, not Apache)
See the previous lesson: http://linuxzkq.blog.51cto.com/9379412/1867490
b. Enable the SASL authentication mechanism on the svn server
  SASL stands for Simple Authentication and Security Layer, a mechanism for extending the authentication capabilities of client/server protocols. SASL is a framework for authentication and data encryption in network protocols. It separates the authentication mechanism from the application, so in theory any protocol that uses SASL can use every authentication mechanism SASL supports. Mechanisms may support proxy authentication, which lets one user act under another user's identity. SASL also provides a data security layer, giving data integrity checking and data encryption. Applications that support SASL usually also support Transport Layer Security (TLS) as a complement to the services SASL provides.
[root@ldap sadoc]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
The system has 4 of them installed by default, which is not the complete set; next install the related SASL packages.
[root@ldap sadoc]# yum -y install *sasl*
...output omitted...
Installed:
  cyrus-sasl-gssapi.x86_64 0:2.1.23-15.el6_6.2  
  cyrus-sasl-ldap.x86_64 0:2.1.23-15.el6_6.2    
  cyrus-sasl-md5.x86_64 0:2.1.23-15.el6_6.2     
  cyrus-sasl-ntlm.x86_64 0:2.1.23-15.el6_6.2    
  cyrus-sasl-sql.x86_64 0:2.1.23-15.el6_6.2     
  python-saslwrapper.x86_64 0:0.14-1.el6        
  ruby-saslwrapper.x86_64 0:0.14-1.el6          
  saslwrapper.x86_64 0:0.14-1.el6               
  saslwrapper-devel.x86_64 0:0.14-1.el6         
Dependency Installed:
  postgresql-libs.x86_64 0:8.4.20-6.el6         
  ruby.x86_64 0:1.8.7.374-4.el6_6               
  ruby-libs.x86_64 0:1.8.7.374-4.el6_6          
Complete!
[root@ldap sadoc]# rpm -qa|grep sasl    
saslwrapper-devel-0.14-1.el6.x86_64
cyrus-sasl-ntlm-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-sql-2.1.23-15.el6_6.2.x86_64
python-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-ldap-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
ruby-saslwrapper-0.14-1.el6.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64

To see the list of password-verification mechanisms, enter:
[root@ldap sadoc]# sasl
sasl2-sample-client    saslauthd
sasl2-sample-server    sasldblistusers2
sasl2-shared-mechlist  saslpasswd2
[root@ldap sadoc]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
[root@ldap sadoc]# grep -i "mech" /etc/sysconfig/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
[root@ldap sadoc]# sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd
[root@ldap sadoc]# grep -i "mech" /etc/sysconfig/saslauthd|grep -v "#"
MECH=shadow
[root@ldap sadoc]# /etc/init.d/saslauthd restart
Stopping saslauthd:                            [FAILED]
Starting saslauthd:                            [  OK  ]
[root@ldap sadoc]# ps -ef|grep sasl
root       3817      1  0 21:49 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root       3819   3817  0 21:49 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root       3820   3817  0 21:49 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root       3821   3817  0 21:49 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root       3822   3817  0 21:49 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
root       3824   3717  0 21:49 pts/0    00:00:00 grep sasl

Test the saslauthd daemon's authentication:
[root@ldap sadoc]# testsaslauthd -uadmin -p123456
0: NO "authentication failed"  // fails because no such user exists among the system users; add the user below.
[root@ldap sadoc]# grep "admin" /etc/passwd
[root@ldap sadoc]# id admin
id: admin: No such user
[root@ldap sadoc]# useradd admin
[root@ldap sadoc]# passwd admin
Changing password for user admin.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:  // set the password to "123456", as above
passwd: all authentication tokens updated successfully.
[root@ldap sadoc]# testsaslauthd -uadmin -p123456
0: OK "Success."
[root@ldap sadoc]# testsaslauthd -utest1 -p123456
0: NO "authentication failed"  // testing with an LDAP user fails, so LDAP users are not supported yet.

Test authenticating through LDAP:
[root@ldap sadoc]# man saslauthd  // read the man page; type "/ldap" to search for the LDAP-related options.
SASLAUTHD(8)              BSD System Manager’s Manual             SASLAUTHD(8)
NAME
     saslauthd - sasl authentication server
SYNOPSIS
     saslauthd -a authmech [-Tvdchlr]
               [-O option] [-m mux_path]
               [-n threads] [-s size]
               [-t timeout]
DESCRIPTION
     saslauthd is a daemon process that
...skipping...
     ldap       (All platforms that support
                OpenLDAP 2.0 or higher)
                Authenticate against an
                ldap server.  The ldap con-
                figuration parameters are
                read from /etc/saslau-
                thd.conf.  The location of
                this file can be changed
                with the -O parameter. See
                the LDAP_SASLAUTHD file
                included with the distribu-
                tion for the list of avail-
                able parameters.
[root@ldap sadoc]# history|grep sed
    8  sed -i 's/keepcache=0/keepcache=1/g' /etc/yum.conf
  275  slappasswd -s 123456|sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>slapd.conf
  383  sed -i 's#cn=Manager#cn=amin#g' lam.conf
  384  sed -i 's#dc=my-domain#dc=etiantian#g' lam.conf
  385  sed -i 's#dc=com#dc=org#g' lam.conf
  387  sed -i 's#cn=amin#cn=admin#g' lam.conf
  411  sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd
  426  history|grep sed
[root@ldap sadoc]# sed -i 's#MECH=shadow#MECH=ldap#g' /etc/sysconfig/saslauthd
[root@ldap sadoc]# grep -i "mech" /etc/sysconfig/saslauthd|grep -v "#"        
MECH=ldap
[root@ldap sadoc]# /etc/init.d/saslauthd restart
Stopping saslauthd:                            [  OK  ]
Starting saslauthd:                            [  OK  ]
[root@ldap sadoc]# testsaslauthd -utest1 -p123456
0: NO "authentication failed"
[root@ldap sadoc]# testsaslauthd -uadmin -p123456
0: NO "authentication failed"
Authentication now fails for both the system user admin and the LDAP user test1.

Configure the connection details saslauthd uses to reach LDAP:
[root@ldap sadoc]# vi /etc/saslauthd.conf       
ldap_servers: ldap://etiantian.org/
#ldap_uri: ldap://ldap.test1.etiantian.org/
#ldap_version: 3
#ldap_start_tls: 0
ldap_bind_dn: cn=admin,dc=etiantian,dc=org
ldap_bind_pw: 123456
ldap_search_base: ou=People,dc=etiantian,dc=org
ldap_filter: uid=%U
#ldap_filter: mail=%U@etiantian.org
ldap_password_attr: userPassword
#ldap_sasl: 0
[root@ldap sadoc]# /etc/init.d/saslauthd restart
Stopping saslauthd:                            [  OK  ]
Starting saslauthd:                            [  OK  ]
[root@ldap sadoc]# testsaslauthd -u oldboy -p 123456
0: OK "Success."  // LDAP user authenticates successfully
[root@ldap sadoc]# testsaslauthd -u test1 -p 123456
0: OK "Success."  // LDAP user authenticates successfully
[root@ldap sadoc]# testsaslauthd -u admin -p 123456
0: NO "authentication failed"  // the system user admin now fails to authenticate

Write a script that installs the svn service in one step, and test it:
[root@client ~]# vi auto_install_svn.sh
#!/bin/sh
#this script installs and configures svnserve automatically
#date:2016-11-04
#author:linuxzkq
#mail:1729294227@qq.com
#version:v1.0

#yum install svn
yum -y install subversion

#set "keepcache=1"
sed -i 's/keepcache=0/keepcache=1/g' /etc/yum.conf
grep "keepcache" /etc/yum.conf

#create svn svndata and svnpasswd directory
mkdir -p /application/svndata
mkdir -p /application/svnpasswd

#start svn
svnserve -d -r /application/svndata/
ps -ef| grep svn|grep -v grep
netstat -tunlp|grep 3690

#create svn Project
svnadmin create /application/svndata/sadoc

#start config svn
cd /application/svndata/sadoc/conf/
/bin/cp svnserve.conf svnserve.conf.bak
sed -i 's/# anon-access = read/anon-access = none/g' svnserve.conf
sed -i 's/# auth-access = write/auth-access = write/g' svnserve.conf
sed -i 's@# password-db = passwd@password-db = /application/svnpasswd/passwd@g' svnserve.conf
sed -i 's@# authz-db = authz@authz-db = /application/svnpasswd/authz@g' svnserve.conf

#start config svn passwd and authz
/bin/cp authz passwd /application/svnpasswd/
chmod 700 /application/svnpasswd/*
cat >>/application/svnpasswd/passwd<<EOF
linuxzkq = 123456
guest = guest
EOF
cat >>/application/svnpasswd/authz<<EOF
[groups]
linux = linuxzkq,guest
[sadoc:/]
linuxzkq = rw
guest = r
@linux = r
* =
EOF

#restart svn
pkill svnserve
sleep 3
svnserve -d -r /application/svndata/

#test local file
echo "please exec the cmd bellow:"
echo "svn checkout svn://192.168.0.110/sadoc /opt --username=linuxzkq --password=123456"
sleep 600

Configure svn to authenticate and authorise through LDAP:
[root@ldap ~]# ll /etc/sasl2/
total 4
-rw-r--r--. 1 root root 49 Feb 20  2014 smtpd.conf
[root@ldap ~]# vi /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
[root@ldap ~]# cp /application/svndata/sadoc/conf/svnserve.conf /application/svndata/sadoc/conf/svnserve.conf.ori
[root@ldap ~]# sed -i 's@# use-sasl = true@use-sasl = true@g' /application/svndata/sadoc/conf/svnserve.conf
[root@ldap ~]# grep "sasl" /application/svndata/sadoc/conf/svnserve.conf
[sasl]
use-sasl = true
[root@ldap ~]# vi /application/svnpasswd/authz
Under the [groups] section add:
ldap = test1,oldboy
Under the [sadoc:/] section add:
@ldap = rw
Note: adding the above grants the LDAP users access to the svn repository.
[root@ldap ~]# pkill svnserve
[root@ldap ~]# svnserve -d -r /application/svndata
[root@ldap ~]# netstat -tunlp|grep 3690
tcp        0      0 0.0.0.0:3690                0.0.0.0:*                   LISTEN      1870/svnserve
[root@ldap ~]# svn checkout svn://192.168.0.111/sadoc /opt --username=oldboy --password=123456
A    /opt/a
A    /opt/22.txt
A    /opt/b
A    /opt/c
A    /opt/d
A    /opt/7.txt
A    /opt/8.txt
A    /opt/新建 Microsoft Access 數據庫.accdb
A    /opt/55.txt
Checked out revision 48.
[root@ldap ~]# svn ls svn://192.168.0.111/sadoc --username=test1 --password=123456        
22.txt
55.txt
7.txt
8.txt
a
b
c
d
The results above show that the LDAP user oldboy can access the svn repository normally.

Summary of svn authentication through LDAP:
1. A working saslauthd configuration is the prerequisite;
2. Configure /etc/sasl2/svn.conf:
[root@ldap ~]# vi /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
3. Configure the svn service, enable SASL support and restart svn:
[root@ldap ~]# grep "sasl" /application/svndata/sadoc/conf/svnserve.conf
[sasl]
use-sasl = true
4. Configure authz to grant LDAP users access to the relevant projects:
[root@ldap ~]# vi /application/svnpasswd/authz
Under the [groups] section add:
ldap = test1,oldboy
Under the [sadoc:/] section add:
@ldap = rw
5. Test access from Linux or win32:
[root@ldap ~]# svn ls svn://192.168.0.111/sadoc --username=test1 --password=123456
