Linux與雲計算——第二階段Linux服務器架設 第六章:目錄Directory服務器架設—OpenLDAP

Linux與雲計算——第二階段Linux服務器架設

第六章:目錄Directory服務器架設—OpenLDAP

1 OpenLDAP 配置LDAP服務器

Configure an LDAP server in order to share users' accounts across your local network.

[1] Install OpenLDAP Server.

[root@dlp ~]# yum -y install openldap-servers openldap-clients

[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG

[root@dlp ~]# systemctl start slapd

[root@dlp ~]# systemctl enable slapd

[2] Set OpenLDAP admin password.

# generate a hashed password

[root@dlp ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# vi chrootpw.ldif

# specify the password generated above for "olcRootPW" section

 dn: olcDatabase={0}config,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

 

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={0}config,cn=config"

[3] Import basic Schemas.

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

 

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

 

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

[4] Set your domain name on LDAP DB.

# generate directory manager's password

[root@dlp ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# vi chdomain.ldif

# replace "dc=***,dc=***" with your own domain name

# specify the password generated above for "olcRootPW" section

 dn: olcDatabase={1}monitor,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

  read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcSuffix

olcSuffix: dc=srv,dc=world

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootDN

olcRootDN: cn=Manager,dc=srv,dc=world

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcAccess

olcAccess: {0}to attrs=userPassword,shadowLastChange by

  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read

 

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}monitor,cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

[root@dlp ~]# vi basedomain.ldif

# replace "dc=***,dc=***" with your own domain name

 dn: dc=srv,dc=world

objectClass: top

objectClass: dcObject

objectclass: organization

o: Server World

dc: Server

 

dn: cn=Manager,dc=srv,dc=world

objectClass: organizationalRole

cn: Manager

description: Directory Manager

 

dn: ou=People,dc=srv,dc=world

objectClass: organizationalUnit

ou: People

 

dn: ou=Group,dc=srv,dc=world

objectClass: organizationalUnit

ou: Group

 

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif

Enter LDAP Password: # directory manager's password

adding new entry "dc=srv,dc=world"

 

adding new entry "cn=Manager,dc=srv,dc=world"

 

adding new entry "ou=People,dc=srv,dc=world"

 

adding new entry "ou=Group,dc=srv,dc=world"

[5] If Firewalld is running, allow LDAP service. LDAP uses 389/TCP.

[root@dlp ~]# firewall-cmd --add-service=ldap --permanent

success

[root@dlp ~]# firewall-cmd --reload

success


2 新增用戶帳戶

Add LDAP User Accounts in the OpenLDAP Server.

[1] Add a user.

# generate a hashed password

[root@dlp ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxx

[root@dlp ~]# vi ldapuser.ldif

# create new

# replace "dc=***,dc=***" with your own domain name

 dn: uid=cent,ou=People,dc=srv,dc=world

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

cn: Cent

sn: Linux

userPassword: {SSHA}xxxxxxxxxxxxxxxxx

loginShell: /bin/bash

uidNumber: 1000

gidNumber: 1000

homeDirectory: /home/cent

 

dn: cn=cent,ou=Group,dc=srv,dc=world

objectClass: posixGroup

cn: Cent

gidNumber: 1000

memberUid: cent

 

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif

Enter LDAP Password:

adding new entry "uid=cent,ou=People,dc=srv,dc=world"

 

adding new entry "cn=cent,ou=Group,dc=srv,dc=world"

[2] Add users and groups in local passwd/group to LDAP directory.

[root@dlp ~]# vi ldapuser.sh

# extract local users (and their primary groups) whose UID is in the range 1000-9999

# replace "SUFFIX=***" with your own domain name

# this is an example

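#!/bin/bash
# ldapuser.sh - export local accounts and their primary groups as LDIF.
#
# Every /etc/passwd user whose UID lies in UID_MIN..UID_MAX becomes an
# inetOrgPerson/posixAccount/shadowAccount entry under ou=People, and every
# distinct primary GID of those users becomes a posixGroup entry under
# ou=Group listing the exported users that have it as their primary group.
#
# Reads:   /etc/passwd, /etc/shadow (requires root), /etc/group
# Writes:  $LDIF in the current directory (overwritten), for "ldapadd -f"
#
# The output contains the {crypt} password hashes copied from /etc/shadow,
# so it is created readable by its owner only; delete it after the import.
# Replace SUFFIX with your own domain name before running.
set -e -o pipefail

SUFFIX='dc=srv,dc=world'
LDIF='ldapuser.ldif'
UID_MIN=1000   # inclusive bounds of the UID range that is exported
UID_MAX=9999

if [ ! -r /etc/shadow ]; then
  printf 'error: /etc/shadow is not readable; run this script as root\n' >&2
  exit 1
fi

#######################################
# Print the /etc/shadow line for one login name, or nothing if absent.
# The name is matched as a whole field, so "cent" never matches "vincent".
# Arguments: $1 - login name
#######################################
shadow_line() {
  awk -F: -v u="$1" '$1 == u { print; exit }' /etc/shadow
}

#######################################
# Print "attr: value" on stdout, or nothing when the value is empty
# (an empty value is not valid for the integer-syntax shadow attributes).
# Arguments: $1 - attribute name, $2 - value
#######################################
emit_optional() {
  if [ -n "$2" ]; then
    printf '%s: %s\n' "$1" "$2"
  fi
}

# The file is about to receive password hashes: make it owner-only.
umask 077
: > "$LDIF"

# Primary GIDs of the exported users, in first-seen order, without duplicates
# (an exact key lookup, so GID 100 is not mistaken for GID 1000).
GROUP_ORDER=()
declare -A SEEN_GID=()

while IFS=: read -r name _ uid gid gecos home shell; do
  [[ $uid =~ ^[0-9]+$ ]] || continue
  [[ $gid =~ ^[0-9]+$ ]] || continue
  # 10# forces decimal so a leading zero is not read as octal.
  (( 10#$uid >= UID_MIN && 10#$uid <= UID_MAX )) || continue

  # GECOS is "Full Name,room,phone,..."; keep the name part only and use
  # its first word as givenName and its second word as sn.
  read -r given sn _ <<<"${gecos%%,*}"
  user_name=$given${sn:+ $sn}
  [ -n "$user_name" ] || user_name=$name
  [ -n "$given" ] || given=$user_name
  [ -n "$sn" ] || sn=$user_name

  # All ageing fields come straight from /etc/shadow (the last column of
  # "passwd -S" is the inactivity period, not the account expiry).
  IFS=: read -r _ hash lastchg min max warn inact expire flag <<<"$(shadow_line "$name")"
  [ -n "$lastchg" ] || lastchg=0
  [ -n "$flag" ] || flag=0

  if [ -z "${SEEN_GID[$gid]+x}" ]; then
    SEEN_GID[$gid]=1
    GROUP_ORDER+=("$gid")
  fi

  {
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: shadowAccount\n'
    printf 'sn: %s\n' "$sn"
    printf 'givenName: %s\n' "$given"
    printf 'cn: %s\n' "$user_name"
    printf 'displayName: %s\n' "$user_name"
    printf 'uidNumber: %s\n' "$uid"
    printf 'gidNumber: %s\n' "$gid"
    # A locked hash ("!!" or "*") is copied as is, so the account stays locked.
    printf 'userPassword: {crypt}%s\n' "$hash"
    printf 'gecos: %s\n' "$user_name"
    printf 'loginShell: %s\n' "$shell"
    printf 'homeDirectory: %s\n' "$home"
    emit_optional shadowExpire "$expire"
    printf 'shadowFlag: %s\n' "$flag"
    emit_optional shadowWarning "$warn"
    emit_optional shadowMin "$min"
    emit_optional shadowMax "$max"
    emit_optional shadowInactive "$inact"
    printf 'shadowLastChange: %s\n' "$lastchg"
    printf '\n'
  } >> "$LDIF"
done < /etc/passwd

for gid in "${GROUP_ORDER[@]}"; do
  group_name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' /etc/group)
  if [ -z "$group_name" ]; then
    # Without a name there is no valid DN to write; say so instead of
    # emitting "cn=," which ldapadd would reject.
    printf 'warning: GID %s has no /etc/group entry; group skipped\n' "$gid" >&2
    continue
  fi
  {
    printf 'dn: cn=%s,ou=Group,%s\n' "$group_name" "$SUFFIX"
    printf 'objectClass: posixGroup\n'
    printf 'cn: %s\n' "$group_name"
    printf 'gidNumber: %s\n' "$gid"
    # Members are the exported users whose primary GID (field 4) is this one;
    # the field is compared exactly so a UID with the same value cannot match.
    awk -F: -v g="$gid" -v lo="$UID_MIN" -v hi="$UID_MAX" \
      '$4 == g && $3 >= lo && $3 <= hi { print "memberUid: " $1 }' /etc/passwd
    printf '\n'
  } >> "$LDIF"
done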

 

[root@dlp ~]# sh ldapuser.sh

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif

Enter LDAP Password:

adding new entry "uid=cent,ou=People,dc=srv,dc=world"

adding new entry "uid=redhat,ou=People,dc=srv,dc=world"

adding new entry "uid=ubuntu,ou=People,dc=srv,dc=world"

adding new entry "uid=debian,ou=People,dc=srv,dc=world"

adding new entry "cn=cent,ou=Group,dc=srv,dc=world"

adding new entry "cn=redhat,ou=Group,dc=srv,dc=world"

adding new entry "cn=ubuntu,ou=Group,dc=srv,dc=world"

adding new entry "cn=debian,ou=Group,dc=srv,dc=world"

[3] If you'd like to delete an LDAP user or group, do as below.

[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "uid=cent,ou=People,dc=srv,dc=world"

Enter LDAP Password:

[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "cn=cent,ou=Group,dc=srv,dc=world"

Enter LDAP Password:



3 配置LDAP客戶端

Configure an LDAP client in order to share users' accounts across your local network.

[1] Install OpenLDAP Client.

[root@www ~]# yum -y install openldap-clients nss-pam-ldapd

# ldapserver=(LDAP server's hostname or IP address)

# ldapbasedn="dc=(your own domain name)"

[root@www ~]# authconfig --enableldap \

--enableldapauth \

--ldapserver=dlp.srv.world \

--ldapbasedn="dc=srv,dc=world" \

--enablemkhomedir \

--update

[root@www ~]# exit

logout

CentOS Linux 7 (Core)

Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64

www login: redhat # LDAP user

Password: # password

Creating directory '/home/redhat'.

[redhat@www ~]$ # logged in normally

[redhat@www ~]$ passwd # try to change the LDAP password

Changing password for user redhat.

Enter login(LDAP) password: # current password

New password: # new password

Retype new password:

LDAP password information changed for redhat

passwd: all authentication tokens updated successfully.

[2] If SELinux is enabled, a rule must be added to allow mkhomedir to create home directories automatically.

[root@www ~]# vi mkhomedir.te

# create new

module mkhomedir 1.0;

 

require {

        type unconfined_t;

        type oddjob_mkhomedir_exec_t;

        class file entrypoint;

}

 

#============= unconfined_t ==============

allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;

 

[root@www ~]# checkmodule -m -M -o mkhomedir.mod mkhomedir.te

checkmodule: loading policy configuration from mkhomedir.te

checkmodule: policy configuration loaded

checkmodule: writing binary representation (version 17) to mkhomedir.mod

[root@www ~]# semodule_package --outfile mkhomedir.pp --module mkhomedir.mod

[root@www ~]# semodule -i mkhomedir.pp



4 LDAP over TLS

Configure LDAP over TLS to secure the connection.

[1] Create SSL certificate first. See here.

[2] Configure LDAP Server.

[root@dlp ~]# cp /etc/pki/tls/certs/server.key \

/etc/pki/tls/certs/server.crt \

/etc/pki/tls/certs/ca-bundle.crt \

/etc/openldap/certs/

[root@dlp ~]# chown ldap. /etc/openldap/certs/server.key \

/etc/openldap/certs/server.crt \

/etc/openldap/certs/ca-bundle.crt

[root@dlp ~]# vi mod_ssl.ldif

# create new

 dn: cn=config

changetype: modify

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt

-

replace: olcTLSCertificateFile

olcTLSCertificateFile: /etc/openldap/certs/server.crt

-

replace: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

 

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

 

[root@dlp ~]# vi /etc/sysconfig/slapd

# line 9: add

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

[root@dlp ~]# systemctl restart slapd

[3] Configure LDAP Client for TLS connection. Note that "TLS_REQCERT allow" / "tls_reqcert allow" below makes the client accept the server certificate without verifying it; once the CA certificate is installed on the client, use "demand" instead so that the server is actually authenticated.

[root@www ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf

[root@www ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf

[root@www ~]# authconfig --enableldaptls --update

getsebool: SELinux is disabled

[root@www ~]# exit

logout

CentOS Linux 7 (Core)

Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64

www login: redhat

Password:

Last login: Tue Aug 19 19:55:52 on ttyS0

[redhat@www ~]$ # logged in normally


5 LDAP Replication

Configure OpenLDAP replication so that the directory service continues if the OpenLDAP master server goes down. In OpenLDAP the master server is called the "Provider" and the slave server is called the "Consumer".

[1] Configure Basic LDAP Server settings on both Provider and Consumer, refer to here.

[2] Configure LDAP Provider. Add syncprov module.

[root@dlp ~]# vi mod_syncprov.ldif

# create new

 dn: cn=module,cn=config

objectClass: olcModuleList

cn: module

olcModulePath: /usr/lib64/openldap

olcModuleLoad: syncprov.la

 

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=module,cn=config"

 

[root@dlp ~]# vi syncprov.ldif

# create new

 dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config

objectClass: olcOverlayConfig

objectClass: olcSyncProvConfig

olcOverlay: syncprov

olcSpSessionLog: 100

 

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

[3] Configure LDAP Consumer. The "credentials" value below is the directory manager's password, stored in clear text in cn=config and sent to the Provider over plain ldap:// in this example; prefer an ldaps:// provider URI (see the LDAP over TLS section) where available.

[root@slave ~]# vi syncrepl.ldif

# create new

 dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcSyncRepl

olcSyncRepl: rid=001

  # LDAP server's URI

  provider=ldap://10.0.0.30:389/

  bindmethod=simple

  # own domain name

  binddn="cn=Manager,dc=srv,dc=world"

  # directory manager's password

  credentials=password

  searchbase="dc=srv,dc=world"

  # includes subtree

  scope=sub

  schemachecking=on

  type=refreshAndPersist

  # [retry interval] [retry times] [interval of re-retry] [re-retry times]

  retry="30 5 300 3"

  # replication interval

  interval=00:00:05:00

 

[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={2}hdb,cn=config"

 

# confirm the settings by searching the replicated data

[root@slave ~]# ldapsearch -x -b 'ou=People,dc=srv,dc=world'

# People, srv.world

dn: ou=People,dc=srv,dc=world

objectClass: organizationalUnit

ou: People

...

...

[4] Configure LDAP Client to bind LDAP Consumer, too.

[root@www ~]# authconfig --ldapserver=dlp.srv.world,slave.srv.world --update

6 Multi-Master Replication

Configure OpenLDAP Multi-Master Replication.

With the Provider/Consumer settings it is impossible to add data on the Consumer server, but with these Multi-Master settings data can be added on any master server.

[1] Configure Basic LDAP Server settings on all server, refer to here.

[2] Configure like follows on all servers. Add syncprov module.

[root@slapd01 ~]# vi mod_syncprov.ldif

# create new

 dn: cn=module,cn=config

objectClass: olcModuleList

cn: module

olcModulePath: /usr/lib64/openldap

olcModuleLoad: syncprov.la

 

[root@slapd01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=module,cn=config"

 

[root@slapd01 ~]# vi syncprov.ldif

# create new

 dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config

objectClass: olcOverlayConfig

objectClass: olcSyncProvConfig

olcOverlay: syncprov

olcSpSessionLog: 100

 

[root@slapd01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

[3] Configure as follows on all servers, but set different values for the parameters "olcServerID" and "provider=***" on each server.

[root@slapd01 ~]# vi master01.ldif

# create new

 dn: cn=config

changetype: modify

replace: olcServerID

# specify a unique ID number on each server

olcServerID: 0

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcSyncRepl

olcSyncRepl: rid=001

  # specify another LDAP server's URI

  provider=ldap://10.0.0.50:389/

  bindmethod=simple

  

  # own domain name

  binddn="cn=Manager,dc=srv,dc=world"

  # directory manager's password

  credentials=password

  searchbase="dc=srv,dc=world"

  # includes subtree

  scope=sub

  schemachecking=on

  type=refreshAndPersist

  # [retry interval] [retry times] [interval of re-retry] [re-retry times]

  retry="30 5 300 3"

  # replication interval

  interval=00:00:05:00

-

add: olcMirrorMode

olcMirrorMode: TRUE

 

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config

changetype: add

objectClass: olcOverlayConfig

objectClass: olcSyncProvConfig

olcOverlay: syncprov

 

[root@slapd01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

[4] Configure LDAP Client to bind all LDAP server.

[root@www ~]# authconfig --ldapserver=slapd01.srv.world,slapd02.srv.world --update



7 安裝phpLDAPadmin

Install phpLDAPadmin to operate LDAP server via Web browser.

[1] Install and start Apache httpd, refer to here.

[2] Install PHP, refer to here.

[3] Install phpLDAPadmin.

# install from EPEL

[root@dlp ~]# yum --enablerepo=epel -y install phpldapadmin

[root@dlp ~]# vi /etc/phpldapadmin/config.php

# line 397: uncomment, line 398: comment out

$servers->setValue('login','attr','dn');

// $servers->setValue('login','attr','uid');

[root@dlp ~]# vi /etc/httpd/conf.d/phpldapadmin.conf

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>

  <IfModule mod_authz_core.c>

    # Apache 2.4

    # line 12: add access permission

    Require local

    Require ip 10.0.0.0/24

[root@dlp ~]# systemctl restart httpd

[4] Access "http://(server's hostname or IP address)/ldapadmin/" from a client in the network allowed by the http server, then click "login".


[5] Authenticate with the Directory Manager account, specifying the user name as follows. It is also possible to log in as a common user.


[6] Logged in. The LDAP server can now be managed from here.

