# yum -y install openldap openldap-devel openldap-servers openldap-clients
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# rm -rf /etc/openldap/slapd.d/*
# slappasswd -s liwanliang
(用 -s 傳入密碼會留在 shell 歷史和 ps 輸出中;不加 -s 則由 slappasswd 交互式提示輸入)
# {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ
# vim /etc/openldap/slapd.conf
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=test,dc=com" read
        by * none
database bdb
suffix "dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=test,dc=com"
rootpw {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ
# chown -R ldap:ldap /etc/openldap/slapd.d
service slapd start
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# yum -y install migrationtools
# cd /usr/share/migrationtools
# vim migrate_common.h
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "test.com";
# Default base
$DEFAULT_BASE = "dc=test,dc=com";
建立一個用戶,家目錄在本地
# useradd liwanliang01
# passwd liwanliang01
或建立一個塊存儲,用於存放用戶家目錄,經過NFS共享家目錄(注意:/etc/exports 中的 no_root_squash 會讓客戶端的 root 在該共享上擁有服務器端 root 權限,只應對受信任的網段開放)
# dd if=/dev/zero of=/root/HOME bs=500M count=1
# mkfs.ext4 HOME
# mount -o loop /root/HOME /home
# useradd -d /home/liwl liwl
# yum -y install nfs-utils
# service rpcbind start && service nfs start
# vim /etc/exports
/root/HOME 192.168.10.0/24(rw,no_root_squash,no_all_squash)
# ./migrate_base.pl >/tmp/base.ldif
#./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
#./migrate_group.pl /etc/group > /tmp/group.ldif
# service slapd restart
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/group.ldif
#yum -y install nss-pam-ldapd pam_ldap
1.配置/etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
PASSWDALGORITHM=yes
FORCELEGACY=yes
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USEPASSWDQC=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEHESIOD=no
2.配置/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
#account     required      pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
3.配置/etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
4.配置/etc/pam_ldap.conf(下面的 ssl no 表示客戶端與 LDAP 服務器之間是明文連接,綁定密碼會以明文經過網絡;生產環境應改用 TLS)
uri ldap://192.168.80.51/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
5.配置/etc/nslcd.conf
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.80.51/
base dc=test,dc=com
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
6.啓動服務
# service nslcd start
# service nscd start
7.驗證
# su - liwl