Linux環境下經過OpenLDAP實現用戶的統一認證和管理

測試環境:bash

OpenLDAP Server <-------------------------------------------->OpenLDAP Clientsession

ip:192.168.4.178                                                                 ip:192.168.4.177app

Centos 6.4                                                                             Centos 6.4dom

hostname:open***                                                              hostname:open***-clientide

1、OpenLDAP Server的安裝和配置工具

[root@open*** ~]# yum install -y openldap openldap-servers openldap-clients                                
[root@open*** ~]# cd /etc/openldap/
[root@open*** openldap]# mv slapd.d slapd.d-bak
[root@open*** openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
建立slappasswd密碼:
測試

[root@open*** ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX
ui

[root@open*** openldap]# vi /etc/openldap/slapd.confspa

suffix          "dc=test,dc=com"
rootpw          {SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX    /將md5值粘貼到此
unix

directory       /var/lib/ldap

[root@open*** openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded

[root@open*** openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@open*** openldap]#cd /var/lib/ldap

[root@open*** ldap]# chown ldap.ldap DB_CONFIG*

[root@open*** ldap]#cd

[root@open*** ~]# service slapd start
[root@open*** ~]#chkconfig slapd on

[root@open*** ldap]# ldapsearch -x -b "dc=test,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


解決方法:
[root@open*** ldap]# vi /etc/sysconfig/ldap
SLAPD_LDAPI=no

[root@open*** ldap]# vi /etc/openldap/ldap.conf
base    dc=test,dc=com
uri     ldap://192.168.4.178

[root@open*** ldap]# service slapd restart
Stopping slapd: [  OK  ]
Starting slapd: [  OK  ]

[root@open*** ldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

 

建立用戶ldapuser1,ldapuser2其密碼分別爲123456

[root@open*** ldap]# useradd ldapuser1
[root@open*** ldap]# echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@open*** ldap]# useradd ldapuser2
[root@open*** ldap]# echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.

 

安裝migrationtools遷移本地用戶到LDAP的工具包

[root@open*** ldap]# yum install -y migrationtools

[root@open*** ldap]# cd /usr/share/migrationtools/
[root@open*** migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";

# Default base
$DEFAULT_BASE = "dc=test,dc=com";

[root@open*** migrationtools]# ./migrate_base.pl > base.ldif

[root@open*** migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@open*** migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif   /遷移用戶
[root@open*** migrationtools]# vi user.ldif
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$fiweB1Cv$UrLDDL9yWi8W7djPJQosXGEb3v5VbSmyhzRdunpWHJso0hysXeus9i0c87vY2CVQSb0ySU.Uv6moqzZBB1nF//
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$RK3zu0Np$2FssBfu3XJIeKOmJzyOmZgWoXk9npkpZquGvac0HoWbeB6A1aNjX.a2mxQhPIi6mhScV.PNTdE2AIs1l758GC1
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

[root@open*** migrationtools]# ./migrate_group.pl /etc/group ./group.ldif    /遷移組
[root@open*** migrationtools]# vi group.ldif

n: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 502

dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 503

[root@open*** ~]# ldapadd -D "cn=open***,dc=test.com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

解決方法:
[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"

[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

[root@open*** ~]# ldapadd -D "cn=open***,dc=test,dc=com" -W -x -f /usr/share/migrationtools/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"

adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"

[root@open*** ~]# ldapsearch -x -b "dc=test.com"    /報錯
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

解決方法:
[root@open*** ~]# ldapsearch -x -b "dc=test,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.com
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

# People, test.com
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, test.com
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZpd2VCMUN2JFVyTERETDl5V2k4VzdkalBKUW9zWEdFYjN2NVZ
 iU215aHpSZHVucFdISnNvMGh5c1hldXM5aTBjODd2WTJDVlFTYjB5U1UuVXY2bW9xelpCQjFuRi8v
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

# ldapuser2, People, test.com
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFJLM3p1ME5wJDJGc3NCZnUzWEpJZUtPbUp6eU9tWmdXb1hrOW5
 wa3BacXVHdmFjMEhvV2JlQjZBMWFOalguYTJteFFoUElpNm1oU2NWLlBOVGRFMkFJczFsNzU4R0Mx
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

# ldapuser1, Group, test.com
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 502

# ldapuser2, Group, test.com
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 503

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

 

2、OpenLDAP Client安裝和配置

[root@open***-client ~]# yum install openldap openldap-clients -y

[root@open***-client ~]# yum install -y nss-pam-ldapd pam_ldap

 

[root@open***-client ~]# vi /etc/openldap/ldap.conf

BASE dc=test,dc=com
URI ldap://192.168.4.178

[root@open***-client ~]# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:         files ldap

 

[root@open***-client ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

 

[root@open***-client ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required     pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required     pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required     pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

 

[root@open***-client ~]# service nslcd restart

[root@open***-client ~]#chkconfig nslcd on

 

3、經過NFS實現LDAP用戶/home的自動掛載

 

 

4、經過Phpldapadmin實現LDAP用戶的WEB建立和管理

相關文章
相關標籤/搜索