安装OpenLDAP和客户端

简介: 安装OpenLDAP和客户端

生产环境中CDH集群需要启用安全认证,在CDH7以后,Ranger被替换成了Ranger,因此启用安全认证的步骤包括:集群安装并启用Kerberos,安装OpenLDAP和客户端,集成sssd和SSH,Hive、impala、hue集成LDAPRanger集成LDAP,这几个步骤我们分成几篇文章都有详细的操作。

本篇文章主要讲解如何安装OpenLDAP和客户端,需要注意的是,CDP中的Hue要求OpenLDAP启用TLS,否则集成Ldap无法同步用户。

OpenLDAP安装及配置

1.执行如下命令安装OpenLDAP服务

[root@cdh1 ~]# yum -y install openldap-clients openldap openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl


查看安装的RPM包

[root@cdh1 ~]# rpm -qa |grep openldap
openldap-devel-2.4.40-8.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.40-8.el7.x86_64
openldap-servers-2.4.40-8.el7.x86_64
openldap-clients-2.4.40-8.el7.x86_64


2 使用openssl生成TLS加密文件

使用如下命令生成服务器的RSA私钥


[root@cdh1 ~]# openssl genrsa -out ldap.key 1024
Generating RSA private key, 1024 bit long modulus
..................................++++++
.++++++
e is 65537 (0x10001)

使用如下命令生成签名文件


[root@cdh1 ~]# openssl req -new -key ldap.key -out ldap.csr

只需要在Common Name处填写当前服务器的hostname,其他处留空。

使用如下命令生成公钥文件


[root@cdh1 ~]# openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt

将生成的公钥文件和私钥拷贝至/etc/openldap/certs目录下

[root@cdh1 ~]# cp ldap.crt ldap.key /etc/openldap/certs/
[root@cdh1 certs]# ll
total 92
-rw-r--r--. 1 root root 65536 Dec 18  2019 cert8.db
-rw-r--r--. 1 root root 16384 Dec 18  2019 key3.db
-rw-r--r--  1 root root   814 Dec 18  2019 ldap.crt
-rw-r--r--  1 root root   887 Dec 18  2019 ldap.key
-r--r-----. 1 root ldap    45 Apr 19  2018 password
-rw-r--r--. 1 root root 16384 Apr 19  2018 secmod.db


3 修改OpenLDAP的slapd.ldif配置文件

安装OpenLDAP服务后默认的配置文件及数据库文件在/usr/share/openldap-servers目录下,将slapd.ldif拷贝至/root目录下


cd /usr/share/openldap-servers
cp slapd.ldif /root/


修改slapd.ldif文件,配置TLS密钥路径,增加include的文件及配置管理员账号和OpenLDAP的根域信息,完整文件如下:

[root@cdh1 ~]# cat slapd.ldif 
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=macro,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=macro,dc=com
olcRootDN: cn=Manager,dc=macro,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub


4.删除掉原来的配置,重新生成OpenLDAP的配置

[root@cdh1 slapd.d]# rm -rf /etc/openldap/slapd.d/*
[root@cdh1 slapd.d]# slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif

测试配置文件是否正确,返回“config file testing succeeded”则表示配置文件正确

[root@cdh1 ~]# slaptest -u -F /etc/openldap/slapd.d
config file testing succeeded
[root@cdh1 ~]# chown -R ldap. /etc/openldap/slapd.d/
[root@cdh1 ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 ldap ldap 4096 Dec 19  2019 cn=config
-rw------- 1 ldap ldap  600 Dec 19  2019 cn=config.ldif

5.安装OpenLDAP的数据库文件

将/usr/share/openldap-servers/目录下的DB_CONFIG.example文件拷贝至/var/lib/ldap目录下并重命名为DB_CONFIG,操作如下:


[root@cdh1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

修改数据库文件属主


[root@cdh01 lib]# chown -R ldap. /var/lib/ldap
[root@cdh01 lib]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap   845 Feb  9  2020 DB_CONFIG


6.完成上述操作后,执行如下命令将slapd服务添加到系统自启动服务并启动slapd服务,查看服务启动状态

[root@cdh1 lib]# systemctl enable slapd
[root@cdh1 lib]# systemctl start slapd
[root@cdh1 lib]# systemctl status slapd

到此OpenLDAP服务安装成功。

导入根域和管理员账户

1.创建root.ldif文件,内容如下

[root@cdh1 ~]# vim root.ldif
dn: dc=macro,dc=com
dc: macro
objectClass: top
objectClass: domain
dn: cn=Manager,dc=macro,dc=com
objectClass: organizationalRole
cn: Manager


2.导入根域及管理员信息到OpenLDAP服务中

[root@cdh1 ~]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f root.ldif 
Enter LDAP Password: 
adding new entry "dc=macro,dc=com"
adding new entry "cn=Manager,dc=macro,dc=com"


3.查看导入是否成功


[root@cdh1 ~]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W

导入基础文件、用户和用户组

前面安装了migrationtools服务,这里可以通过该服务生成OpenLDAP的基础文件、用户和用户组的ldif文件。1.进入/usr/share/migrationtools/目录修改migrate_common.ph文件,将文件中的$DEFAULT_MAIL_DOMAIN和$DEFAULT_BASE修改为自己OpenLDAP的域

[root@cdh1 ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "macro.com";
# Default base 
$DEFAULT_BASE = "dc=macro,dc=com";


2.使用如下命令导出OpenLdap的base.ldif文件


[root@cdh1 ~]# /usr/share/migrationtools/migrate_base.pl >base.ldif

3.执行如下命令导出操作系统的group.ldif文件


[root@cdh1 ~]# /usr/share/migrationtools/migrate_group.pl /etc/group >group.ldif

4.使用如下命令导出操作系统用户的ldif文件


[root@cdh1 ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif

使用ldapadd命令将基础文件和用户和组导入OpenLDAP


[root@cdh1 ldap]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f base.ldif

4.查看是否导入成功


[root@cdh1 ldap]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W | grep dn

OpenLDAP客户端配置

1.在所有客户端节点安装OpenLDAP的客户端软件包


yum install -y openldap-clients

2.修改/etc/openldap/ldap.conf文件,内容如下

[root@cdh2 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://cdh1.macro.com
BASE dc=macro,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on


3.测试客户端是否配置成功

[root@cdh2 ~]# ldapsearch -D "cn=Manager,dc=macro,dc=com" -W |grep dn
Enter LDAP Password: 
dn: dc=macro,dc=com
dn: cn=Manager,dc=macro,dc=com
dn: ou=People,dc=macro,dc=com
dn: ou=Group,dc=macro,dc=com
dn: cn=root,ou=Group,dc=macro,dc=com
dn: cn=bin,ou=Group,dc=macro,dc=com
dn: cn=daemon,ou=Group,dc=macro,dc=com
dn: cn=sys,ou=Group,dc=macro,dc=com
相关文章
|
域名解析 Linux 网络安全
CentOS-7.2部署OpenLDAP服务器以及客户端
CentOS-7.2部署OpenLDAP服务器以及客户端
600 0
CentOS-7.2部署OpenLDAP服务器以及客户端
|
7月前
openLdap相关配置、命令以及遇到的问题
openLdap相关配置、命令以及遇到的问题
119 0
|
Linux Apache PHP
LDAP的安装与使用
openldap的安装与使用
689 1
|
监控 PHP
【LDAP安装】在已编译安装的PHP环境下安装LDAP模块
在已编译安装的PHP环境下安装LDAP模块 (其他模块也能以这个方式安装) 1、在PHP源码包内找到ldap模块文件 cd php-5.6.37 cd ext/ldap/ 2、phpize命令是用来准备 PHP 扩展库的编译环境 phpize .
2331 0
|
数据安全/隐私保护