OpenLdap配置与管理

简介:

服务器端配置

yum install openldap-servers


slapd配置


[root@public-puppet01-P-Z ~]# slappasswd -h {MD5}

New password: 

Re-enter new password: 

{MD5}sBICuL/nbqxH63QBPkxqrw==


1、/etc/openldap/slapd.conf

# /etc/openldap/slapd.conf — server-side configuration used in this guide.
# Schema files loaded by the server (objectClasses/attributes used below
# such as inetOrgPerson, posixAccount/nis, ppolicy come from these).
include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema


# Accept LDAPv2 bind requests from legacy clients; remove once no v2
# clients remain.
allow bind_v2


pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args


# Primary directory: Berkeley DB backend rooted at the suffix below.
database        bdb

suffix          "dc=chanjetoms,dc=com"

# rootdn bypasses every ACL in this file; rootpw is the hash printed by
# `slappasswd -h {MD5}` earlier in this guide.
# NOTE(review): {MD5} is an unsalted scheme — {SSHA} (slappasswd's default)
# is preferable — and this file must stay readable by the ldap user only,
# since the hash is an offline-crackable equivalent of the Manager password.
rootdn          "cn=Manager,dc=chanjetoms,dc=com"

rootpw          {MD5}sBICuL/nbqxH63QBPkxqrw==


# On-disk location of the bdb files (id2entry.bdb etc.); the slaptest error
# later in this guide appears when this directory is missing or not owned
# by the ldap user.
directory       /var/lib/ldap


# Indexes for the attributes nss/pam clients search on.
index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub


# cn=Monitor backend (server statistics).
database monitor


# ACLs are evaluated in order; the first <what> clause that matches wins.
# Password attributes: only the entry itself may write them; everyone else
# may use them for authentication only (never read).
access to attrs=shadowLastChange,userPassword

        by self write

        by * auth


# Everything else is readable by anyone, including anonymous binds.
# NOTE(review): tighten to `by users read` (or per-attribute rules) if the
# directory holds data that should not be world-readable.
access to *

        by * read

2、/etc/openldap/ldap.conf

BASE dc=chanjetoms,dc=com

URI ldap://10.10.10.10

TLS_CACERTDIR /etc/openldap/cacerts


[root@dns1 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@dns1 openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG

[root@dns1 openldap]# 



# enable monitoring

database monitor


启动:

[root@common0 ~]# service slapd start

正在启动 slapd:                                           [确定]


报错:

ldapadd ldap_bind: Invalid credentials (49)

解决方法:

# NOTE(review): the service starts slapd from the cn=config tree in
# /etc/openldap/slapd.d when it is present, so a rootpw set only in
# slapd.conf is not in effect and binds fail with "Invalid credentials (49)".
# The steps below regenerate slapd.d from slapd.conf.
rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d


# Hand the generated tree to the service account, then reset permissions to
# owner-only (000 first, then u+rwX: rwx on directories, rw on files) so other
# local users cannot read the rootpw hash that is copied into slapd.d.
chown -R ldap.ldap /etc/openldap/slapd.d/

chmod -R 000 /etc/openldap/slapd.d/

chmod -R u+rwX /etc/openldap/slapd.d/


同步复制配置

Master:

#Replicas of this database
# NOTE(review): replica/replogfile are the legacy slurpd-style directives;
# the openldap-servers-2.4.x packages referenced elsewhere on this page use
# syncrepl instead — confirm which server version this section was tested on.
replogfile /var/lib/ldap/replog

# Push changes to the slave as Manager. The bind goes to plain port 389 with
# bindmethod=simple and no tls= option, so the Manager password crosses the
# network unencrypted; it is also stored here in cleartext, so keep this file
# readable by the ldap user only.
# NOTE(review): the base here (dc=oms,dc=com) differs from the
# dc=chanjetoms,dc=com suffix in the slapd.conf above — both sides must use
# the same suffix.
replica host=ldap.ops.com:389

        binddn="cn=Manager,dc=oms,dc=com"

        credentials=secret

        bindmethod=simple


Slave:

# Only this DN (the one the master binds with) may write to the replica;
# any other write attempt is referred back to the master via updateref.
updatedn "cn=Manager,dc=oms,dc=com"

updateref ldap://ldap.ops.com:389/


master上日志(/usr/sbin/slapd -d 256)

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 fd=13 ACCEPT from IP=192.168.52.145:58109 (IP=0.0.0.0:389)

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=0 BIND dn="" method=128

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=0 RESULT tag=97 err=0 text=

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=1 SRCH base="dc=oms,dc=com" scope=2 deref=0 filter="(objectClass=*)"

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=2 UNBIND

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 fd=13 closed


******************************

客户端配置

setup

没有找到 /lib64/libnss_ldap.so.2 文件。

LDAP支持需要这个文件方可正常工作。

安装提供该文件的 nss-pam-ldapd 软件包。


# yum install nss-pam-ldapd


# vim /etc/nsswitch.conf

#

# /etc/nsswitch.conf

#

# An example Name Service Switch config file. This file should be

# sorted with the most-used services at the beginning.

#

# The entry '[NOTFOUND=return]' means that the search for an

# entry should stop if the search in the previous entry turned

# up nothing. Note that if the search failed due to some other reason

# (like no NIS server responding) then the search continues with the

# next entry.

#

# Valid entries include:

#

#       nisplus                 Use NIS+ (NIS version 3)

#       nis                     Use NIS (NIS version 2), also called YP

#       dns                     Use DNS (Domain Name Service)

#       files                   Use the local files

#       db                      Use the local database (.db) files

#       compat                  Use NIS on compat mode

#       hesiod                  Use Hesiod for user lookups

#       [NOTFOUND=return]       Stop searching if not found so far

#


# To use db, put the "db" in front of "files" for entries you want to be

# looked up first in the databases

#

# Example:

#passwd:    db files nisplus nis

#shadow:    db files nisplus nis

#group:     db files nisplus nis


passwd:     files ldap

shadow:     files ldap

group:      files ldap


#hosts:     db files nisplus nis dns

hosts:      files dns


# Example - obey only what nisplus tells us...

#services:   nisplus [NOTFOUND=return] files

#networks:   nisplus [NOTFOUND=return] files

#protocols:  nisplus [NOTFOUND=return] files

#rpc:        nisplus [NOTFOUND=return] files

#ethers:     nisplus [NOTFOUND=return] files

#netmasks:   nisplus [NOTFOUND=return] files     


bootparams: nisplus [NOTFOUND=return] files


ethers:     files

netmasks:   files

networks:   files

protocols:  files

rpc:        files

services:   files


netgroup:   nisplus


publickey:  nisplus


automount:  files nisplus

aliases:    files nisplus


# vim /etc/sysconfig/authconfig

USEMKHOMEDIR=yes

USEPAMACCESS=no

CACHECREDENTIALS=yes

USESSSDAUTH=no

USESHADOW=yes

USEWINBIND=no

USESSSD=no

PASSWDALGORITHM=md5

FORCELEGACY=no

USEFPRINTD=no

USEHESIOD=no

FORCESMARTCARD=no

USELDAPAUTH=yes

USELDAP=yes

USECRACKLIB=yes

USEWINBINDAUTH=no

USESMARTCARD=no

USELOCAUTHORIZE=yes

USENIS=no

USEKERBEROS=no

USESYSNETAUTH=no

USESMBAUTH=no

USEDB=no

USEPASSWDQC=no


# vim /etc/openldap/ldap.conf

BASE dc=oms,dc=com

URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com


# vim /etc/pam_ldap.conf

BASE dc=oms,dc=com

URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com

pam_check_host_attr yes


# vim /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

# auth: local /etc/shadow is tried first, then LDAP; pam_deny closes the stack.
auth        required      pam_env.so

# NOTE(review): nullok lets a local account with an empty password field log
# in without a password — drop it unless that is intended.
auth        sufficient    pam_unix.so nullok try_first_pass

# Only non-system accounts (uid >= 500) fall through to LDAP; requisite
# means a lower uid fails here immediately.
auth        requisite     pam_succeed_if.so uid >= 500 quiet

# Reuses the password already collected by pam_unix instead of prompting again.
auth        sufficient    pam_ldap.so use_first_pass

auth        required      pam_deny.so


account     required      pam_unix.so broken_shadow

# Local users and system uids are accepted without consulting LDAP.
account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

# LDAP account checks (presumably where the host restriction enabled by
# pam_check_host_attr in /etc/pam_ldap.conf is enforced); users unknown to
# LDAP are ignored here rather than rejected.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so


password    requisite     pam_cracklib.so try_first_pass retry=3 type=

# Local passwords are hashed with md5 (matches PASSWDALGORITHM=md5 in
# /etc/sysconfig/authconfig); sha512 is the stronger option where supported.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so


session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

# Creates a missing home directory on first login; umask=0022 yields a
# world-readable (0755) home — use umask=0077 if homes must be private.
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_ldap.so


#nslcd.conf不用配置,缓存服务由nscd提供,而不是nslcd。

# vim /etc/nslcd.conf

# /etc/nslcd.conf — name-service LDAP daemon from nss-pam-ldapd.
# Unprivileged user/group the daemon drops to after start-up.
uid nslcd

gid ldap

# Servers to contact (master first, slave presumably used as fallback).
uri ldap://ldap-master.ops.com ldap://ldap-slave.ops.com

base dc=oms,dc=com

# NOTE(review): ssl no together with ldap:// URIs means every lookup, and any
# password bind nslcd performs on behalf of pam_ldap, crosses the network in
# clear; tls_cacertdir below has no effect until TLS is enabled
# (e.g. `ssl start_tls`).
ssl no

tls_cacertdir /etc/openldap/cacerts


/etc/pam.d/system-auth-ac #设置setup中的“使用MD5密码”

/etc/pam.d/password-auth #也需按同样方式配置,否则无法通过 LDAP 登录


--------------------

错误信息:

[root@wade28 openldap]# service slapd restart

Stopping slapd:                                            [  OK  ]

Checking configuration files for slapd:                    [WARNING]

bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).

Expect poor performance for suffix "dc=my-domain,dc=com".

config file testing succeeded

Starting slapd:                                            [  OK  ]


解决方法:

该错误不影响ldap验证服务;若一定要解决,执行以下命令即可

[root@wade28 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown -R ldap /var/lib/ldap

OR:

/usr/share/openldap-servers/DB_CONFIG.example


*********************

安装包依赖:

[root@h1 ~]# rpm -ivh openldap-servers-2.3.43-12.el5.i386.rpm 

error: Failed dependencies:

        libltdl.so.3 is needed by openldap-servers-2.3.43-12.el5.i386

        openldap = 2.3.43-12.el5 is needed by openldap-servers-2.3.43-12.el5.i386


解决方法:

[root@h1 ~]# rpm -ivh libtool-ltdl-devel-1.5.22-7.el5_4.i386.rpm libtool-ltdl-1.5.22-7.el5_4.i386.rpm 

Preparing...                ########################################### [100%]

   1:libtool-ltdl           ########################################### [ 50%]

   2:libtool-ltdl-devel     ########################################### [100%]

   


***********************************

[root@xiangjingdev40_v_o openldap]# slaptest -f slapd.conf -F slapd.d/

bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).

Expect poor performance for suffix "dc=chanjetoms,dc=com".

bdb_db_open: database "dc=chanjetoms,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).

backend_startup_one (type=bdb, suffix="dc=chanjetoms,dc=com"): bi_db_open failed! (2)

slap_startup failed (test would succeed using the -u switch)



解决方法:

chown ldap.ldap /var/lib/ldap

/etc/init.d/slapd start

ls -lh /var/lib/ldap/        # 查看 db 文件是否已生成

[root@www ldap]# slaptest -f /etc/openldap/slapd.conf 

config file testing succeeded






本文转自 baiying 51CTO博客,原文链接:http://blog.51cto.com/baiying/1428731,如需转载请自行联系原作者