OpenLDAP+freeradius+samba+802.1x实现无线和有线网络认证+动态vlan下发——openLDAP篇(二)

本文涉及的产品
.cn 域名,1个 12个月
简介: OpenLDAP+freeradius+samba+802.1x实现无线和有线网络认证+动态vlan下发——openLDAP篇

四、LDAP的ACL


这个是注释一下添加的ACL意思,可能会多出空格,如果想要直接复制文本,请使用下面的文件。


可复制的slapd.ldif


## See slapd-config(5) for details on configuration options.# This file should NOT be world readable.#dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcLogLevel: stats
olcDisallows: bind_anon            ##关闭匿名访问## TLS settings#olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert130.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey130.pem
olcTLSVerifyClient: never## Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.##olcReferral: ldap://root.openldap.org## Sample security restrictions#    Require integrity protection (prevent hijacking)#    Require 112-bit (3DES or better) encryption for updates#    Require 64-bit encryption for simple bind##olcSecurity: ssf=1 update_ssf=112 simple_bind=64## Load dynamic backend modules:# - modulepath is architecture dependent value (32/64-bit system)# - back_sql.la backend requires openldap-servers-sql package# - dyngroup.la and dynlist.la cannot be used at the same time##dn: cn=module,cn=config#objectClass: olcModuleList#cn: module#olcModulepath:    /usr/lib/openldap#olcModulepath:    /usr/lib64/openldap#olcModuleload: accesslog.la#olcModuleload: auditlog.la#olcModuleload: back_dnssrv.la#olcModuleload: back_ldap.la#olcModuleload: back_mdb.la#olcModuleload: back_meta.la#olcModuleload: back_null.la#olcModuleload: back_passwd.la#olcModuleload: back_relay.la#olcModuleload: back_shell.la#olcModuleload: back_sock.la#olcModuleload: collect.la#olcModuleload: constraint.la#olcModuleload: dds.la#olcModuleload: deref.la#olcModuleload: dyngroup.la#olcModuleload: dynlist.la#olcModuleload: memberof.la#olcModuleload: pcache.la#olcModuleload: ppolicy.la#olcModuleload: refint.la#olcModuleload: retcode.la#olcModuleload: rwm.la#olcModuleload: seqmod.la#olcModuleload: smbk5pwd.la#olcModuleload: sssvlv.la#olcModuleload: syncprov.la#olcModuleload: translucent.la#olcModuleload: unique.la#olcModuleload: valsort.la## Schema settings#dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
include: file:///etc/openldap/schema/freeradius.ldif## Frontend settings#dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to attrs=userPassword.shadowLastChange        ##开启用户可以修改密码
      by dn.children="ou=Admin,dc=test,dc=net,dc=cn" write
      by anonymous auth
      by * none
olcAccess: to dn.subtree="dc=test,dc=net,dc=cn"        ##设置同步用户、搜索用户、可读,设置ldapadmin管理组
      by dn="cn=syncuser1,ou=Admin,dc=test,dc=net,dc=cn" read
      by dn="cn=clientsearch,ou=Admin,dc=test,dc=net,dc=cn" read
      by group.exact="cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn" write
      by users readolcAccess: to dn.subtree=""     #设置可以读取schema
      by * read## Sample global access control policy:#    Root DSE: allow anyone to read it#    Subschema (sub)entry DSE: allow anyone to read it#    Other DSEs:#        Allow self write access#        Allow authenticated users read access#        Allow anonymous users to authenticate##olcAccess: to dn.base="" by * read#olcAccess: to dn.base="cn=Subschema" by * read#olcAccess: to *#    by self write#    by users read#    by anonymous auth## if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn.  (e.g., "access to * by * read")## rootdn can always read and write EVERYTHING!### Configuration database#dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to *
      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by group.exact="cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn" write        #设置一个配置管理员
      by * none## Server status monitoring#dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=acadmin,dc=test,dc=net,dc=cn" read by * none## Backend database definitions#dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=net,dc=cn
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub


验证ACL

先创建一个基本域


vim /usr/share/migrationtools/migrate_common.ph
......$DEFAULT_MAIL_DOMAIN = "test.net.cn";                #改为我们的域名# Default base $DEFAULT_BASE = "dc=test,dc=net,dc=cn";                #改为我们的域名......$EXTENDED_SCHEMA = 1;                    #改为1


生成基本域


[root@ldap-master (15:24:08)/etc/openldap]# /usr/share/migrationtools/migrate_base.pl > /etc/openldap/basedomin.ldif


然后我们简化一下这个基本域里的内容


dn: dc=test,dc=net,dc=cn
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: test.net.cn
dn: ou=Admin,dc=test,dc=net,dc=cn
objectClass: top
objectClass: organizationalUnit
ou: Admin
dn: ou=People,dc=test,dc=net,dc=cn
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: test.net.cn
dn: ou=Group,dc=test,dc=net,dc=cn
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: test.net.cn


再生成几个基本账户


[root@ldap-master (15:53:06)/etc/openldap]# useradd test1[root@ldap-master (15:53:31)/etc/openldap]# useradd test2[root@ldap-master (15:53:34)/etc/openldap]# tail -2 /etc/passwdtest1:x:1000:1000::/home/test1:/bin/bash
test2:x:1001:1001::/home/test2:/bin/bash
[root@ldap-master (15:53:42)/etc/openldap]# tail -2 /etc/passwd > testuser[root@ldap-master (15:53:54)/etc/openldap]# tail -2 /etc/grouptest1:x:1000:
test2:x:1001:
[root@ldap-master (15:54:04)/etc/openldap]# tail -2 /etc/group > testgroup[root@ldap-master (15:54:12)/etc/openldap]# /usr/share/migrationtools/migrate_passwd.pl  testuser > testuser.ldif[root@ldap-master (15:55:49)/etc/openldap]# cat testuser.ldif dn: uid=test1,ou=People,dc=test,dc=net,dc=cn
uid: test1
cn: test1
sn: test1
mail: test1@test.net.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456shadowLastChange: 18232shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1000gidNumber: 1000homeDirectory: /home/test1
dn: uid=test2,ou=People,dc=test,dc=net,dc=cn
uid: test2
cn: test2
sn: test2
mail: test2@test.net.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456shadowLastChange: 18232shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1001gidNumber: 1001homeDirectory: /home/test2
[root@ldap-master (15:55:55)/etc/openldap]# /usr/share/migrationtools/migrate_group.pl testgroup > testgroup.ldif[root@ldap-master (15:56:22)/etc/openldap]# cat testgroup.ldif dn: cn=test1,ou=Group,dc=test,dc=net,dc=cn
objectClass: posixGroup
objectClass: top
cn: test1
userPassword: {crypt}x
gidNumber: 1000dn: cn=test2,ou=Group,dc=test,dc=net,dc=cn
objectClass: posixGroup
objectClass: top
cn: test2
userPassword: {crypt}x
gidNumber: 1001[root@ldap-master (15:56:29)/etc/openldap]#


然后将导入基本域的ldif配置添加到初始化脚本中。


#!/bin/bashrm -rf slapd.d/*
slapadd -n 0 -F slapd.d -l slapd.ldif
chown -R ldap:ldap slapd.d
systemctl restart slapd
ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f basedomin.ldif
ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testuser.ldif
ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testgroup.ldif


然后执行初始化脚本


[root@ldap-master (16:15:52)/etc/openldap]# sh config_init.sh _#################### 100.00% eta   none elapsed            none fast!         Closing DB...
adding new entry "dc=test,dc=net,dc=cn"adding new entry "ou=Admin,dc=test,dc=net,dc=cn"adding new entry "ou=People,dc=test,dc=net,dc=cn"adding new entry "ou=Group,dc=test,dc=net,dc=cn"adding new entry "uid=test1,ou=People,dc=test,dc=net,dc=cn"adding new entry "uid=test2,ou=People,dc=test,dc=net,dc=cn"adding new entry "cn=test1,ou=Group,dc=test,dc=net,dc=cn"adding new entry "cn=test2,ou=Group,dc=test,dc=net,dc=cn"


然后登陆ldapadmin软件,就能看见我们的基本用户了。


640.png


然后使用ldif文件,创建出configadmin,ldapadmin,syncuser1,clientsearch几个用户和属性。


[root@ldap-master (16:44:26)/etc/openldap]# cat ldapadmin.ldifdn: cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn
cn: ldapadmin
objectClass: groupOfNames
member: uid=test1,ou=People,dc=test,dc=net,dc=cn
dn: cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn
cn: configadmin
objectClass: groupOfNames
member: uid=test2,ou=People,dc=test,dc=net,dc=cn
dn: cn=syncuser1,ou=Admin,dc=test,dc=net,dc=cn
uid: syncuser1
cn: syncuser1
sn: syncuser1
mail: syncuser1@test.net.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456loginShell: /bin/bash
uidNumber: 6666gidNumber: 0homeDirectory: /home/syncuser1
dn: cn=clientsearch,ou=Admin,dc=test,dc=net,dc=cn
uid: clientsearch
cn: clientsearch
sn: clientsearch
mail: clientsearch@test.net.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456loginShell: /bin/bash
uidNumber: 7777gidNumber: 0homeDirectory: /home/clientsearch


执行脚本,导入这些用户


[root@ldap-master (16:42:25)/etc/openldap]# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f ldapadmin.ldif adding new entry "cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "uid=clientsearch,ou=Admin,dc=test,dc=net,dc=cn"


创建一个普通用户并导入


[root@ldap-master (16:50:00)/etc/openldap]# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f ljuser.ldif adding new entry "cn=lj2,ou=People,dc=test,dc=net,dc=cn"[root@ldap-master (16:50:21)/etc/openldap]# cat ljuser.ldif dn: cn=lj2,ou=People,dc=test,dc=net,dc=cn
uid: lj2
cn: lj2
sn: lj2
mail: lj2@test.net.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456shadowLastChange: 18232shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1006gidNumber: 0homeDirectory: /home/lj2


创建一个测试用的ldif


[root@ldap-master (16:53:14)/etc/openldap]# cat testgroup2.ldif dn: cn=testgroup2,ou=Group,dc=test,dc=net,dc=cn
objectClass: top
objectClass: posixGroup
gidNumber: 10086cn: testgroup2


开始测试:


| 用户 | 权限 |

|—|—|

|lj2  | 普通用户 |

|test1 | ldap管理员 |

|test2 | ldap配置管理员 |

1.使用普通用户测试


提示无写权限。


[root@ldap-master (16:54:58)/etc/openldap]# ldapadd -x -D "cn=lj2,ou=People,dc=test,dc=net,dc=cn" -w 123456 -f testgroup2.ldif adding new entry "cn=testgroup2,ou=Group,dc=test,dc=net,dc=cn"ldap_add: Insufficient access (50)
    additional info: no write access to parent


2.使用ldap管理员进行导入


成功导入。


[root@ldap-master (17:02:32)/etc/openldap]# ldapadd -x -D "uid=test1,ou=People,dc=test,dc=net,dc=cn" -w 123456 -f testgroup2.ldif adding new entry "cn=testgroup2,ou=Group,dc=test,dc=net,dc=cn"


3.测试匿名访问


640.jpg


4.使用普通用户修改配置


提示无权限修改。


[root@ldap-master (17:14:56)/etc/openldap]# ldapadd -x -D "cn=lj2,ou=people,dc=test,dc=net,dc=cn" -w 123456 -f testlog.ldif modifying entry "cn=config"ldap_modify: Insufficient access (50)


5.使用配置管理员修改配置


没有错误提示。


[root@ldap-master (17:15:09)/etc/openldap]# ldapadd -x -D "uid=test2,ou=people,dc=test,dc=net,dc=cn" -w 123456 -f testlog.ldif modifying entry "cn=config"


查看配置文件可以看到,日志级别已经修改为any。


[root@ldap-master (17:16:56)/etc/openldap]# cat slapd.d/cn\=config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.# CRC32 8bf1493ddn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcDisallows: bind_anon
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert130.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey130.pem
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
entryUUID: b45d4cce-a927-1039-9d2e-4dc306d98512
creatorsName: cn=config
createTimestamp: 20191202081554Z
olcLogLevel: any
entryCSN: 20191202091656.412168Z#000000#000#000000modifiersName: uid=test2,ou=People,dc=test,dc=net,dc=cn
modifyTimestamp: 20191202091656Z


五、ldap的高可用


1.环境准备


在ldap-slave上,配置和ldap-mstar一样的配置。这里使用了CA服务器的http服务当配置文件的中转站。


#1.初始化系统环境
#2.安装软件
yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools samba* freeradius*
#3.初始化配置文件
cd /etc/openldap
mv slapd.d{,.bak}
mkdir slapd.d
#密码:
ldap_passwd="{SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6"
#默认为123456,可使用slappasswd来生成新的密码。#下载主配置文件
wget -c http://192.168.2.148/init/slapd.ldif
wget -c http://192.168.2.148/init/config_init.sh
chmod u+x config_init
#4.拷贝schema文件
cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.ldif /etc/openldap/schema/
cp /usr/share/doc/freeradius-3.0.13/schemas/ldap/openldap/freeradius.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif /etc/openldap/schema/
#5.拷贝数据库文件
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
#6.配置日志模块
mkdir /var/log/slapd
touch /var/log/slapd/slapd.log
chown -R ldap:ldap /var/log/slapd
rm -f /etc/rsyslog.conf
wget http://192.168.2.148:/init/rsyslog.conf .
mv rsyslog.conf /etc/
cd /etc/logrotate.d/
wget http://192.168.2.148:/init/slapd
#7.安装phpldapadmin
yum -y install epel-release
yum -y install phpldapadmin
cd /etc/httpd/conf.d/
rm -f phpldapadmin.conf 
wget http://192.168.2.148:/init/phpldapadmin.conf
cd /etc/phpldapadmin/
rm -f config.php 
wget http://192.168.2.148:/init/config.php
#http的证书
cd /etc/httpd/
mkdir certs
wget http://192.168.2.148:/init/http_ca/openldapadmin.key
wget http://192.168.2.148:/init/http_ca/openldapadmin.csr
wget http://192.168.2.148:/init/http_ca/openldapadmin.crt
chmod 0400 openldapadmin.*
chown -R apache:apache /etc/httpd/certs
yum -y install mod_ssl
#openldap的证书
cd /etc/openldap/certs/
(umask 077;openssl genrsa -out openldapkey150.pem 2048)
openssl req -new -key openldapkey150.pem -out openldap150.csr -days 3650 -subj "/C=CN/ST=BeiJing/L=BeiJing/O=test.net.cn/OU=internet/CN=192.168.2.150"
scp openldap150.csr root@192.168.2.148:/root
#CA服务器的操作
cd /etc/pki/CA/
openssl ca -in /root/openldap150.csr -out /etc/pki/CA/certs/openldapcert150.crt -days 3650
scp cacert.pem certs/openldapcert150.crt root@192.168.2.150:/root
#ldap-slave的操作
cd /root
cp openldapcert150.crt cacert.pem /etc/openldap/certs/
chown -R ldap.ldap /etc/openldap/certs
chmod -R 0400 /etc/openldap/certs/openldap*
chmod -R 0400 /etc/openldap/certs/cacert.pem 
#修改slapd.ldif的文件
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert150.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey150.pem
#重新生成配置文件
cd /etc/openldap/
sh config_init.sh
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
#修改ldap.conf文件
###############
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=test,dc=net,dc=cn
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldaps://192.168.2.150
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT hard
#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT      /etc/openldap/certs/cacert.pem
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
################
#开启服务自启
systemctl enable httpd
systemctl enable slapd


2.验证环境


640.jpg


由此可见,我们的环境基本配置相同了,只有条目方面还没有配置。


3.开始配置主从同步


1.更新时间


这一步在初始化中就已经做完了


2.主机名互相解析


将ip地址和主机名添加到/etc/hosts文件中(两台机器都要操作)


192.168.2.147 ldap-master.test.net.cn192.168.2.150 ldap-slave.test.net.cn


3.使两个节点的数据一致。


主节点导出用户


[root@ldap-master (20:06:24)~]# ldapsearch -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -W -b "dc=test,dc=net,dc=cn" -LLL -H ldaps://192.168.2.147 > ldapdata.ldifEnter LDAP Password: 123456[root@ldap-master (20:06:53)~]# scp ldapdata.ldif root@192.168.2.150:/rootThe authenticity of host '192.168.2.150 (192.168.2.150)' can't be established.
ECDSA key fingerprint is SHA256:mM1dhjEqAsS+/GK7cnG1C6v72+gp/APGUCgnDopZWws.
ECDSA key fingerprint is MD5:bd:fc:1d:7d:ef:bc:1d:09:ba:0f:9b:88:f1:41:89:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.150' (ECDSA) to the list of known hosts.
root@192.168.2.150's password: 
ldapdata.ldif                                        100% 3346     2.1MB/s   00:00    [root@ldap-master (20:07:13)~]#


LDAP-slave导入用户


[root@ldap-slave (20:08:27)~]# ldapadd -x -W -D "cn=acadmin,dc=test,dc=net,dc=cn" -f ldapdata.ldif Enter LDAP Password: 
adding new entry "dc=test,dc=net,dc=cn"adding new entry "ou=Admin,dc=test,dc=net,dc=cn"adding new entry "ou=People,dc=test,dc=net,dc=cn"adding new entry "ou=Group,dc=test,dc=net,dc=cn"adding new entry "uid=test1,ou=People,dc=test,dc=net,dc=cn"adding new entry "uid=test2,ou=People,dc=test,dc=net,dc=cn"adding new entry "cn=test1,ou=Group,dc=test,dc=net,dc=cn"adding new entry "cn=test2,ou=Group,dc=test,dc=net,dc=cn"adding new entry "cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "uid=clientsearch,ou=Admin,dc=test,dc=net,dc=cn"adding new entry "cn=lj2,ou=People,dc=test,dc=net,dc=cn"adding new entry "cn=testgroup2,ou=Group,dc=test,dc=net,dc=cn"


640.jpg

640.jpg

4.打开同步模块


编辑/etc/openldap/slapd.ldif文件取消41、42、43、45、72行的注释


41 dn: cn=module,cn=config 42 objectClass: olcModuleList 43 cn: module 44 #olcModulepath: /usr/lib/openldap
 45 olcModulepath:  /usr/lib64/openldap 46 #olcModuleload: accesslog.la...... 72 olcModuleload: syncprov.la


5.配置一个开启主机节点设置的ldif文件。


[root@ldap-master (22:29:17)~]# cat sync_master.ldif # config syncprovdn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10olcSpSessionLog: 100# add indexdn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN,entryUUID eq


6.使用sync_master.ldif开启主节点设置


[root@ldap-master (22:28:30)~]# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_master.ldif SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"modifying entry "olcDatabase={2}hdb,cn=config"


7.从节点设置


同样创建一个sync_slave.ldif


[root@ldap-slave (22:43:12)~]# cat sync_slave.ldif # config syncprovdn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov# add indexdn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN,entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=002    #复制ID,每一个节点需要保持唯一ID
  provider=ldaps://192.168.2.147:636/  #主节点地址
  bindmethod=simple #简单认证模式
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn" #同步使用的账户,如果面不同步,请看这里,可能是uid和cn的问题。
  credentials=123456  #同步账户的密码
  searchbase="dc=test,dc=net,dc=cn"  #搜索的基本路径
  scope=sub #=subtree,包含自身及子子孙孙的条目
  schemachecking=on #校验schema
  type=refreshAndPersist # 持续同步,如果同步出现问题,下次同步不会重新同步,会接着上次的任务同步
  retry="5 5 300 +" #尝试时间,5分钟尝试一次,尝试5次后,每隔300秒重试一次
  attrs="*,+" #同步所有属性
  interval=00:00:00:10 #每隔10s同步一次


可复制文本


# config syncprovdn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov# add indexdn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN,entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=002
  provider=ldaps://192.168.2.147:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials=123456
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10


使用sync_slave.ldif去开启从节点的同步


[root@ldap-slave (22:43:06)~]# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_slave.ldif SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"modifying entry "olcDatabase={2}hdb,cn=config"


8.创建sync_group来测试主从同步

640.jpg

640.jpg


(可选)8.1.配置镜像模式


master:


在slapd.ldif文件最下面追加


olcDbIndex: entryCSN,entryUUID eq
olcMirrorMode: on
olcSyncRepl: rid=001
  provider=ldaps://192.168.2.150:636/  #有条件的可以设置为域名
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10olcSpSessionLog: 100


slave


olcDbIndex: entryCSN,entryUUID eq
olcMirrorMode: on
olcSyncRepl: rid=002
  provider=ldaps://192.168.2.147:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10olcSpSessionLog: 100


(可选)8.2.配置双主模式


这里需要设置为域名访问,上面签发证书时使用的是ip地址,可以重新生成域名的证书,或更改ldap.conf里面的客户端验证模式为never


[root@ldap-slave (01:01:18)/etc/openldap]# cat ldap.conf ## LDAP Defaults## See ldap.conf(5) for details# This file should be world readable but not world writable.BASE    dc=test,dc=net,dc=cn#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666URI    ldaps://192.168.2.150#SIZELIMIT    12#TIMELIMIT    15#DEREF        neverTLS_REQCERT never
TLS_CACERT    /etc/openldap/certs/cacert.pem# Turning this off breaks GSSAPI used with krb5 when rdns = falseSASL_NOCANON    on


master-1


## See slapd-config(5) for details on configuration options.# This file should NOT be world readable.#dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcLogLevel: stats
olcDisallows: bind_anon## TLS settings#olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert147.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey147.pem
olcTLSVerifyClient: never
olcServerID: 1 ldaps://ldap-master.test.net.cn
olcServerID: 2 ldaps://ldap-slave.test.net.cn## Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.##olcReferral: ldap://root.openldap.org## Sample security restrictions#    Require integrity protection (prevent hijacking)#    Require 112-bit (3DES or better) encryption for updates#    Require 64-bit encryption for simple bind##olcSecurity: ssf=1 update_ssf=112 simple_bind=64## Load dynamic backend modules:# - modulepath is architecture dependent value (32/64-bit system)# - back_sql.la backend requires openldap-servers-sql package# - dyngroup.la and dynlist.la cannot be used at the same time#dn: cn=module,cn=config
objectClass: olcModuleList
cn: module#olcModulepath:    /usr/lib/openldapolcModulepath:    /usr/lib64/openldap#olcModuleload: accesslog.la#olcModuleload: auditlog.la#olcModuleload: back_dnssrv.la#olcModuleload: back_ldap.la#olcModuleload: back_mdb.la#olcModuleload: back_meta.la#olcModuleload: back_null.la#olcModuleload: back_passwd.la#olcModuleload: back_relay.la#olcModuleload: back_shell.la#olcModuleload: back_sock.la#olcModuleload: collect.la#olcModuleload: constraint.la#olcModuleload: dds.la#olcModuleload: deref.la#olcModuleload: dyngroup.la#olcModuleload: dynlist.la#olcModuleload: memberof.la#olcModuleload: pcache.la#olcModuleload: ppolicy.la#olcModuleload: refint.la#olcModuleload: retcode.la#olcModuleload: rwm.la#olcModuleload: seqmod.la#olcModuleload: smbk5pwd.la#olcModuleload: sssvlv.laolcModuleload: syncprov.la#olcModuleload: translucent.la#olcModuleload: unique.la#olcModuleload: valsort.la## Schema settings#dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
include: file:///etc/openldap/schema/freeradius.ldif## Frontend settings#dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to attrs=userPassword,shadowLastChange
      by dn.children="ou=Admin,dc=test,dc=net,dc=cn" write
      by anonymous auth
      by self write
      by * none
olcAccess: to dn.subtree="dc=test,dc=net,dc=cn"
      by dn="cn=syncuser1,ou=Admin,dc=test,dc=net,dc=cn" read
      by dn="cn=clientsearch,ou=Admin,dc=test,dc=net,dc=cn" read
      by group.exact="cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn" write
      by users readolcAccess: to dn.subtree=""
      by * read## Sample global access control policy:#    Root DSE: allow anyone to read it#    Subschema (sub)entry DSE: allow anyone to read it#    Other DSEs:#        Allow self write access#        Allow authenticated users read access#        Allow anonymous users to authenticate##olcAccess: to dn.base="" by * read#olcAccess: to dn.base="cn=Subschema" by * read#olcAccess: to *#    by self write#    by users read#    by anonymous auth## if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn.  (e.g., "access to * by * read")## rootdn can always read and write EVERYTHING!### Configuration database#dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to *
      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by group.exact="cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn" write
      by * none## Server status monitoring#dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=acadmin,dc=test,dc=net,dc=cn" read by * none## Backend database definitions#dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=net,dc=cn
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryCSN,entryUUID eq
olcMirrorMode: on
olcSyncRepl: rid=001
  provider=ldaps://192.168.2.147:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10olcSyncRepl: rid=002
  provider=ldaps://192.168.2.150:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10olcSpSessionLog: 100


master-2


## See slapd-config(5) for details on configuration options.# This file should NOT be world readable.#dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcLogLevel: stats
olcDisallows: bind_anon## TLS settings#olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapcert150.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapkey150.pem
olcTLSVerifyClient: never
olcServerID: 1 ldaps://ldap-master.test.net.cn
olcServerID: 2 ldaps://ldap-slave.test.net.cn## Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.##olcReferral: ldap://root.openldap.org## Sample security restrictions#    Require integrity protection (prevent hijacking)#    Require 112-bit (3DES or better) encryption for updates#    Require 64-bit encryption for simple bind##olcSecurity: ssf=1 update_ssf=112 simple_bind=64## Load dynamic backend modules:# - modulepath is architecture dependent value (32/64-bit system)# - back_sql.la backend requires openldap-servers-sql package# - dyngroup.la and dynlist.la cannot be used at the same time#dn: cn=module,cn=config
objectClass: olcModuleList
cn: module#olcModulepath:    /usr/lib/openldapolcModulepath:    /usr/lib64/openldap#olcModuleload: accesslog.la#olcModuleload: auditlog.la#olcModuleload: back_dnssrv.la#olcModuleload: back_ldap.la#olcModuleload: back_mdb.la#olcModuleload: back_meta.la#olcModuleload: back_null.la#olcModuleload: back_passwd.la#olcModuleload: back_relay.la#olcModuleload: back_shell.la#olcModuleload: back_sock.la#olcModuleload: collect.la#olcModuleload: constraint.la#olcModuleload: dds.la#olcModuleload: deref.la#olcModuleload: dyngroup.la#olcModuleload: dynlist.la#olcModuleload: memberof.la#olcModuleload: pcache.la#olcModuleload: ppolicy.la#olcModuleload: refint.la#olcModuleload: retcode.la#olcModuleload: rwm.la#olcModuleload: seqmod.la#olcModuleload: smbk5pwd.la#olcModuleload: sssvlv.laolcModuleload: syncprov.la#olcModuleload: translucent.la#olcModuleload: unique.la#olcModuleload: valsort.la## Schema settings#dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
include: file:///etc/openldap/schema/freeradius.ldif## Frontend settings#dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to attrs=userPassword,shadowLastChange
      by dn.children="ou=Admin,dc=test,dc=net,dc=cn" write
      by anonymous auth
      by self write
      by * none
olcAccess: to dn.subtree="dc=test,dc=net,dc=cn"
      by dn="cn=syncuser1,ou=Admin,dc=test,dc=net,dc=cn" read
      by dn="cn=clientsearch,ou=Admin,dc=test,dc=net,dc=cn" read
      by group.exact="cn=ldapadmin,ou=Admin,dc=test,dc=net,dc=cn" write
      by users readolcAccess: to dn.subtree=""
      by * read## Sample global access control policy:#    Root DSE: allow anyone to read it#    Subschema (sub)entry DSE: allow anyone to read it#    Other DSEs:#        Allow self write access#        Allow authenticated users read access#        Allow anonymous users to authenticate##olcAccess: to dn.base="" by * read#olcAccess: to dn.base="cn=Subschema" by * read#olcAccess: to *#    by self write#    by users read#    by anonymous auth## if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn.  (e.g., "access to * by * read")## rootdn can always read and write EVERYTHING!### Configuration database#dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to *
      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by group.exact="cn=configadmin,ou=Admin,dc=test,dc=net,dc=cn" write
      by * none## Server status monitoring#dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=acadmin,dc=test,dc=net,dc=cn" read by * none## Backend database definitions#dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=net,dc=cn
olcRootDN: cn=acadmin,dc=test,dc=net,dc=cn
olcRootPW: {SSHA}hnxiKpbSXyzF1sazYma5FBlkdD39dpU6
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryCSN,entryUUID eq
olcMirrorMode: on
olcSyncRepl: rid=001
  provider=ldaps://ldap-master.test.net.cn:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10olcSyncRepl: rid=002
  provider=ldaps://ldap-slave.test.net.cn:636/
  bindmethod=simple
  binddn="uid=syncuser1,ou=Admin,dc=test,dc=net,dc=cn"
  credentials="123456"
  searchbase="dc=test,dc=net,dc=cn"
  scope=sub
  schemachecking=on  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10olcSpSessionLog: 100
相关文章
|
2月前
|
Ubuntu 网络安全 图形学
Ubuntu学习笔记(二):ubuntu20.04解决右上角网络图标激活失败或者消失,无法连接有线问题。
在Ubuntu 20.04系统中解决网络图标消失和无法连接有线网络问题的方法,其中第三种方法通过检查并确保Windows防火墙中相关服务开启后成功恢复了网络连接。
806 0
Ubuntu学习笔记(二):ubuntu20.04解决右上角网络图标激活失败或者消失,无法连接有线问题。
|
2月前
|
传感器 算法 C语言
基于无线传感器网络的节点分簇算法matlab仿真
该程序对传感器网络进行分簇,考虑节点能量状态、拓扑位置及孤立节点等因素。相较于LEACH算法,本程序评估网络持续时间、节点死亡趋势及能量消耗。使用MATLAB 2022a版本运行,展示了节点能量管理优化及网络生命周期延长的效果。通过簇头管理和数据融合,实现了能量高效和网络可扩展性。
100 10
|
3月前
|
传感器 监控 物联网
无线传感器网络的基本架构及其广泛应用
无线传感器网络的基本架构及其广泛应用
343 0
|
4月前
|
安全 网络安全 数据安全/隐私保护
网络安全之双因素认证
【8月更文挑战第12天】
350 2
|
5月前
|
传感器 算法
基于无线传感器网络的MCKP-MMF算法matlab仿真
MCKP-MMF算法是一种启发式流量估计方法,用于寻找无线传感器网络的局部最优解。它从最小配置开始,逐步优化部分解,调整访问点的状态。算法处理访问点的动态影响半径,根据带宽需求调整,以避免拥塞。在MATLAB 2022a中进行了仿真,显示了访问点半径请求变化和代价函数随时间的演变。算法分两阶段:慢启动阶段识别瓶颈并重设半径,随后进入周期性调整阶段,追求最大最小公平性。
基于无线传感器网络的MCKP-MMF算法matlab仿真
|
5月前
|
监控 安全 网络协议
|
4月前
|
安全 网络安全 数据安全/隐私保护
|
5月前
|
传感器 算法
基于无线传感器网络的LC-DANSE波束形成算法matlab仿真
摘要: 此MATLAB程序对比了LC-DANSE与LCMV波束形成算法在无线传感器网络中的性能,基于SNR和MSE指标。测试在MATLAB 2022a环境下进行。核心代码涉及权重更新迭代,用于调整传感器节点权重以增强目标信号。LC-DANSE是分布式自适应算法,关注多约束条件下的噪声抑制;LCMV则是经典集中式算法,侧重单个期望信号方向。两者在不同场景下各有优势。程序结果显示SNR和MSE随迭代变化趋势,并保存结果数据。
|
10天前
|
SQL 安全 网络安全
网络安全与信息安全:知识分享####
【10月更文挑战第21天】 随着数字化时代的快速发展,网络安全和信息安全已成为个人和企业不可忽视的关键问题。本文将探讨网络安全漏洞、加密技术以及安全意识的重要性,并提供一些实用的建议,帮助读者提高自身的网络安全防护能力。 ####
47 17
|
20天前
|
存储 SQL 安全
网络安全与信息安全:关于网络安全漏洞、加密技术、安全意识等方面的知识分享
随着互联网的普及,网络安全问题日益突出。本文将介绍网络安全的重要性,分析常见的网络安全漏洞及其危害,探讨加密技术在保障网络安全中的作用,并强调提高安全意识的必要性。通过本文的学习,读者将了解网络安全的基本概念和应对策略,提升个人和组织的网络安全防护能力。

热门文章

最新文章