统一用户登录管理认证LDAP 服务端部署

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了统一用户登录管理认证LDAP 服务端部署相关的知识,希望对你有一定的参考价值。

   网上找了好多关于LDAP统一账户管理的文件,好多都是粘贴复制,能用得上的少之又少,正好最近又用到这个,于是着手看了郭老师的视频,顺便把自己学习的过程记录下来,供大家学习参考。


1、实验环境:

[[email protected] ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core)
[[email protected] ~]# ifconfig 
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.153  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::20c:29ff:fefe:6478  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fe:64:78  txqueuelen 1000  (Ethernet)
        RX packets 37181  bytes 9238204 (8.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5520  bytes 701406 (684.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 111  bytes 9451 (9.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 111  bytes 9451 (9.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[[email protected] ~]#


2、部署过程:

yum install openldap-servers openldap-clients

dn:

changetype: modify

add/delete/replace

olcRootPW: 

objectClass:


2.1、安装部署服务端和相应程序包

[[email protected] ~]# yum install openldap-servers openldap-clients
[[email protected] ~]# systemctl start slapd.service
[[email protected] ~]# systemctl status slapd.service
[[email protected] ~]# ps xua|grep slapd
ldap      2440  0.0  0.9  78592  4924 ?        Ssl  02:33   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root      2444  0.0  0.1 112644   952 pts/0    S+   02:33   0:00 grep --color=auto slapd
[[email protected] ~]#

  查看服务端口:

[[email protected] ~]# netstat -lnptp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1116/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2215/master         
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2440/slapd          
tcp6       0      0 :::22                   :::*                    LISTEN      1116/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2215/master         
tcp6       0      0 :::389                  :::*                    LISTEN      2440/slapd          
[[email protected] ~]#

  ldap默认端口为389,如果加密(CA +LDAP)了用端口636,这里默认端口636已经开启了

对于ldap服务命令需要注意的:

一般以slapxxxx形式出现的命令为服务端命令,而以ldapxxxx形式出现的命令为客户端命令,比如下两个:

slappasswd  服务端命令

ldappasswd  客户端命令


2.2、LDAP服务安装好之后,我们接下来给ldap服务设置密码,在OpenLDAP server上执行如下操作:

[[email protected] ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[[email protected] ~]#

 ldap服务的全局配置文件存放路径为"/etc/openldap/slapd.d/",具体如下所示:

[[email protected] ~]# cd /etc/openldap/slapd.d/
[[email protected] slapd.d]# ls
cn=config  cn=config.ldif
[[email protected] slapd.d]# cd cn\=config
[[email protected] cn=config]# ls
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[[email protected] cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[[email protected] cn=config]#

 添加密码命令和内容,添加密码其实是对文件olcDatabase={0}config.ldif进行修改

cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF

添加密码前:

[[email protected] cn=config]# cat olcDatabase\=\{0\}config.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 11f68910
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da3e02-4cd0-1037-930d-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.064679Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[[email protected] cn=config]#

执行密码添加操作:

[[email protected] cn=config]# cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config     
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[[email protected] cn=config]#

添加密码之后查看:

[[email protected] cn=config]# cat olcDatabase\=\{0\}config.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ea900b11
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da3e02-4cd0-1037-930d-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcRootPW:: e1NTSEF9YktHdnN2QThHb2hkSldYU0Z5ZHR3STZpckk1N2JJcHI=
entryCSN: 20171024064249.681208Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024064249Z
[[email protected] cn=config]#

或者将修改的内容保存到一个文件中,然后通过命令ldapadd -Y EXTERANL -H ldapi:///  -f /tmp/slappasswd.ldif

[[email protected] cn=config]# vim  /tmp/slappasswd.ldif
dn: olcDatabase={0}config,cn=config     
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[[email protected] cn=config]# 
[[email protected] cn=config]# ldapadd -Y EXTERANL -H ldapi:/// -f /tmp/slappasswd.ldif



3、导入基本的schema文件

CentOS7默认情况下schema文件存放路径是:

[[email protected] cn=config]# ls /etc/openldap/schema/
collective.ldif    corba.schema  cosine.ldif    duaconf.schema   inetorgperson.ldif    java.schema  nis.ldif       openldap.schema  ppolicy.ldif
collective.schema  core.ldif     cosine.schema  dyngroup.ldif    inetorgperson.schema  misc.ldif    nis.schema     pmi.ldif         ppolicy.schema
corba.ldif         core.schema   duaconf.ldif   dyngroup.schema  java.ldif             misc.schema  openldap.ldif  pmi.schema
[[email protected] cn=config]#

 

3.1、导入第一个schema文件:

[[email protected] cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[[email protected] cn=config]#
[[email protected] cn=config]# cd cn\=schema
[[email protected] cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif
[[email protected] cn=schema]# pwd
/etc/openldap/slapd.d/cn=config/cn=schema
[[email protected] cn=schema]#


用同样的方式导入其他几个schema文件:


[[email protected] cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
[[email protected] cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[[email protected] cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
[[email protected] cn=schema]#
[[email protected] cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[[email protected] cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif  cn={2}ppolicy.ldif  cn={3}nis.ldif  cn={4}dyngroup.ldif  cn={5}inetorgperson.ldif
[[email protected] cn=schema]#

4、修改相关域名:修改文件为olcDatabase\=\{2\}hdb.ldif和olcDatabase\=\{1\}monitor.ldif

[[email protected] cn=schema]# cd ..
[[email protected] cn=config]# ls
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[[email protected] cn=config]# cat olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 41f0f60e
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a9da5450-4cd0-1037-930f-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.065249Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[[email protected] cn=config]#


[[email protected] cn=config]# cat olcDatabase\=\{1\}monitor.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 80b9bea4
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da455a-4cd0-1037-930e-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.064868Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[[email protected] cn=config]#

具体操作命令及内容:

cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF


4.1、操作方法:

[[email protected] cn=config]# cat  /tmp/domain.ldif                                
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[[email protected] cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/domain.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[[email protected] cn=config]#

查看修改后的文件:

[[email protected] cn=config]# cat olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 7160b48b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a9da5450-4cd0-1037-930f-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcSuffix: dc=ldap,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=com
olcRootPW:: e1NTSEF9YktHdnN2QThHb2hkSldYU0Z5ZHR3STZpckk1N2JJcHI=
entryCSN: 20171024071035.422517Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024071035Z
[[email protected] cn=config]# cat olcDatabase\=\{1\}monitor.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 bc7ee631
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da455a-4cd0-1037-930e-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
entryCSN: 20171024071035.418045Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024071035Z
[[email protected] cn=config]#


5、设置组织架构

  LDAP目录以树状的层次结构来存储数据。如果你对自顶向下的DNS树或UNIX文件的目录树比较熟悉,也就很容易掌握LDAP目录树这个概念了。就象DNS的主机名那样,LDAP目录记录的标识名(Distinguished Name,简称DN)是用来读取单个记录,以及回溯到树的顶部。

cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: ldap.com
dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group
dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager
dn: cn=Host,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010
EOF


5.1执行添加条目操作:

[[email protected] cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: dc=ldap,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: ldap
> o: ldap.com
> 
> dn: ou=People,dc=ldap,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: People
> 
> dn: ou=Group,dc=ldap,dc=com
> objectClass: organizationalUnit
> ou: Group
> 
> dn: cn=Manager,dc=ldap,dc=com
> objectClass: organizationalRole
> cn: Manager
> 
> dn: cn=Host,ou=Group,dc=ldap,dc=com
> objectClass: posixGroup
> cn: Host
> gidNumber: 1010
> EOF
Enter LDAP Password: 
adding new entry "dc=ldap,dc=com"
adding new entry "ou=People,dc=ldap,dc=com"
adding new entry "ou=Group,dc=ldap,dc=com"
adding new entry "cn=Manager,dc=ldap,dc=com"
adding new entry "cn=Host,ou=Group,dc=ldap,dc=com"
[[email protected] cn=config]#


查看添加的条目有两种方法

①命令方式查看,添加字段BASE和URI

[[email protected] cn=config]# vim  /etc/openldap/ldap.conf    
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERTDIR   /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
BASE  dc=ldap,dc=com
URI   ldap://192.168.112.200
[[email protected] cn=config]# 
[[email protected] cn=config]# ldapsearch -x -LLL
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: ldap.com
dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group
dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager
dn: cn=Host,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010
[[email protected] cn=config]#


②url方式查看,该方式主要通过ldapadmin工具查看

www.ldapadmin.org/download/languages/index.html


③通过web界面方式查看,后面会介绍


6、添加用户:

cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
dn: uid=user01,ou=People,dc=ldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/user01
userPassword: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
loginShell: /bin/bash
cn: user01
uidNumber: 1000
gidNumber: 1010
sn: System Administrator
mail: [email protected]
mobile: 12888888888
EOF


6.1 执行添加用户操作命令:

[[email protected] cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user01,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user01
> userPassword: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
> loginShell: /bin/bash
> cn: user01
> uidNumber: 1000
> gidNumber: 1010
> sn: System Administrator
> mail: [email protected]
> mobile: 12888888888
> EOF
Enter LDAP Password: 
adding new entry "uid=user01,ou=People,dc=ldap,dc=com"
[[email protected] cn=config]#


至此,一个简单的ldap服务端配置完成,接下来配置ldap客户端


以上是关于统一用户登录管理认证LDAP 服务端部署的主要内容,如果未能解决你的问题,请参考以下文章

Zabbix对接LDAP实现用户统一登录

Zabbix对接LDAP实现用户统一登录

Zabbix 对接 LDAP 实现用户统一登录的方法

LDAP/AD认证

Deepin系统基于LDAP统一认证

cas单点登录怎么在服务器端获得用户信息