一、环境
系统 CentOS 6.4x64最小化安装
IP 192.168.3.19
二、安装ldap
[root@test ~]# yum install openldap openldap-* -y
[root@test ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
配置ldap
[root@test ~]# cd /etc/openldap/ [root@test openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf [root@test openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak [root@test openldap]# ll total 32 drwxr-xr-x. 2 root root 4096 Jul 14 09:48 certs -rw-r--r--. 1 root root 282 Jul 14 09:40 ldap.conf drwxr-xr-x 2 root root 4096 Jul 14 09:48 schema -rw-r--r-- 1 root root 4635 Jul 14 09:49 slapd.conf -rw-r--r-- 1 root root 4635 Jul 14 09:49 slapd.conf_20150714.bak drwx------ 3 ldap ldap 4096 Jul 14 09:48 slapd.d
设置ldap管理员密码
[root@test openldap]# slappasswd -s weyee
{SSHA}+lnTFVa2PrStKgqt4SNFk4pl7Vo7QFUr
[root@test openldap]# slappasswd -s weyee|sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
[root@test openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}d+rLMyEPKqcBroWW0vvazZ1+DRY2UmsP
#注意: -s 把密码直接写在命令行上,会留在 shell 历史和 ps 输出中;生产环境建议不带 -s,由 slappasswd 交互式提示输入。两次执行得到的哈希不同是因为 SSHA 带随机盐,属正常现象。
修改dc配置
[root@test openldap]# vim /etc/openldap/slapd.conf #以下参数大概在114行 database bdb #使用bdb数据库 suffix "dc=test,dc=org" #定义dc,指定搜索的域 rootdn "cn=admin,dc=test,dc=org" #定义管理员的dn,使用这个dn能登陆openldap
优化ldap配置参数
[root@test openldap]# vim /etc/openldap/slapd.conf loglevel 296 #定义日志级别 cachesize 1000 #换成条目数 checkpoint 2048 10 #表示内存中达到2048k或者10分钟,执行一次checkpoint,即写入数据文件的操作
配置相关权限
[root@test openldap]# vim /etc/openldap/slapd.conf
#删除默认权限,将下面的内容都删除
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
#添加新的权限(这是2.3的权限设置方式)
access to * by self write by anonymous auth by * read
#注意: access 规则按先后顺序匹配,上面这条会让任何已认证用户读取全部属性,包括其他用户的 userPassword 哈希。建议在它前面先加一条 access to attrs=userPassword by self write by anonymous auth by * none,只允许用户修改自己的密码和用于绑定认证。
配置syslog记录ldap的服务日志
[root@test openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak #往配置文件中增加如下内容 [root@test openldap]# tail -1 /etc/rsyslog.conf local4.* /var/log/ldap.log #重启rsyslog服务 [root@test openldap]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
配置ldap数据库路径
#创建数据文件 [root@test openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@test openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG [root@test openldap]# chmod 700 /var/lib/ldap/ [root@test openldap]# ll /var/lib/ldap/ total 4 -rw-r--r-- 1 ldap ldap 845 Jul 14 09:58 DB_CONFIG [root@test openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 [root@test openldap]# slaptest -u #检查配置文件是否正常 config file testing succeeded
启动ldap服务
[root@test ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@test ~]# ps aux |grep ldap
ldap 1700 0.0 1.6 490532 16592 ? Ssl 10:00 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 1706 0.0 0.0 103240 868 pts/0 S+ 10:00 0:00 grep ldap
[root@test ~]# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1700/slapd
tcp 0 0 :::389 :::* LISTEN 1700/slapd
#注意: 389 端口是明文 LDAP,后面用 -x 做简单绑定时账号和密码会明文经过网络。客户端不在本机时,建议配置 ldaps:// 或 StartTLS,并用防火墙限制能访问 389 端口的来源。
#添加到开机自启动
[root@test ~]# chkconfig slapd on
#查看日志文件
[root@test ~]# tail /var/log/ldap.log
Jul 14 10:00:11 test slapd[1699]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#[email protected]:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
查询一下ldap的内容
[root@test ~]# ldapsearch -LLL -W -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#这里报错
#原因: 启动 slapd 时 /etc/openldap/slapd.d/ 已经存在,服务会优先读取其中的 cn=config 动态配置而忽略 slapd.conf,所以上面在 slapd.conf 里设置的 rootdn/rootpw 并没有生效。
#解决如下,删除默认2.4的配置文件,重新生成2.3的配置文件
[root@test ~]# rm -rf /etc/openldap/slapd.d/*
[root@test ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a46df9 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@test ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Jul 14 10:03 cn=config
-rw------- 1 root root 1302 Jul 14 10:03 cn=config.ldif
#修改权限
[root@test ~]# chown -R ldap.ldap /etc/openldap/slapd.d/
#重启服务
[root@test ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
#再次查询ldap内容
[root@test ~]# ldapsearch -LLL -W -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=*)"
Enter LDAP Password: #密码是上文中的weyee
No such object (32) #ldap中还没有任何数据
创建一个系统用户user1,设置密码user1
[root@test ~]# useradd user1 [root@test ~]# passwd user1 Changing password for user user1. New password: BAD PASSWORD: it is too short BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully.
安装migrationtools
[root@test ~]# yum install migrationtools -y
编辑migrationtool的配置文件/usr/share/migrationtools/migrate_common.ph
[root@test ~]# vim /usr/share/migrationtools/migrate_common.ph # Default DNS domain $DEFAULT_MAIL_DOMAIN = "test.org"; # Default base $DEFAULT_BASE = "dc=test,dc=org";
下面利用pl脚本将/etc/passwd 和/etc/shadow生成LDAP能读懂的文件格式,保存在/tmp/下
[root@test ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif [root@test ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif [root@test ~]# /usr/share/migrationtools/migrate_group.pl /etc/group >/tmp/group.ldif
下面就要把这三个文件导入到LDAP,这样LDAP的数据库里就有了我们想要的用户
#导入base [root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/base.ldif Enter LDAP Password: adding new entry "dc=test,dc=org" adding new entry "ou=Hosts,dc=test,dc=org" adding new entry "ou=Rpc,dc=test,dc=org" adding new entry "ou=Services,dc=test,dc=org" adding new entry "nisMapName=netgroup.byuser,dc=test,dc=org" adding new entry "ou=Mounts,dc=test,dc=org" adding new entry "ou=Networks,dc=test,dc=org" adding new entry "ou=People,dc=test,dc=org" adding new entry "ou=Group,dc=test,dc=org" adding new entry "ou=Netgroup,dc=test,dc=org" adding new entry "ou=Protocols,dc=test,dc=org" adding new entry "ou=Aliases,dc=test,dc=org" adding new entry "nisMapName=netgroup.byhost,dc=test,dc=org" #导入passwd [root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/passwd.ldif Enter LDAP Password: adding new entry "uid=root,ou=People,dc=test,dc=org" adding new entry "uid=bin,ou=People,dc=test,dc=org" adding new entry "uid=daemon,ou=People,dc=test,dc=org" adding new entry "uid=adm,ou=People,dc=test,dc=org" adding new entry "uid=lp,ou=People,dc=test,dc=org" adding new entry "uid=sync,ou=People,dc=test,dc=org" adding new entry "uid=shutdown,ou=People,dc=test,dc=org" adding new entry "uid=halt,ou=People,dc=test,dc=org" adding new entry "uid=mail,ou=People,dc=test,dc=org" adding new entry "uid=uucp,ou=People,dc=test,dc=org" adding new entry "uid=operator,ou=People,dc=test,dc=org" adding new entry "uid=games,ou=People,dc=test,dc=org" adding new entry "uid=gopher,ou=People,dc=test,dc=org" adding new entry "uid=ftp,ou=People,dc=test,dc=org" adding new entry "uid=nobody,ou=People,dc=test,dc=org" adding new entry "uid=dbus,ou=People,dc=test,dc=org" adding new entry "uid=vcsa,ou=People,dc=test,dc=org" adding new entry "uid=abrt,ou=People,dc=test,dc=org" adding new entry "uid=haldaemon,ou=People,dc=test,dc=org" adding new entry "uid=ntp,ou=People,dc=test,dc=org" adding new entry "uid=saslauth,ou=People,dc=test,dc=org" adding new entry 
"uid=postfix,ou=People,dc=test,dc=org" adding new entry "uid=sshd,ou=People,dc=test,dc=org" adding new entry "uid=tcpdump,ou=People,dc=test,dc=org" adding new entry "uid=ldap,ou=People,dc=test,dc=org" adding new entry "uid=nscd,ou=People,dc=test,dc=org" adding new entry "uid=nslcd,ou=People,dc=test,dc=org" adding new entry "uid=user1,ou=People,dc=test,dc=org" #导入group [root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/group.ldif
再次查询ldap的内容
[root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=user1)"
dn: uid=user1,ou=People,dc=test,dc=org
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEovVFNOUFhVJHdmWXhyN3MzdTNVa0NVN0h0WHlHVDA=
shadowLastChange: 16630
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user1
#注意: -w 把管理员密码直接写在命令行上,会留在 shell 历史和 ps 输出中;建议像前面一样用 -W 交互输入。
安装配置ldap客户端phpladpadmin
[root@test ~]# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@test ~]# yum install phpldapadmin -y
#注意: 这里是通过 http 从第三方镜像直接安装 rpm。建议先导入 EPEL 的 GPG 公钥并用 rpm -K 校验包签名,或改从官方源获取 epel-release。
配置Apache's phpLDAPadmin的配置文件
[root@test ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
Order Allow,Deny
Allow from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.3.0
#注意: Allow from all 会放行所有来源,后面三条 Allow 实际上不起限制作用,phpLDAPadmin 管理界面会对所有能访问到本机的网络开放。若只想允许本机和内网访问,应去掉 Allow from all,并把网段写成 192.168.3.0/24(Apache 2.2 中写完整的 192.168.3.0 只匹配这一个地址)。
禁用自动登录
[root@test ~]# vim /etc/phpldapadmin/config.php #(line 398) //$servers->setValue('login','attr','uid');
启动httpd服务
[root@test ~]# service httpd start Starting httpd: [ OK ]
通过web界面访问ldap地址是http://192.168.3.19/ldapadmin/
三、安装配置vsftp
[root@test ~]# yum install vsftpd -y
修改pam_ldap配置文件
[root@test ~]# vim /etc/pam_ldap.conf
host 192.168.3.19
# The distinguished name of the search base.
base dc=test,dc=org
#uri ldap://192.168.3.19
binddn cn=admin,dc=test,dc=org
bindpw weyee
#注意: 这里把 LDAP 管理员(rootdn)的明文密码写进了 pam_ldap.conf。如果该文件权限是 644,本机任何用户都能读到管理员密码;建议 chmod 600 /etc/pam_ldap.conf,并为 PAM 查询单独建一个只读的绑定账号,不要直接使用 rootdn。
#修改文件/etc/pam.d/vsftpd.vu
[root@test ~]# vim /etc/pam.d/vsftpd.vu
auth required pam_ldap.so
account required pam_ldap.so
编辑vsftpd配置文件
[root@test ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO #不允许匿名用户访问
anon_upload_enable=YES
anon_mkdir_write_enable=YES #开启这项和上一项才能上传文件和文件夹
chroot_local_user=YES
guest_enable=YES #设定启用虚拟用户功能
guest_username=ftp #指定虚拟用户的宿主用户
pam_service_name=vsftpd.vu #设定PAM服务下Vsftpd的验证配置文件名。
local_root=/data
#注意: 所有通过 LDAP 登录的虚拟用户都会映射为 guest_username 指定的 ftp 用户,共用同一个 local_root 目录和同一组文件权限(后面 ldapftp 和 test 两个用户登录后 ls 的结果完全相同)。
启动vsftpd服务
[root@test ~]# /etc/init.d/vsftpd start Starting vsftpd for vsftpd: [ OK ] [root@test ~]# yum install ftp -y [root@test ~]# chown -R ftp.ftp /data/
测试,在ldap中创建用户ldapftp,设置密码ldapftp
#查看ldapftp用户 [root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=ldapftp)" dn: uid=ldapftp,ou=People,dc=test,dc=org objectClass: posixAccount objectClass: top objectClass: inetOrgPerson gidNumber: 0 givenName: ldapftp sn: ldapftp uid: ldapftp homeDirectory: /home/ldapftp cn: ldapftp uidNumber: 5355 userPassword:: e1NIQX1XZnNSS0U1dlVhR0xma0lINlFqU0F2VDJqU1U9 [root@test ~]# id ldapftp id: ldapftp: No such user #从上面的结果能看出ldapftp用户只有ldap数据库中才有 #测试访问ftp [root@test ~]# ftp 127.0.0.1 Connected to 127.0.0.1 (127.0.0.1). 220 (vsFTPd 2.2.2) Name (127.0.0.1:root): ldapftp #输入用户ldapftp 331 Please specify the password. Password: 230 Login successful. #这里显示登陆成功 Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,151,90). 150 Here comes the directory listing. -rw-r--r-- 1 0 0 0 Jul 14 03:05 1.txt -rw-r--r-- 1 0 0 0 Jul 14 03:05 2.txt drwx------ 2 14 50 4096 Jul 14 03:07 新文件夹 226 Directory send OK.
我们再次创建一个ldap用户test,密码test
[root@test ~]# id test id: test: No such user [root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=test)" dn: uid=test,ou=People,dc=test,dc=org objectClass: posixAccount objectClass: top objectClass: inetOrgPerson gidNumber: 0 givenName: test sn: test uid: test homeDirectory: /home/test cn: test uidNumber: 41881 userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09 #上面结果表明test用户只存在于ldap中 #用test访问ftp [root@test ~]# ftp 127.0.0.1 Connected to 127.0.0.1 (127.0.0.1). 220 (vsFTPd 2.2.2) Name (127.0.0.1:root): test 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,208,151). 150 Here comes the directory listing. -rw-r--r-- 1 0 0 0 Jul 14 03:05 1.txt -rw-r--r-- 1 0 0 0 Jul 14 03:05 2.txt drwx------ 2 14 50 4096 Jul 14 03:07 新文件夹 226 Directory send OK.
到这里vsftpd+ldap的配置已完成