写前先祝福下勒布朗·詹姆斯
网上搜了很多关于centos7.2部署ldap的文章,这里也写一下自己的
实验环境
系统:CentOS Linux release 7.2.1511 (Core)
内核:3.10.0-327.el7.x86_64
服务端IP:192.168.10.16
客户端IP:192.168.10.17
第一步
selinux和firewalld
[root@ldap opt]# getenforce
Permissive
[root@ldap opt]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
第二步
服务端装包
[root@ldap openldap]# yum install -y openldap-servers openldap-clients openldap
如果不小心误删除了ldap的文件,会发现yum也用不了了,因为依赖模块被删掉了---解决方法
openldap-2.4.44-13.el7.x86_64.rpm(使用rpm把ldap装起来是一种方法)
第三步
服务端配置文件
[root@ldap openldap]# pwd
/etc/openldap
[root@ldap openldap]# vim ldap.conf
TLS_CACERTDIR /etc/openldap/certs #这里很重要,指定你的TLS的文件放在那个目录下,默认此目录
TLS_REQCERT allow #这里是指可以切换TLS的文件存放目录
[root@ldap openldap]# slappasswd(生成密码)
New password:
Re-enter new password:
{SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA(这个加密字符串记录下来)
[root@ldap openldap]# vim slapd.conf(注意这个文件不是上面的ldap.conf)
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#TLS的几个文件很容易混淆,后面做CA的时候也会着重标明)
TLSCACertificateFile /etc/openldap/certs/ca.crt (这个是CA的公钥)
TLSCertificateFile /etc/openldap/certs/slapd.crt(这个是CA颁发的证书文件)
TLSCertificateKeyFile /etc/openldap/certs/slapd.key(这个是本地私钥)
database config
rootdn "cn=admin,cn=config"(超级用户)
rootpw {SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA (这里把上面的字符串写进来)
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
database monitor
access to * by dn.exact="cn=admin,cn=config" read by * none
[root@ldap openldap]# rm -rf slapd.d/*
[root@ldap openldap]# slaptest -f slapd.conf -F slapd.d/ (转换成ldap识别的文件,这里一定看清楚是slapd.conf文件)
config file testing succeeded
[root@ldap openldap]# chown ldap. -R slapd.d/(加权限)
[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ll
total 8
drwxr-x---. 3 ldap ldap 4096 Jun 1 07:50 cn=config
-rw-------. 1 ldap ldap 1272 Jun 1 07:50 cn=config.ldif
[root@ldap openldap]# grep TLS slapd.conf(使用之前的https的方式生成CA证书)
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
对于CA认证来说现在的服务器作为客户端
[root@ldap certs]# pwd
/etc/openldap/certs (这个目录是根据你之前ldap.conf文件里定义的)
[root@ldap certs]# openssl genrsa 2048 > slapd.key(这个文件毫无疑问就是上文对应的slapd.key文件)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@ldap certs]# ls
cert8.db key3.db password secmod.db slapd.key
(这里先别给最小权限,怕会ldap读取不了文件,使用/usr/sbin/sladp -d 256 也能看出问题)
[root@localhost keyes]# openssl req -new -key slapd.key -out siyao.csr (创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (国家)
State or Province Name (full name) []:shanghai (省份)
Locality Name (eg, city) [Default City]:shanghai (市区)
Organization Name (eg, company) [Default Company Ltd]:boke (公司名)
Organizational Unit Name (eg, section) []:boke - cainiao (部门)
Common Name (eg, your name or your server's hostname) []:192.168.10.16 (要加密的server)
Email Address []:[email protected] (邮箱)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []: (这里也跳过)
[root@ldap certs]# ls
cert8.db key3.db password secmod.db siyao.csr (这里可不是公钥哦) slapd.key
现在客户端作为CA服务器
[root@ldap certs]# scp siyao.csr 192.168.10.17:/root/
[email protected]'s password:
siyao.csr 100% 1009 1.0KB/s 00:00
[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096 (生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg ca.key siyao.csr
[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt (自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:192.168.10.17(指定你的server)
Email Address []:
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt (这个是我们的CA公钥和LDAP识别的ca.crt文件对应) ca.key siyao.csr
[root@192 ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out slapd.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=boke/OU=cainiao/CN=192.168.10.16
Getting CA Private Key
Enter pass phrase for ca.key:
[root@192 ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.csr slapd.crt(这是证书,和LDAP识别的slapd.crt对应)
[root@192 ~]# scp ca.crt slapd.crt 192.168.10.16:/etc/openldap/certs/(两个文件都传过去)
[email protected]'s password:
ca.crt 100% 2013 2.0KB/s 00:00
slapd.crt 100% 1545 1.5KB/s 00:00
CA完毕,以下是正常的服务器和客户端
服务器16这里
[root@ldap certs]# ls
ca.crt(1) cert8.db key3.db password secmod.db siyao.csr slapd.crt (2) slapd.key(3) (1),(2),(3)三个文件分别代表上文定义的TLS文件,千万别搞乱了)
[root@ldap certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG.example(拷贝缓冲数据文件)
[root@ldap certs]# chown ldap. /var/lib/ldap/DB_CONFIG.example(授权)
[root@ldap certs]# vim /etc/sysconfig/slapd
LAPD_URLS="ldapi:/// ldap:/// ldaps:///"(添加上ldaps:///)
[root@ldap certs]# systemctl start slapd(起服务,如果上面没好好看的话,这里启动会报错的)
[root@ldap certs]# ps -ef|grep slapd
ldap 4413 1 0 22:07 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///
root 4672 2597 0 22:24 pts/0 00:00:00 grep --color=auto slapd
[root@ldap certs]# netstat -luntp|grep slap
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 4413/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4413/slapd
tcp6 0 0 :::636 :::* LISTEN 4413/slapd
tcp6 0 0 :::389 :::* LISTEN 4413/slapd
定义用户数据库
[root@ldap certs]# mkdir /root/ldif
[root@ldap certs]# cd
[root@ldap ~]# cd ldif/
[root@ldap ldif]# ls
[root@ldap ldif]# vim bdb.ldif
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb(数据库)
olcSuffix: dc=example,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=org(用户)
olcRootPW: 456 (密码)
olcLimits: dn.exact="cn=Manager,dc=example,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read
[root@ldap ldif]# ldapadd -x -D "cn=admin,cn=config" -w 123 -f ~/ldif/bdb.ldif -h localhost(添加条目,这个是超级用户和超级用户的免密123)
adding new entry "olcDatabase=bdb,cn=config"
[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ls
cn=config cn=config.ldif
[root@ldap slapd.d]# cd cn\=config/
[root@ldap cn=config]# ls
cn=schema olcDatabase={0}config.ldif olcDatabase={1}monitor.ldif
cn=schema.ldif olcDatabase={-1}frontend.ldif olcDatabase={2}bdb.ldif(这个bdb数据文件被生成出来了)
ssh ----》ldap(实验)
使我们的系统用户转变为ldap用户
[root@ldap cn=config]# yum search migrationtools
[root@ldap cn=config]# yum install -y migrationtools.noarch(下载工具)
[root@ldap cn=config]# cd /usr/share/migrationtools/
[root@ldap migrationtools]# groupadd -g 100001 ldap1(生成系统用户)
[root@ldap migrationtools]# mkdir /ldapuser
[root@ldap migrationtools]# useradd -u 100001 -g 100001 -d /ldapuser/ldap1 ldap1
[root@ldap migrationtools]# id ldap1
uid=100001(ldap1) gid=100001(ldap1) groups=100001(ldap1)
[root@ldap migrationtools]# groupadd -g 100002 ldap2(之前说过65535只是限制个数)
[root@ldap migrationtools]# useradd -u 100002 -g 100002 -d /ldapuser/ldap2 ldap2
[root@ldap migrationtools]# vim migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.org";(这里可不是主机名哦)
# Default base
$DEFAULT_BASE = "dc=example,dc=org";
[root@ldap migrationtools]# ./migrate_base.pl > ~/ldif/base.ldif
[root@ldap migrationtools]# vim /root/ldif/base.ldif(留三组信息即可)
dn: dc=example,dc=org(顶级域)
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=org(条目)
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=org(条目)
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@ldap migrationtools]# cat -A /root/ldif/base.ldif(检查格式是否有问题)
dn: dc=example,dc=org$
dc: example$
objectClass: top$
objectClass: domain$
$
dn: ou=People,dc=example,dc=org$
ou: People$
objectClass: top$
objectClass: organizationalUnit$
$
dn: ou=Group,dc=example,dc=org$
ou: Group$
objectClass: top$
objectClass: organizationalUnit$
$
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/base.ldif -h localhost(将条目加入到数据库里,这里是用的是数据库的用户和密码)
adding new entry "dc=example,dc=org"
adding new entry "ou=People,dc=example,dc=org"
adding new entry "ou=Group,dc=example,dc=org"
[root@ldap certs]# passwd ldap1
[root@ldap certs]# passwd ldap2
[root@ldap migrationtools]# ./migrate_passwd.pl /etc/passwd > /root/ldif/user.ldif(将用户和组添加条目)
[root@ldap migrationtools]# ./migrate_group.pl /etc/group > /root/ldif/group.ldif
[root@ldap migrationtools]# vim /root/ldif/user.ldif(只留两个即可,做实验)
dn: uid=ldap1,ou=People,dc=example,dc=org
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1
dn: uid=ldap2,ou=People,dc=example,dc=org
uid: ldap2
cn: ldap2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100002
gidNumber: 100002
homeDirectory: /ldapuser/ldap2
[root@ldap migrationtools]# vim /root/ldif/group.ldif(和用户相同)
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/group.ldif -h localhost
adding new entry "cn=ldap1,ou=Group,dc=example,dc=org"
adding new entry "cn=ldap2,ou=Group,dc=example,dc=org"
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/user.ldif -h localhost
adding new entry "uid=ldap1,ou=People,dc=example,dc=org"
adding new entry "uid=ldap2,ou=People,dc=example,dc=org"
[root@ldap conf.d]# cp /etc/openldap/certs/ca.crt /var/www/html/(共享公钥)
[root@ldap html]# systemctl restart httpd
终于到客户端了
[root@192 ~]# vim /etc/hosts
192.168.10.16 ldap
[root@l92 html]# yum install -y openldap openldap-clients nss-pam-ldapd
[root@192 html]# yum install -y authconfig.x86_64 authconfig-gtk.x86_64
[root@192 openldap]# authconfig --enableldap --enableldapauth --ldapserver=ldap --ldapbasedn="dc=example,dc=org" --enableldaptls --ldaploadcacert=http://ldap/ca.crt --update
*(上面的命令执行完毕,本地应该有ldap1和ldap2用户,但是我这次不行了,之前一台机器是可以的,大家试下,今晚我在看看到底哪出问题了)
[root@192 openldap]# ssh [email protected](这里是登陆不了的,应为上一条命令执行不成功)
[email protected]'s password:
Last login: Fri Jun 1 22:29:45 2018 from ldapfu
Could not chdir to home directory /ldapuser/ldap1: No such file or directory
-bash-4.2$(缺少家目录)
[root@192 ~]# mkdir /ldapuser
[root@192 ~]# yum install -y autofs
服务端这里
[root@ldap ldapuser]# vim /etc/exports
/ldapuser 192.168.10.0/24(rw)
[root@ldap ldapuser]# systemctl start nfs(启动不了,先启动rpcbind)
客户端
[root@192 ~]# vim /etc/auto.master
# For details of the format look at auto.master(5).
/ldapuser /etc/ldap.misc(添加此条)
#
/misc /etc/auto.misc
[root@192 ~]# cp /etc/auto.misc /etc/ldap.misc
[root@192 ~]# vim /etc/ldap.misc
#removable -fstype=ext2 :/dev/hdd
* -fstype=nfs 192.168.10.16:/ldapuser/&(添加此条)
[root@192 ~]# systemctl start autofs.service(再次使用ldap1登录客户端即可
客户端获取不到ldap用户这个我今晚再看看,大神也给下建议。