写前先祝福下勒布朗·詹姆斯



网上搜了很多关于centos7.2部署ldap的文章,这里也写一下自己的



实验环境
系统:CentOS Linux release 7.2.1511 (Core)
内核:3.10.0-327.el7.x86_64
服务端IP:192.168.10.16
客户端IP:192.168.10.17

第一步
selinux和firewalld
[root@ldap opt]# getenforce
Permissive
[root@ldap opt]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

第二步
服务端装包

[root@ldap openldap]# yum install -y openldap-servers openldap-clients openldap

如果不小心误删除了ldap的文件,会发现yum也用不了了,因为依赖模块被删掉了---解决方法
openldap-2.4.44-13.el7.x86_64.rpm(使用rpm把ldap装起来是一种方法)

第三步
服务端配置文件
[root@ldap openldap]# pwd
/etc/openldap
[root@ldap openldap]# vim ldap.conf
TLS_CACERTDIR   /etc/openldap/certs #这里很重要,指定你的TLS的文件放在那个目录下,默认此目录
TLS_REQCERT allow #这里是指可以切换TLS的文件存放目录

[root@ldap openldap]# slappasswd(生成密码)
New password:
Re-enter new password:
{SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA(这个加密字符串记录下来)

[root@ldap openldap]# vim slapd.conf(注意这个文件不是上面的ldap.conf)
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/misc.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
#TLS的几个文件很容易混淆,后面做CA的时候也会着重标明)
TLSCACertificateFile /etc/openldap/certs/ca.crt (这个是CA的公钥)
TLSCertificateFile /etc/openldap/certs/slapd.crt(这个是CA颁发的证书文件)
TLSCertificateKeyFile /etc/openldap/certs/slapd.key(这个是本地私钥)

database config
rootdn "cn=admin,cn=config"(超级用户)
rootpw {SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA (这里把上面的字符串写进来)
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

database monitor
access to * by dn.exact="cn=admin,cn=config" read by * none

[root@ldap openldap]# rm -rf slapd.d/*
[root@ldap openldap]# slaptest -f slapd.conf -F slapd.d/ (转换成ldap识别的文件,这里一定看清楚是slapd.conf文件)
config file testing succeeded
[root@ldap openldap]# chown ldap. -R slapd.d/(加权限)
[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ll
total 8
drwxr-x---. 3 ldap ldap 4096 Jun  1 07:50 cn=config
-rw-------. 1 ldap ldap 1272 Jun  1 07:50 cn=config.ldif

[root@ldap openldap]# grep TLS slapd.conf(使用之前的https的方式生成CA证书)
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

对于CA认证来说现在的服务器作为客户端

[root@ldap certs]# pwd
/etc/openldap/certs (这个目录是根据你之前ldap.conf文件里定义的)
[root@ldap certs]# openssl genrsa 2048 > slapd.key(这个文件毫无疑问就是上文对应的slapd.key文件)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@ldap certs]# ls
cert8.db  key3.db  password  secmod.db  slapd.key
(这里先别给最小权限,怕会ldap读取不了文件,使用/usr/sbin/sladp -d 256 也能看出问题)

[root@localhost keyes]# openssl req -new -key slapd.key -out siyao.csr  (创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    (国家)
State or Province Name (full name) []:shanghai  (省份)
Locality Name (eg, city) [Default City]:shanghai   (市区)
Organization Name (eg, company) [Default Company Ltd]:boke  (公司名)  
Organizational Unit Name (eg, section) []:boke - cainiao  (部门)
Common Name (eg, your name or your server's hostname) []:192.168.10.16  (要加密的server)
Email Address []:[email protected]  (邮箱)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []:  (这里也跳过)

[root@ldap certs]# ls
cert8.db  key3.db  password  secmod.db  siyao.csr (这里可不是公钥哦) slapd.key

现在客户端作为CA服务器
[root@ldap certs]# scp siyao.csr 192.168.10.17:/root/
[email protected]'s password:
siyao.csr                                                                                      100% 1009     1.0KB/s   00:00

[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096  (生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:                  (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg  ca.key  siyao.csr

[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt  (自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai    
Organization Name (eg, company) [Default Company Ltd]:NSA    
Organizational Unit Name (eg, section) []:FBI   
Common Name (eg, your name or your server's hostname) []:192.168.10.17(指定你的server)
Email Address []:
[root@localhost ~]# ls
anaconda-ks.cfg  ca.crt (这个是我们的CA公钥和LDAP识别的ca.crt文件对应) ca.key  siyao.csr

[root@192 ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out slapd.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=boke/OU=cainiao/CN=192.168.10.16
Getting CA Private Key
Enter pass phrase for ca.key:
[root@192 ~]# ls
anaconda-ks.cfg  ca.crt  ca.key  siyao.csr  slapd.crt(这是证书,和LDAP识别的slapd.crt对应)

[root@192 ~]# scp ca.crt slapd.crt 192.168.10.16:/etc/openldap/certs/(两个文件都传过去)
[email protected]'s password:
ca.crt                                                                                         100% 2013     2.0KB/s   00:00
slapd.crt                                                                                      100% 1545     1.5KB/s   00:00

CA完毕,以下是正常的服务器和客户端
服务器16这里
[root@ldap certs]# ls
ca.crt(1)  cert8.db  key3.db  password  secmod.db  siyao.csr  slapd.crt (2) slapd.key(3) (1),(2),(3)三个文件分别代表上文定义的TLS文件,千万别搞乱了)

[root@ldap certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG.example(拷贝缓冲数据文件)
[root@ldap certs]# chown ldap. /var/lib/ldap/DB_CONFIG.example(授权)

[root@ldap certs]# vim /etc/sysconfig/slapd
LAPD_URLS="ldapi:/// ldap:/// ldaps:///"(添加上ldaps:///)

[root@ldap certs]# systemctl start slapd(起服务,如果上面没好好看的话,这里启动会报错的)
[root@ldap certs]# ps -ef|grep slapd
ldap       4413      1  0 22:07 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///
root       4672   2597  0 22:24 pts/0    00:00:00 grep --color=auto slapd
[root@ldap certs]# netstat -luntp|grep slap
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      4413/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      4413/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      4413/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      4413/slapd

定义用户数据库
[root@ldap certs]# mkdir /root/ldif
[root@ldap certs]# cd
[root@ldap ~]# cd ldif/
[root@ldap ldif]# ls
[root@ldap ldif]# vim bdb.ldif

dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb(数据库)
olcSuffix: dc=example,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=org(用户)
olcRootPW: 456 (密码)
olcLimits: dn.exact="cn=Manager,dc=example,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read

[root@ldap ldif]# ldapadd -x -D "cn=admin,cn=config" -w 123 -f ~/ldif/bdb.ldif -h localhost(添加条目,这个是超级用户和超级用户的免密123)
adding new entry "olcDatabase=bdb,cn=config"

[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ls
cn=config  cn=config.ldif
[root@ldap slapd.d]# cd cn\=config/
[root@ldap cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}bdb.ldif(这个bdb数据文件被生成出来了)

ssh  ----》ldap(实验)
使我们的系统用户转变为ldap用户
[root@ldap cn=config]# yum search migrationtools
[root@ldap cn=config]# yum install -y migrationtools.noarch(下载工具)

[root@ldap cn=config]# cd /usr/share/migrationtools/
[root@ldap migrationtools]# groupadd -g 100001 ldap1(生成系统用户)
[root@ldap migrationtools]# mkdir /ldapuser
[root@ldap migrationtools]# useradd -u 100001 -g 100001 -d /ldapuser/ldap1 ldap1
[root@ldap migrationtools]# id ldap1
uid=100001(ldap1) gid=100001(ldap1) groups=100001(ldap1)

[root@ldap migrationtools]# groupadd -g 100002 ldap2(之前说过65535只是限制个数)
[root@ldap migrationtools]# useradd -u 100002 -g 100002 -d /ldapuser/ldap2 ldap2

[root@ldap migrationtools]# vim migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.org";(这里可不是主机名哦)

# Default base
$DEFAULT_BASE = "dc=example,dc=org";

[root@ldap migrationtools]# ./migrate_base.pl > ~/ldif/base.ldif
[root@ldap migrationtools]# vim /root/ldif/base.ldif(留三组信息即可)
dn: dc=example,dc=org(顶级域)
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=org(条目)
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org(条目)
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@ldap migrationtools]# cat -A /root/ldif/base.ldif(检查格式是否有问题)
dn: dc=example,dc=org$
dc: example$
objectClass: top$
objectClass: domain$
$
dn: ou=People,dc=example,dc=org$
ou: People$
objectClass: top$
objectClass: organizationalUnit$
$
dn: ou=Group,dc=example,dc=org$
ou: Group$
objectClass: top$
objectClass: organizationalUnit$
$

[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/base.ldif -h localhost(将条目加入到数据库里,这里是用的是数据库的用户和密码)
adding new entry "dc=example,dc=org"

adding new entry "ou=People,dc=example,dc=org"

adding new entry "ou=Group,dc=example,dc=org"

[root@ldap certs]# passwd ldap1
[root@ldap certs]# passwd ldap2

[root@ldap migrationtools]# ./migrate_passwd.pl /etc/passwd > /root/ldif/user.ldif(将用户和组添加条目)
[root@ldap migrationtools]# ./migrate_group.pl /etc/group > /root/ldif/group.ldif

[root@ldap migrationtools]# vim /root/ldif/user.ldif(只留两个即可,做实验)

dn: uid=ldap1,ou=People,dc=example,dc=org
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1

dn: uid=ldap2,ou=People,dc=example,dc=org
uid: ldap2
cn: ldap2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100002
gidNumber: 100002
homeDirectory: /ldapuser/ldap2

[root@ldap migrationtools]# vim /root/ldif/group.ldif(和用户相同)

[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/group.ldif -h localhost
adding new entry "cn=ldap1,ou=Group,dc=example,dc=org"

adding new entry "cn=ldap2,ou=Group,dc=example,dc=org"

[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/user.ldif -h localhost
adding new entry "uid=ldap1,ou=People,dc=example,dc=org"

adding new entry "uid=ldap2,ou=People,dc=example,dc=org"

[root@ldap conf.d]# cp /etc/openldap/certs/ca.crt /var/www/html/(共享公钥)
[root@ldap html]# systemctl restart httpd

终于到客户端了
[root@192 ~]# vim /etc/hosts
192.168.10.16   ldap

[root@l92 html]# yum install -y openldap openldap-clients nss-pam-ldapd

[root@192 html]# yum install -y authconfig.x86_64 authconfig-gtk.x86_64

[root@192 openldap]# authconfig --enableldap --enableldapauth --ldapserver=ldap --ldapbasedn="dc=example,dc=org" --enableldaptls --ldaploadcacert=http://ldap/ca.crt --update
*(上面的命令执行完毕,本地应该有ldap1和ldap2用户,但是我这次不行了,之前一台机器是可以的,大家试下,今晚我在看看到底哪出问题了)

[root@192 openldap]# ssh [email protected](这里是登陆不了的,应为上一条命令执行不成功)
[email protected]'s password:
Last login: Fri Jun  1 22:29:45 2018 from ldapfu
Could not chdir to home directory /ldapuser/ldap1: No such file or directory
-bash-4.2$(缺少家目录)

[root@192 ~]# mkdir /ldapuser
[root@192 ~]# yum install -y autofs

服务端这里
[root@ldap ldapuser]# vim /etc/exports
/ldapuser 192.168.10.0/24(rw)

[root@ldap ldapuser]# systemctl start nfs(启动不了,先启动rpcbind)

客户端
[root@192 ~]# vim /etc/auto.master
# For details of the format look at auto.master(5).
/ldapuser       /etc/ldap.misc(添加此条)
#
/misc   /etc/auto.misc

[root@192 ~]# cp /etc/auto.misc /etc/ldap.misc

[root@192 ~]# vim /etc/ldap.misc
#removable      -fstype=ext2            :/dev/hdd
*               -fstype=nfs             192.168.10.16:/ldapuser/&(添加此条)

[root@192 ~]# systemctl start autofs.service(再次使用ldap1登录客户端即可

客户端获取不到ldap用户这个我今晚再看看,大神也给下建议。