Migrating from NIS to LDAP ("Linux Active Directory")

The goal of this article is to migrate NIS accounts to an LDAP directory on Linux.

Lab environment:

Server role    System     IP             Notes
LDAP-SERVER    RHEL 5.4   192.168.0.1    station1.example.com
NIS-SERVER     RHEL 5.4   192.168.0.2
LDAP-CLIENT    RHEL 5.4   192.168.0.3
NIS-CLIENT     RHEL 5.4   192.168.0.4

The article proceeds in the following steps:

1.      Install and configure the NIS server and client; verify that the client joins the NIS domain correctly.

2.      Install and configure the LDAP server and client; verify that the client can talk to the LDAP server over an encrypted channel.

3.      Migrate the accounts from NIS-SERVER to LDAP-SERVER; test from both clients.

Note: the configuration is described in great detail, so that it can be followed by someone with no NIS or LDAP background. It serves both as a review of my earlier NIS study and as a way to practise and consolidate the LDAP work I am doing now.

 

1. Install and configure the NIS server and client; verify that the client works after joining the NIS domain

NIS (Network Information Service)

Notes:

NIS provides centralized account authentication for environments with a modest number of Linux hosts.

Although NIS has largely been replaced by LDAP directories on Linux, it is still worth understanding this traditional form of centralized authentication.

NIS was originally Sun's "Yellow Pages" (yp) service, which is why its daemons and tools still carry the yp prefix (ypserv, ypbind, ypcat, ...).

Like NFS, NIS depends on the RPC service: its daemons register their ports with the portmapper.

Supplement: Red Hat's summary of NIS (RHS333):

Type: System V-managed services
Packages: ypserv
Daemons: ypserv, rpc.yppasswdd, rpc.ypxfrd
Scripts: ypserv, yppasswdd, ypxfrd
Ports: dynamically assigned by portmap

A user added on the NIS server is not visible to clients until the NIS maps are rebuilt from the local account files; the command that does this is:

make -C /var/yp

NIS security can be tightened in three areas: TCP wrappers and iptables, static ports, and /var/yp/securenets.

This lab uses static port bindings controlled with iptables; the same host restriction can also be expressed in the securenets file, whose lines take the form "netmask network":

/var/yp/securenets:  255.255.255.0 192.168.0.0    allows access from this network only

Caveat: iptables and securenets only decide which hosts may talk to ypserv at all. Within an allowed network, which maps a host may read is decided by the access rules in /etc/ypserv.conf (see step B below).

(1) NIS server setup (this configuration largely follows "Vbird" (鸟哥))

Required software:

         yp-tools: NIS query and lookup commands;
         ypbind: NIS client configuration;
         ypserv: NIS server;
         portmap: the RPC port mapper (on RHEL 5 this is portmap; rpcbind replaced it in later releases).

[root@nis-server ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       nis-server      localhost.localdomain localhost
#::1            localhost6.localdomain6 localhost6
192.168.0.1     station1.example.com
192.168.0.3     ldap-client
192.168.0.4     nis-client
[root@nis-server ~]#
[root@nis-server ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:17:19:21
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0

This shows the server's network settings.

[root@nis-server ~]# rpm -qa | grep yp
yp-tools-2.9-0.1
ypbind-1.19-12.el5
[root@nis-server ~]#

yp-tools and ypbind are installed by default; only ypserv needs to be added:

[root@nis-server ~]# yum -y install ypserv

Files to configure:

         /etc/ypserv.conf              ypserv options and per-map access rules
         /etc/hosts                    name resolution
         /etc/sysconfig/network        name resolution and the NIS domain name
         /var/yp/Makefile              used when building the map databases

Main services:

         /usr/sbin/ypserv              the NIS server daemon
         /usr/sbin/rpc.yppasswdd       the optional password-change service; through it NIS users can change their password on the NIS server directly

Main commands:

         /usr/lib/yp/ypinit            builds the map databases
         /usr/bin/yppasswd             lets NIS users change their password

The configuration in detail:

         A. Set the NIS domain name

[root@nis-server ~]# vim /etc/sysconfig/network
[root@nis-server ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=nis-server
NISDOMAIN=ytrbnis                                    the NIS domain name
YPSERV_ARGS="-p 1011"                           bind ypserv to the fixed port 1011 so that it can be controlled with iptables
[root@nis-server ~]#

         B. Configure /etc/ypserv.conf

[root@nis-server ~]# vim /etc/ypserv.conf
[root@nis-server ~]# cat /etc/ypserv.conf

dns: no                                          whether NIS falls back to DNS for host lookups; not needed in a lab, and NIS is rarely used with a large number of hosts anyway

# How many map file handles should be cached ?
files: 30                                         number of map file handles kept open; 30 is plenty here

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
127.0.0.0/255.255.255.0         :       *       :       *       :       none
192.168.0.0/255.255.255.0       :       *       :       *       :       none
*                               :       *       :       *       :       deny

Each access rule has the form:  host or network : NIS domain name : map name : security

The security field is none (no restriction), port (answer only requests coming from a privileged source port, below 1024) or deny (refuse). Rules are evaluated in order and the first match wins.

Caveat: with the rules above, every host in 192.168.0.0/24 can read every map with "none", including shadow.byname, so any user on an allowed host can dump the password hashes with ypcat. The comment shipped in the file is about exactly this; the stock file restricts shadow.byname and passwd.adjunct.byname to "port", and that is the safer setting to keep.

         C. Set up the hosts table so that host names resolve to IP addresses

[root@nis-server ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       nis-server      localhost.localdomain localhost
#::1            localhost6.localdomain6 localhost6
192.168.0.1     station1.example.com
192.168.0.3     ldap-client
192.168.0.4     nis-client
[root@nis-server ~]# hostname
nis-server
[root@nis-server ~]#

         D. Start the related services: RPC (portmap), ypserv and yppasswdd

Note: to make yppasswdd listen on a fixed port as well, edit /etc/sysconfig/yppasswdd:

[root@nis-server ~]# vim /etc/sysconfig/yppasswdd
[root@nis-server ~]# tail -n 1 /etc/sysconfig/yppasswdd
YPPASSWDD_ARGS="--port 1012"
[root@nis-server ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
[root@nis-server ~]# /etc/init.d/ypserv restart
Stopping YP server services:                               [FAILED]
Setting NIS domain name ytrbnis:                           [  OK  ]
Starting YP server services:                               [  OK  ]
[root@nis-server ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service:                                [FAILED]
Starting YP passwd service:                                [  OK  ]
[root@nis-server ~]# chkconfig ypserv on
[root@nis-server ~]# chkconfig yppasswdd on

The start order matters: portmap must be running before the other two, because ypserv registers its port with portmap. (The "Stopping ... [FAILED]" lines only mean the services were not running yet.)

To verify, run the two commands below; output like the following means the services are up and ready:

[root@nis-server ~]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1011  ypserv
    100004    1   udp   1011  ypserv
    100004    2   tcp   1011  ypserv
    100004    1   tcp   1011  ypserv
    100009    1   udp   1012  yppasswdd
[root@nis-server ~]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
[root@nis-server ~]#

         E. Build the maps and create test accounts

[root@nis-server ~]# useradd -u 1001 nisuser1
[root@nis-server ~]# useradd -u 1002 nisuser2
[root@nis-server ~]# useradd -u 1003 nisuser3
[root@nis-server ~]# echo password | passwd --stdin nisuser1
Changing password for user nisuser1.
passwd: all authentication tokens updated successfully.
[root@nis-server ~]# echo password | passwd --stdin nisuser2
Changing password for user nisuser2.
passwd: all authentication tokens updated successfully.
[root@nis-server ~]# echo password | passwd --stdin nisuser3
Changing password for user nisuser3.
passwd: all authentication tokens updated successfully.

Use ypinit to build the NIS maps from the local account files:

[root@nis-server ~]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  nis-server is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  nis-server
        next host to add:
The current list of NIS servers looks like this:

nis-server

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/ytrbnis/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/ytrbnis'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/ytrbnis'

nis-server has been set up as a NIS master server.

Now you can run ypinit -s nis-server on all slave server.
[root@nis-server ~]# echo $?
0
[root@nis-server ~]#

The exit status 0 confirms that the maps were built successfully. (Accounts added later are not visible to clients until the maps are rebuilt with make -C /var/yp.)

         F. Open the ports in the firewall

[root@nis-server ~]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 111,1011 -j ACCEPT
[root@nis-server ~]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 111,1011,1012 -j ACCEPT

These rules are possible only because ypserv and yppasswdd were pinned to ports 1011 and 1012 above; with dynamically assigned RPC ports there would be nothing stable to allow. Rules inserted with iptables -I live in the running kernel only; run "service iptables save" to keep them across a reboot.

This completes the NIS server setup.
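Added example (my own code, not from the article): the three checks that go with the hardening points above, run offline against text copied from or modelled on the article's own rpcinfo output, securenets line and ypserv.conf rules. It shows that, with the rules as configured above, a non-root user on nis-client (unprivileged source port) can read shadow.byname, and that restricting that map to "port", as the stock ypserv.conf does, closes it. The sample texts are constructed, the function names are mine, and the host field of ypserv.conf is matched as an address or address/netmask here (host names are not resolved).

```python
"""Offline checks for the NIS hardening points: static ports, securenets, ypserv.conf ACLs.

Added example, not part of the original article. The texts below are constructed
samples copied from / modelled on the article's own output and configuration.
"""
import ipaddress

# ---- static ports: parse "rpcinfo -p" output (copied from the article) -------
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1011  ypserv
    100004    1   udp   1011  ypserv
    100004    2   tcp   1011  ypserv
    100004    1   tcp   1011  ypserv
    100009    1   udp   1012  yppasswdd
"""


def rpc_ports(rpcinfo_text):
    """Map each registered RPC service name to the set of (proto, port) it listens on."""
    ports = {}
    for line in rpcinfo_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit():     # skip the header line
            _prog, _vers, proto, port, name = parts
            ports.setdefault(name, set()).add((proto, int(port)))
    return ports


def unpinned_services(rpcinfo_text, expected):
    """Services in `expected` ({name: port}) that are missing or not on that exact port.
    A non-empty result means the iptables rules for the fixed ports protect nothing."""
    ports = rpc_ports(rpcinfo_text)
    return [name for name, port in expected.items()
            if {p for _proto, p in ports.get(name, set())} != {port}]


# ---- /var/yp/securenets: "netmask network" or "host address" lines ----------
SECURENETS = """\
# /var/yp/securenets: netmask network (constructed, same network as the article)
255.0.0.0       127.0.0.0
255.255.255.0   192.168.0.0
"""


def securenets_allows(securenets_text, client_ip):
    """True if securenets lists a network or host containing client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for raw in securenets_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, second = line.split()
        if first == "host":
            net = ipaddress.ip_network(second + "/32")
        else:                                   # "netmask network"
            net = ipaddress.ip_network(f"{second}/{first}", strict=False)
        if ip in net:
            return True
    return False                                # anything not listed is refused


# ---- /etc/ypserv.conf: "host : domain : map : security", first match wins ----
PAGE_YPSERV_CONF = """\
dns: no
files: 30
127.0.0.0/255.255.255.0         :       *       :       *       :       none
192.168.0.0/255.255.255.0       :       *       :       *       :       none
*                               :       *       :       *       :       deny
"""

# Same rules with shadow.byname limited to privileged ports, as the stock file does.
HARDENED_YPSERV_CONF = """\
dns: no
files: 30
*                               :       *       :       shadow.byname   :       port
127.0.0.0/255.255.255.0         :       *       :       *       :       none
192.168.0.0/255.255.255.0       :       *       :       *       :       none
*                               :       *       :       *       :       deny
"""


def ypserv_access(conf_text, client_ip, domain, mapname, src_port):
    """True if ypserv would serve `mapname` to this client and source port under these rules."""
    ip = ipaddress.ip_address(client_ip)
    for raw in conf_text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) != 4:                    # option lines such as "dns: no" have two fields
            continue
        host, dom, mp, security = fields
        if host != "*":
            net = ipaddress.ip_network(host if "/" in host else host + "/32", strict=False)
            if ip not in net:
                continue
        if dom != "*" and dom != domain:
            continue
        if mp != "*" and mp != mapname:
            continue
        if security == "none":
            return True
        if security == "port":                  # privileged source port: root, not ordinary users
            return src_port < 1024
        return False                            # "deny"
    return True   # assumption: no matching rule falls through to allow; the article's
                  # rules end with a catch-all deny, so this line is never reached for them


if __name__ == "__main__":
    print("not pinned:", unpinned_services(RPCINFO_SAMPLE, {"ypserv": 1011, "yppasswdd": 1012}))
    print("securenets 192.168.0.4:", securenets_allows(SECURENETS, "192.168.0.4"))
    print("securenets 10.0.0.5:", securenets_allows(SECURENETS, "10.0.0.5"))
    # ypcat shadow.byname from an unprivileged port on nis-client, page rules vs hardened rules:
    print("page:", ypserv_access(PAGE_YPSERV_CONF, "192.168.0.4", "ytrbnis", "shadow.byname", 40000))
    print("hardened:", ypserv_access(HARDENED_YPSERV_CONF, "192.168.0.4", "ytrbnis", "shadow.byname", 40000))
```

Run it as a script to see the four results; to check a real server, feed it the actual output of rpcinfo -p and the actual securenets and ypserv.conf files instead of the samples.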

 

 

(2) NIS client setup

Software needed on the client: ypbind and yp-tools, both installed by default.

Files involved:

         /etc/sysconfig/network                     NIS domain name
         /etc/hosts                                 name resolution
         /etc/yp.conf                               ypbind configuration (which server to bind to)
         /etc/sysconfig/authconfig
         /etc/pam.d/system-auth                     adds NIS support to the PAM stack
         /etc/nsswitch.conf                         account lookup order

Client commands:

         /usr/bin/yppasswd                          change password
         /usr/bin/ypchsh                            change login shell
         /usr/bin/ypchfn                            change user information (GECOS)

Editing all of these files by hand on every client is tedious, so the system provides a tool for it: run "setup", choose the authentication configuration, enable NIS and fill in the NIS domain (ytrbnis) and the NIS server (192.168.0.2).

(screenshots of the setup / authentication configuration dialogs omitted)

Check that the entries were added to the client configuration files automatically:

(screenshot omitted)

Verifying the NIS client: yptest, ypwhich and ypcat

(screenshot omitted)

The maps generated on the server are visible from the client.

(screenshot omitted)

An ordinary user can change their own password in the NIS domain with yppasswd; the new password just has to satisfy the password rules.

The NIS client is configured and tested successfully.

 

Now the second part: install and configure the LDAP server and client, and verify that the client can communicate with the LDAP server over an encrypted channel.

1. LDAP server configuration

         A. Install Red Hat Directory Server (RHDS) and open the corresponding firewall ports

Use rpm -q to verify that the openldap-clients and openldap-servers packages are installed; both are required. openldap-clients provides the command-line management tools, and openldap-servers provides the ldap user and group that the directory server will run as.

[root@station1 ~]# rpm -qa | grep openldap
openldap-servers-2.3.43-3.el5
openldap-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
[root@station1 ~]#

[root@station1 RHDS]# yum -y install java-1.5.0-ibm-1.5.0.5-1jpp.5.el5.i386.rpm

Running Transaction

  Installing     : libXp                                                                                   1/2

  Installing     : java-1.5.0-ibm                                                                           2/2

[root@station1 RHDS]# yum -y install redhat-ds

[root@station1 RHDS]# setup-ds-admin.pl -k

 

==============================================================================

This program will set up the Red Hat Directory and Administration Servers.

 

It is recommended that you have "root" privilege to set up the software.

Tips for using this program:

  - Press "Enter" to choose the default and go to the next screen

  - Type "Control-B" then "Enter" to go back to the previous screen

  - Type "Control-C" to cancel the setup program

 

Would you like to continue with set up? [yes]:                   continue: yes

 

==============================================================================

BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY

AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE

LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS

OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

 

Do you agree to the license terms? [no]: yes                                                accept the license

 

==============================================================================

Your system has been scanned for potential problems, missing patches,

etc.  The following output is a report of the items found that need to

be addressed before running this software in a production

environment.

 

Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.

 

NOTICE : System is i686-unknown-linux2.6.18-164.el5 (2 processors).

 

WARNING: 503MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

 

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds

(120 minutes).  This may cause temporary server congestion from lost

client connections.

 

WARNING: There are only 1024 file descriptors (hard limit) available, which

limit the number of simultaneous connections. 

 

WARNING: There are only 1024 file descriptors (soft limit) available, which

limit the number of simultaneous connections. 

 

Would you like to continue? [no]: yes                                  the system could use tuning; continue anyway

 

==============================================================================

Choose a setup type:

 

   1. Express

       Allows you to quickly set up the servers using the most

       common options and pre-defined defaults. Useful for quick

       evaluation of the products.

 

   2. Typical

       Allows you to specify common defaults and options.

 

   3. Custom

       Allows you to specify more advanced options. This is

       recommended for experienced server administrators only.

 

To accept the default shown in brackets, press the Enter key.

 

Choose a setup type [2]:                                              setup type: Typical

 

==============================================================================

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: eros.example.com.

 

To accept the default shown in brackets, press the Enter key.

 

Computer name [station1.example.com]:                                 computer name: keep the default

 

==============================================================================

The servers must run as a specific user in a specific group.

It is strongly recommended that this user should have no privileges

on the computer (i.e. a non-root user).  The setup procedure

will give this user/group some permissions in specific paths/files

to perform server-specific operations.

 

If you have not yet created a user and group for the servers,

create this user and group using your native operating

system utilities.

 

System User [nobody]: ldap                                                             the user and group the directory server runs as

System Group [nobody]: ldap

 

==============================================================================

Server information is stored in the configuration directory server.

This information is used by the console and administration server to

configure and manage your servers.  If you have already set up a

configuration directory server, you should register any servers you

set up or create with the configuration server.  To do so, the

following information about the configuration server is required: the

fully qualified host name of the form

<hostname>.<domainname>(e.g. hostname.example.com), the port number

(default 389), the suffix, the DN and password of a user having

permission to write the configuration information, usually the

configuration directory administrator, and if you are using security

(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port

number (default 636) instead of the regular LDAP port number, and

provide the CA certificate (in PEM/ASCII format).

 

If you do not yet have a configuration directory server, enter 'No' to

be prompted to set up one.

 

Do you want to register this software with an existing

configuration directory server? [no]:                                                    register with an existing configuration directory server: no

 

==============================================================================

Please enter the administrator ID for the configuration directory

server.  This is the ID typically used to log in to the console.  You

will also be prompted for the password.

 

Configuration directory server

administrator ID [admin]:                                                                        console username and password: the default admin, password redhat

Password:

Password (confirm):

 

==============================================================================

The information stored in the configuration directory server can be

separated into different Administration Domains.  If you are managing

multiple software releases at the same time, or managing information

about multiple domains, you may use the Administration Domain to keep

them separate.

 

If you are not using administrative domains, press Enter to select the

default.  Otherwise, enter some descriptive, unique name for the

administration domain, such as the name of the organization

responsible for managing the domain.

 

Administration Domain [example.com]: station1.example.com                                a name for the administration domain; any name will do

 

==============================================================================

The standard directory server network port number is 389.  However, if

you are not logged as the superuser, or port 389 is in use, the

default value will be a random unused port number greater than 1024.

If you want to use port 389, make sure that you are logged in as the

superuser, that port 389 is not in use.

 

Directory server network port [389]:                                                                                directory server port: keep the default

 

==============================================================================

Each instance of a directory server requires a unique identifier.

This identifier is used to name the various

instance specific files and directories in the file system,

as well as for other uses as a server instance identifier.

 

Directory server identifier [station1]:                       keep the default

 

==============================================================================

The suffix is the root of your directory tree.  The suffix must be a valid DN.

It is recommended that you use the dc=domaincomponent suffix convention.

For example, if your domain is example.com,

you should use dc=example,dc=com for your suffix.

Setup will create this initial suffix for you,

but you may have more than one suffix.

Use the directory server utilities to create additional suffixes.

 

Suffix [dc=example, dc=com]: dc=station1,dc=example,dc=com                                                  the directory suffix

 

==============================================================================

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and typically has a

bind Distinguished Name (DN) of cn=Directory Manager.

You will also be prompted for the password for this user.  The password must

be at least 8 characters long, and contain no spaces.

 

Directory Manager DN [cn=Directory Manager]:                                              DN and password of the most privileged LDAP user; keep the DN, the password must be at least 8 characters. Type it carefully: a typo here is not reported as an error.

Password:

Password (confirm):

 

==============================================================================

The Administration Server is separate from any of your web or application

servers since it listens to a different port and access to it is

restricted.

 

Pick a port number between 1024 and 65535 to run your Administration

Server on. You should NOT use a port number which you plan to

run a web or application server on, rather, select a number which you

will remember and which will not be used for anything else.

 

Administration port [9830]: 8888                                                            console (admin server) port

 

==============================================================================

The interactive phase is complete.  The script will now set up your

servers.  Enter No or go Back if you want to change something.

 

Are you ready to set up your servers? [yes]:

Creating directory server . . .

Your new DS instance 'station1' was successfully created.

Creating the configuration directory server . . .

Beginning Admin Server creation . . .

Creating Admin Server files and directories . . .

Updating adm.conf . . .

Updating admpw . . .

Registering admin server with the configuration directory server . . .

Updating adm.conf with information from configuration directory server . . .

Updating the configuration for the httpd engine . . .

Starting admin server . . .

The admin server was successfully started.

Admin server was successfully created, configured, and started.

Exiting . . .

Log file is '/tmp/setup5YKRgD.log'

 

[root@station1 RHDS]# /etc/init.d/dirsrv restart                                                                                      start the directory server
Shutting down dirsrv:
    station1...                                            [  OK  ]
Starting dirsrv:
    station1...                                            [  OK  ]
[root@station1 RHDS]# /etc/init.d/dirsrv-admin restart                                                                         start the admin (console) server
Shutting down dirsrv-admin:
                                                           [  OK  ]
Starting dirsrv-admin:
                                                           [  OK  ]
[root@station1 RHDS]# chkconfig dirsrv on
[root@station1 RHDS]# chkconfig dirsrv-admin on
[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 389 -j ACCEPT
[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 636 -j ACCEPT
[root@station1 RHDS]# iptables -I RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp --dport 8888 -j ACCEPT                              open the firewall ports; 636 is opened now in preparation for LDAP over SSL later
[root@station1 RHDS]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
[root@station1 RHDS]#
[root@station1 RHDS]# redhat-idm-console
Java Accessibility Bridge for GNOME loaded.

Jun 7, 2012 10:04:04 AM java.util.prefs.FileSystemPreferences$2 run
INFO: Created user preferences directory.
[root@station1 RHDS]#

Login test:

(screenshot of the console login omitted)

Login succeeded.

Next, some basic LDAP directory operations, partly as a review of what was covered before:

1. ldapsearch: querying the directory

[root@ldap-client ~]# ldapsearch -x 'uid=chong' -s sub -b 'ou=People,dc=station1,dc=example,dc=com' -h 192.168.0.1

Options a client query needs:

-x   use a simple bind instead of SASL (this says nothing about encryption; the connection is plain LDAP unless TLS is negotiated, see -Z below)
-s   scope: sub searches the whole subtree, one searches only the immediate children of the base, base only the base entry itself
-b   the DN at which the search starts
-h   the address of the LDAP server

Typing such a long command for every query is tedious, so shorten it with the client defaults file:

[root@ldap-client ~]# vim /etc/openldap/ldap.conf
[root@ldap-client ~]# cat /etc/openldap/ldap.conf
BASE    dc=station1,dc=example,dc=com
HOST    station1.example.com
[root@ldap-client ~]# ldapsearch -x 'uid=chong'

With these two lines the base and host no longer have to be given on every command.

[root@ldap-client ~]# ldapsearch -x -Z 'uid=chong'
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=chong
# requesting: ALL
#

# chong, People, station1.example.com
dn: uid=chong,ou=People, dc=station1,dc=example,dc=com
mail: [email protected]
uid: chong
givenName: hu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: chong
cn: hu chong

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ldap-client ~]# ldapsearch -x -ZZ 'uid=chong'
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
[root@ldap-client ~]#

-Z issues a StartTLS request and carries on in the clear if it fails; -ZZ requires StartTLS to succeed. Neither side has been set up for TLS yet, so the server rejects the StartTLS extended operation: with -Z the search still returns the entry (unencrypted), with -ZZ it fails. Use -ZZ whenever the data must not travel in the clear; otherwise a failed StartTLS silently downgrades the session to plaintext.

[root@ldap-client ~]# ldapsearch -x -LLL 'uid=chong'
dn: uid=chong,ou=People, dc=station1,dc=example,dc=com
mail: [email protected]
uid: chong
givenName: hu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: chong
cn: hu chong

[root@ldap-client ~]# ldapsearch -x -L 'uid=chong' | wc -l
25
[root@ldap-client ~]# ldapsearch -x -LLL 'uid=chong' | wc -l
11
[root@ldap-client ~]#

-L prints LDIFv1 output, -LL also drops the comments, and -LLL drops the version line as well, giving the most compact output.

 

Note: the commands below are administrative operations done on the server, so there is no need to run them from the client.

2. ldapdelete: removing an entry from the directory

Example: deleting a user

[root@station1 ~]# vim /etc/openldap/ldap.conf
[root@station1 ~]# tail -n 2 /etc/openldap/ldap.conf
BASE    dc=station1,dc=example,dc=com
HOST    station1.example.com
[root@station1 ~]# vim .ldaprc
[root@station1 ~]# cat .ldaprc
BINDDN  cn=Directory Manager
[root@station1 ~]# pwd
/root

These are the server-side defaults set before deleting: BASE and HOST as on the client, plus a BINDDN in ~/.ldaprc so that -W below prompts for the Directory Manager password without -D having to be typed each time. (Until TLS is enabled later in this article, that password crosses the network in the clear whenever these tools are run against a remote host; here they run on the server itself.)

[root@station1 ~]# ldapsearch -x 'uid=sun' | grep dn
dn: uid=sun,ou=People, dc=station1,dc=example,dc=com
[root@station1 ~]#
[root@station1 ~]# echo 'uid=sun,ou=People, dc=station1,dc=example,dc=com' > delete.ldif
[root@station1 ~]# cat delete.ldif
uid=sun,ou=People, dc=station1,dc=example,dc=com
[root@station1 ~]# ldapdelete -x -W -f delete.ldif
Enter LDAP Password:
[root@station1 ~]# ldapsearch -x 'uid=sun'
[root@station1 ~]#

The steps: look up the entry's DN, write that DN to a file, and pass the file to ldapdelete with -f. The empty search afterwards confirms that the entry is gone.

 

3. ldapmodrdn: renaming an entry (changing its RDN)

A user's uid=... is an RDN, for example. The man page carries an example that explains the command quickly:

EXAMPLE
       Assuming that the file /tmp/entrymods exists and has the contents:

           cn=Modify Me,dc=example,dc=com
           cn=The New Me

       the command:

           ldapmodrdn -r -f /tmp/entrymods

       will change the RDN of the "Modify Me" entry from "Modify Me" to "The New Me" and the old cn, "Modify Me" will be removed.

That is the example from man ldapmodrdn. The same thing for our user:

[root@station1 ~]# vim rdn.ldif
[root@station1 ~]# cat rdn.ldif
uid=chong,ou=People, dc=station1,dc=example,dc=com
uid=xiaohu
[root@station1 ~]# ldapmodrdn -x -r -W -f rdn.ldif
Enter LDAP Password:
[root@station1 ~]# ldapsearch -x 'uid=chong'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=chong
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

The search for uid=chong now returns no entry: it was renamed to uid=xiaohu and, because of -r, the old uid value was removed instead of being kept as an extra attribute value.

4. ldapadd: creating a new entry

[root@station1 ~]# ldapsearch -x 'uid=tclow' -LLL
dn: uid=tclow, ou=People, dc=station1,dc=example,dc=com
cn: Torrey Clow
sn: Clow
givenName: Torrey
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: tclow
mail: [email protected]
telephoneNumber: +1 408 555 8825
facsimileTelephoneNumber: +1 408 555 1992
roomNumber: 4376
manager: uid=trigden, ou=People, dc=station1,dc=example,dc=com

Dump an existing entry in LDIF, edit it into the new entry (so that the DN and uid read shmadmin), then add it with ldapadd. -c continues past errors instead of stopping at the first one:

[root@station1 ~]# ldapsearch -x 'uid=tclow' -LLL > addr.ldif
[root@station1 ~]# vim addr.ldif
[root@station1 ~]# ldapadd -x -W -c -f addr.ldif
Enter LDAP Password:
adding new entry "uid=shmadmin, ou=People, dc=station1,dc=example,dc=com"

[root@station1 ~]# ldapsearch -x 'uid=shmadmin' | wc -l
28
[root@station1 ~]#

 

5. ldapmodify: the general modification tool

ldapmodify performs several kinds of LDAP operation from one LDIF file: adding and deleting entries, and adding, replacing or deleting attributes of an entry. This one deserves a closer look.

The three change types:

changetype: add             add an entry (its attributes follow)
changetype: delete          delete an entry

changetype: modify          modify an entry, with one or more of:
         add: attribute
         attribute: newvalue

         replace: attribute
         attribute: newvalue

         delete: attribute

Several modifications to the same entry are separated by a line containing a single "-".

The experiments below exercise these in turn:

[root@station1 ~]# ldapsearch -x 'uid=xiaohu' > modify.ldif

[root@station1 ~]# vim modify.ldif

[root@station1 ~]# ldapmodify -x -W -f modify.ldif

Enter LDAP Password:

modifying entry "uid=xiaohu,ou=People, dc=station1,dc=example,dc=com"

 

[root@station1 ~]# cat modify.ldif

# xiaohu, People, station1.example.com

dn: uid=xiaohu,ou=People, dc=station1,dc=example,dc=com

changetype: modify

replace: mail

mail: [email protected]

-

delete: telephoneNumber

telephoneNumber: 123456789

-

[root@station1 ~]# ldapsearch -x 'uid=xiaohu'

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=xiaohu

# requesting: ALL

#

 

# xiaohu, People, station1.example.com

dn: uid=xiaohu,ou=People, dc=station1,dc=example,dc=com

mail: [email protected]

givenName: hu

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

sn: chong

cn: hu chong

uid: xiaohu

mobile: 1111111

title: ddddd

 

# search result

search: 2

result: 0 Success

 

# numResponses: 2

# numEntries: 1

[root@station1 ~]#

The search confirms both modifications: mail was replaced and telephoneNumber was removed.
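Added example (my own code, not the article's, and not the migration tool the article uses in its third step): the ldapadd/ldapmodify LDIF shown in sections 4 and 5 written by a program, for the NIS-to-LDAP migration this article is heading towards. It converts passwd and shadow lines into "changetype: add" entries of the RFC 2307 posixAccount/shadowAccount classes (RHDS ships that schema), carrying the crypt hashes over as {crypt} userPassword values and base64-encoding any value that is not LDIF-safe, as ldapmodify requires. The account lines and hashes are constructed samples; the base DN is the article's ou=People,dc=station1,dc=example,dc=com.

```python
"""Generate LDIF for migrating NIS (passwd/shadow) accounts into the directory.

Added example, not part of the original article. Sample accounts and hashes
below are constructed (the hashes are not real crypt output).
"""
import base64

BASE_DN = "ou=People,dc=station1,dc=example,dc=com"   # suffix used in the article

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nisuser1:x:1001:1001::/home/nisuser1:/bin/bash
nisuser2:x:1002:1002:胡冲:/home/nisuser2:/bin/bash
nisuser3:x:1003:1003:Nis User3,Room 4:/home/nisuser3:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$notreal0$rootrootrootrootroot.:15500:0:99999:7:::
nisuser1:$1$notreal1$nisuser1hashnisuser1h:15500:0:99999:7:::
nisuser2:!!:15500:0:99999:7:::
nisuser3:$1$notreal3$nisuser3hashnisuser3h:15500:0:99999:7:::
"""


def ldif_line(attr, value):
    """One attribute line per RFC 2849: base64 ("::") when the value is not LDIF-safe."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_colon_file(text):
    """Split passwd/shadow text into field lists, skipping blank and comment lines."""
    return [line.split(":") for line in (l.strip() for l in text.splitlines())
            if line and not line.startswith("#")]


def passwd_to_ldif(passwd_text, shadow_text, base_dn=BASE_DN, min_uid=500):
    """Return LDIF adding one entry per account with uid >= min_uid.

    Hashes are copied verbatim as {crypt}...; a locked hash ("!$1$...") stays locked
    because no password crypts to it, and "!!" / "*" (no password) yields an entry
    without userPassword, so nobody can log in as it until one is set.
    """
    shadow = {f[0]: f for f in parse_colon_file(shadow_text)}
    entries = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:                   # system accounts stay local
            continue
        full_name = gecos.split(",")[0] or name
        lines = [
            f"dn: uid={name},{base_dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: shadowAccount",
            ldif_line("uid", name),
            ldif_line("cn", full_name),          # cn is a DirectoryString: UTF-8 allowed
            f"uidNumber: {uid}",
            f"gidNumber: {gid}",
            ldif_line("homeDirectory", home),
            ldif_line("loginShell", shell or "/bin/sh"),
        ]
        if gecos and gecos.isascii():            # gecos is IA5String in RFC 2307: ASCII only
            lines.append(ldif_line("gecos", gecos))
        sh = shadow.get(name)
        if sh and len(sh) >= 5:
            hashval, last_change, max_days = sh[1], sh[2], sh[4]
            if hashval and hashval not in ("!!", "*"):
                lines.append(ldif_line("userPassword", "{crypt}" + hashval))
            if last_change:
                lines.append(f"shadowLastChange: {last_change}")
            if max_days:
                lines.append(f"shadowMax: {max_days}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"       # LDIF records are separated by a blank line


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD_SAMPLE, SHADOW_SAMPLE), end="")
```

Save the output to a file and load it on the server with ldapadd -x -W -f users.ldif (the BINDDN comes from ~/.ldaprc as set up above). The file carries password hashes, so create it under a restrictive umask and remove it afterwards; once TLS is working, load it from a remote host only with -ZZ.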

With the operations above we can search, delete, add and modify entries on the LDAP server. Next come TLS and ACIs.

TLS encrypts the traffic between the LDAP server and its clients. ACIs (access control instructions) restrict which information each user may see: not everything should be open to everyone, and sensitive attributes such as passwords and telephone numbers are the obvious examples.

First experiment: encrypted communication between client and server.

Encryption needs a certificate, and a certificate needs a certificate authority (CA) to sign it. In this lab the LDAP server itself also acts as the CA.

1. Create the CA

[root@station1 ~]# rpm -qa | grep openssl                       openssl is used to generate the keys
openssl-0.9.8e-12.el5
openssl-devel-0.9.8e-12.el5
[root@station1 ~]# cd /etc/pki/
[root@station1 pki]# ls
CA  nssdb  rpm-gpg  tls
[root@station1 pki]# cd tls/
[root@station1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@station1 tls]# vim openssl.cnf
[root@station1 tls]# cd ..
[root@station1 pki]# ls
CA  nssdb  rpm-gpg  tls
[root@station1 pki]# pwd
/etc/pki
[root@station1 pki]# cd CA/
[root@station1 CA]# ls
private
[root@station1 CA]# mkdir {certs,crl,newcerts}
[root@station1 CA]# touch index.txt
[root@station1 CA]# echo 01 > serial
[root@station1 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@station1 CA]# (umask 077; openssl genrsa -out private/my-ca.key)                                        create the CA private key
Generating RSA private key, 512 bit long modulus
.............++++++++++++
.++++++++++++
e is 65537 (0x10001)
[root@station1 CA]# cd private/
[root@station1 private]# ls
my-ca.key
[root@station1 private]# cd ..
[root@station1 CA]# ls
certs  crl  index.txt  newcerts  private  serial

Caveat: without an explicit size, openssl 0.9.8e generates a 512-bit RSA key, as the output shows. A 512-bit modulus can be factored with modest resources and offers no real protection; outside a throwaway lab, give the size explicitly (openssl genrsa -out private/my-ca.key 2048). The umask 077 in the subshell is what keeps the key file readable by root only.

[root@station1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt                  create the self-signed CA certificate from the CA private key (the bracketed defaults come from the openssl.cnf edited above)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShanDong]:
Locality Name (eg, city) [yantai]:
Organization Name (eg, company) [chong, Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:station1.example.com
Email Address []:
[root@station1 CA]# ls
certs  crl  index.txt  my-ca.crt  newcerts  private  serial
[root@station1 CA]#


After these steps the CA is in place, with its private key (private/my-ca.key) and its self-signed certificate (my-ca.crt). Because the CA is also the LDAP server in this lab, both live on the same host, but they still use separate keys: the server gets its own key pair and certificate in the steps below.

Step 2: generate the LDAP server's certificate signing request (station1.csr)

This is done in the Directory Server console's certificate management dialog:

(screenshot omitted)

First enter the password that protects the server's key database (redhat).

(screenshots omitted)

Click Request to start the certificate request wizard; it creates a CSR file. Click Next to continue through the remaining screens.

(screenshots omitted)

第三步:CA中心对LDAP SERVER产生的证书请求文件进行签名,并生成LDAP-server的公钥,发送给LDAP-server

[root@station1 ~]# openssl ca -in station1.csr -out station1.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jun 11 03:04:23 2012 GMT

            Not After : Jun 11 03:04:23 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = ShanDong

            organizationName          = chong, Inc.

            organizationalUnitName    = IT

            commonName                = station1.example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                42:D5:8A:6F:96:DC:1B:FD:43:2A:2B:C6:44:36:F1:D4:D8:42:C7:70

            X509v3 Authority Key Identifier:

                keyid:60:95:AB:5A:79:41:1E:9E:14:51:87:74:8C:1A:C6:88:C1:4B:B9:EE

 

Certificate is to be certified until Jun 11 03:04:23 2013 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@station1 ~]# ls

addr.ldif        delete.ldif  Example.ldif  install.log.syslog  rdn.ldif      station1.csr

anaconda-ks.cfg  Desktop      install.log   modify.ldif         station1.crt

[root@station1 ~]#

The CA has signed the LDAP server's certificate request and produced the LDAP server's public certificate, station1.crt.

Step 4: install the CA certificate (my-ca.crt) and the signed server certificate (station1.crt) on the LDAP server


Step 5: enable TLS encryption on the LDAP server


Step 6: restart the service

[root@station1 ~]# /etc/init.d/dirsrv restart

Shutting down dirsrv:

    station1...                                            [确定]

Starting dirsrv:

    station1...Enter PIN for Internal (Software) Token:

                                                           [确定]

[root@station1 ~]# vim /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# vim /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# cat /etc/dirsrv/slapd-station1/pin.txt

Internal (Software) Token:redhat

[root@station1 ~]# chmod 400 /etc/dirsrv/slapd-station1/pin.txt

[root@station1 ~]# service dirsrv restart

Shutting down dirsrv:

    station1...                                            [确定]

Starting dirsrv:

    station1...                                            [确定]

[root@station1 ~]#

Step 7: client test

[root@ldap-client ~]# scp 192.168.0.1:/etc/pki/CA/my-ca.crt /root/

[root@ldap-client ~]# cp my-ca.crt /etc/openldap/cacerts/

[root@ldap-client ~]# cd /etc/openldap/cacerts/

[root@ldap-client cacerts]# ls

my-ca.crt

[root@ldap-client cacerts]# vim /etc/openldap/ldap.conf

[root@ldap-client cacerts]# tail -n 3 /etc/openldap/ldap.conf

BASE    dc=station1,dc=example,dc=com

HOST    station1.example.com

TLS_CACERT      /etc/openldap/cacerts/my-ca.crt

[root@ldap-client cacerts]#

The test succeeded: the client now talks to the server over an encrypted connection. The second major experiment is complete!

Now the last experiment: migrate the NIS-SERVER accounts to the LDAP-SERVER and test from both clients.

The main steps are: join ldap-server to the NIS domain, export the user information from the NIS domain into files with the same format as the local /etc/passwd, group and shadow files, then import them with the migration scripts.

1. Join the LDAP-SERVER to the NIS domain

[root@station1 ~]# authconfig-tui

停止 portmap                                             [确定]

启动 portmap                                             [确定]

关联到 NIS 域:                                            [确定]

监听 NIS 域服务器。

2. Obtain the user, password and group files

[root@station1 ~]#

[root@station1 ~]# ypcat passwd

nisuser3:$1$8xCDhab.$KzPfmanT1hRlDlRYvY8mU.:1003:1003::/home/nisuser3:/bin/bash

nisuser1:$1$LxBjkOYD$nobktqZXdTxhjJXjOiyfi1:1001:1001::/home/nisuser1:/bin/bash

nisuser2:$1$eLc7c2ti$ONm9/c2266YUn/oyep21//:1002:1002::/home/nisuser2:/bin/bash

Obtain the user names, passwords, groups and other information from the NIS domain and put them into files; the file format must be identical to the local user and password files.

[root@station1 ~]# ypcat passwd > passwd.nis                        user file

[root@station1 ~]# vim passwd.nis

[root@station1 ~]# ypcat group > group.nis                              group file

[root@station1 ~]# cat group.nis

nisuser3:!:1003:

nisuser1:!:1001:

nisuser2:!:1002:

[root@station1 ~]# sed -r 's/\$1\$.{8}\$.{22}/x/g' passwd.nis  > passwd.nis.new

[root@station1 ~]# mv passwd.nis.new passwd.nis

mv:是否覆盖“passwd.nis? y

[root@station1 ~]# cat passwd.nis

nisuser3:x:1003:1003::/home/nisuser3:/bin/bash

nisuser1:x:1001:1001::/home/nisuser1:/bin/bash

nisuser2:x:1002:1002::/home/nisuser2:/bin/bash

Generate the shadow password file from the passwd file

[root@station1 ~]# for i in $( cut -d: -f1-2 /root/passwd.nis );do

> echo "$i:$[$(date +%s)/86400]:0:99999:7:::"

> done > /root/shadow.nis

The files are now generated: passwd.nis, shadow.nis and group.nis.
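Note that the loop above reads passwd.nis after sed has already replaced every hash with `x`, so the password field of each shadow.nis entry is `x` as well (the later `getent shadow` output shows this). The following added example, not part of the original post, performs the same split but carries the original hash into the shadow file and checks that no hash is left in the passwd file; the NIS map it reads is constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example, not from the original post: turn a `ypcat passwd` dump into
# passwd- and shadow-format files for the migration tools, keeping the original
# hash in the shadow file instead of discarding it.
# The map below is constructed; the hashes are placeholders, not real ones.
SAMPLE_MAP='nisuser3:$1$abcdefgh$0123456789ABCDEFGHIJKL:1003:1003::/home/nisuser3:/bin/bash
nisuser1:$1$ABCDEFGH$abcdefghijklmnopqrstuv:1001:1001::/home/nisuser1:/bin/bash
nisuser2:$1$12345678$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::/home/nisuser2:/bin/bash'

# passwd-format lines: field 2 becomes "x", every other field is kept verbatim.
nis_to_passwd() {
    awk -F: 'BEGIN { OFS = ":" } NF >= 7 { $2 = "x"; print }' "$1"
}

# shadow-format lines: login, the ORIGINAL hash, last-change day, then the
# same min/max/warn values the post uses (0:99999:7) and empty trailing fields.
nis_to_shadow() {
    awk -F: -v lastchg="$2" 'NF >= 7 { print $1 ":" $2 ":" lastchg ":0:99999:7:::" }' "$1"
}

# Days since the epoch, the value the post computes with $[$(date +%s)/86400].
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# Returns 0 when no line of a passwd-format file still carries a hash in field 2.
passwd_has_no_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { bad = 1 } END { exit bad }' "$1"
}

# Demo: write the files into a scratch directory; shadow.nis is readable by root only.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_MAP" > "$WORK/passwd.map"
nis_to_passwd "$WORK/passwd.map" > "$WORK/passwd.nis"
nis_to_shadow "$WORK/passwd.map" "$(days_since_epoch)" > "$WORK/shadow.nis"
chmod 600 "$WORK/shadow.nis"
cat "$WORK/passwd.nis" "$WORK/shadow.nis"
```

Point migrate_passwd.pl at the shadow file this produces, as the post does below, and the migrated entries keep their NIS password hashes.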

3. Prepare the migration

[root@station1 ~]# find /  -type d -name migration

/usr/share/openldap/migration

[root@station1 ~]# cd /usr/share/openldap/migration/

[root@station1 migration]# ls

base.ldif                       migrate_automount.pl        migrate_passwd.pl

migrate_aliases.pl              migrate_base.pl             migrate_profile.pl

migrate_all_netinfo_offline.sh  migrate_common.ph           migrate_protocols.pl

migrate_all_netinfo_online.sh   migrate_fstab.pl            migrate_rpc.pl

migrate_all_nis_offline.sh      migrate_group.pl            migrate_services.pl

migrate_all_nis_online.sh       migrate_hosts.pl            migrate_slapd_conf.pl

migrate_all_nisplus_offline.sh  migrate_netgroup_byhost.pl  migration-tools.txt

migrate_all_nisplus_online.sh   migrate_netgroup_byuser.pl  README

migrate_all_offline.sh          migrate_netgroup.pl

migrate_all_online.sh           migrate_networks.pl

[root@station1 migration]# vim migrate_common.ph

       $NAMINGCONTEXT{'group'}             = "ou=Groups";

 

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "station1.example.com";

 

# Default base

$DEFAULT_BASE = "dc=station1,dc=example,dc=com";

 

# turn this on to support more general object clases

# such as person.

$EXTENDED_SCHEMA = 1;

 

[root@station1 migration]# ./migrate_base.pl > /root/base.ldif

[root@station1 migration]# vim migrate_passwd.pl

    open(SHADOW, "/root/shadow.nis") || return;

[root@station1 migration]# ./migrate_passwd.pl /root/passwd.nis /root/passwd.ldif

 

[root@station1 migration]# ./migrate_group.pl /root/group.nis /root/group.ldif

[root@station1 migration]#

Import the migration files to perform the migration

[root@station1 migration]# ldapadd -x -W -c -f /root/base.ldif

[root@station1 migration]# ldapadd -x -W -c -f /root/passwd.ldif

[root@station1 migration]# ldapadd -x -W -c -f /root/group.ldif

[root@station1 migration]#

Once this succeeds, the directory already contains the users! Local test:

The users have been added; they also need home directories, otherwise they cannot log in. Run system-config-authentication:


Note: the LDAP server must be given here by its host name, not as an IP address, otherwise users cannot log in; with tls_checkpeer enabled the client verifies the server certificate's CN (station1.example.com) against the configured server name, and an IP address does not match it.

This point is very important, and it took me a week to figure out. What a pain!

If an LDAP user cannot log in on the client, the cause is one of the following problems:

The first is configuring the server by IP address, as described above; the second is that the user has no home directory, shell or similar information. The error messages look like this:

Jun 27 18:46:31 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

Jun 27 18:46:35 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...

Jun 27 18:46:43 localhost su: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

Test whether the client can resolve the user names

[root@nis-client cacerts]# ldapsearch -x -ZZ 'uid=xiama'

# extended LDIF

#

# LDAPv3

# base <> with scope subtree

# filter: uid=xiama

# requesting: ALL

#

 

# search result

search: 3

result: 0 Success

 

# numResponses: 1

[root@nis-client cacerts]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@nis-client cacerts]#

The test succeeded!

Let us continue the experiment.

Running getent shadow shows some of the sensitive information from shadow. To keep anonymous users from seeing it, we configure the client so that only a dedicated account of our own can read the sensitive information.

1.Preparing the LDAP directory server

Create an administrator account on the configured LDAP server:

redhat-idm-console

Configuration, Passwords: choose the crypt password storage scheme;

Add a new administrator, client-root;

Add a new ACI and modify the ACI used by anonymous users;

The result after the modification is shown below:


Apply the changes shown above; done.

Configuring clients for LDAP authentication

system-config-authentication

Select LDAP user information and LDAP authentication;

Edit the configuration file /etc/ldap.conf:

tls_checkpeer yes            use TLS and verify the server certificate

tls_cacertfile   /etc/openldap/cacerts/my-ca.crt             path of the CA certificate file

pam_password crypt                          password hashing scheme: crypt

[root@ldap-client cacerts]# vim /etc/ldap.conf

[root@ldap-client cacerts]# cat /etc/ldap.conf | grep rootbinddn

rootbinddn uid=client-root,dc=station1,dc=example,dc=com

[root@ldap-client cacerts]#

/etc/ldap.secret stores the rootbinddn password in plain text; set it to mode 600, owned by user root and group root.

[root@ldap-client cacerts]# cat /etc/ldap.secret

root

[root@ldap-client cacerts]#

The password I used here is root, which is client-root's LDAP password;

Now test:

[root@ldap-client cacerts]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@ldap-client cacerts]#

[root@ldap-client cacerts]#

[root@ldap-client cacerts]# getent shadow | grep nisuser

nisuser3:x:15502::99999:7:::

nisuser1:x:15502::99999:7:::

nisuser2:x:15502::99999:7:::

[root@ldap-client cacerts]#

 

You can see the difference between the two clients here;

[root@nis-client ~]# getent shadow | grep nisuser

nisuser3:*:::::::

nisuser1:*:::::::

nisuser2:*:::::::

[root@nis-client ~]# getent passwd | grep nisuser

nisuser3:x:1003:1003:nisuser3:/home/nisuser3:/bin/bash

nisuser1:x:1001:1001:nisuser1:/home/nisuser1:/bin/bash

nisuser2:x:1002:1002:nisuser2:/home/nisuser2:/bin/bash

[root@nis-client ~]#

 

This part of the experiment ends here; it was also a review of what I learned before!

Because the server had problems in the middle, the review and experiment were delayed for a long time, a whole week; I feel quite uncomfortable about it!

 

Tomorrow I start LECTURE 8 KERBEROS AND LDAP