Newer OpenLDAP releases deprecate the slapd.conf configuration file in favour of dynamic configuration (cn=config), so avoid editing the configuration files directly.
If you did edit the files directly, check them with the slaptest -u command.
1. Install OpenLDAP (the EPEL repository may be needed)
yum install openldap openldap-clients openldap-servers
2. Start OpenLDAP
systemctl start slapd
systemctl enable slapd
Check that the server answers (a missing space before the filter makes this command fail):
ldapsearch -x -b '' -s base '(objectclass=*)'
3. Configure the LDAP super administrator
Generate a password hash; it will be used below as the value of olcRootPW:
slappasswd -s "pass"
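As an added example that is not part of the original post, this Python reproduces what slappasswd -s emits: the {SSHA} scheme used for olcRootPW here, beside the unsalted {MD5} form that add_user.ldif in step 7 uses for userPassword, with a verifier for both.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original post. {SSHA}, which slappasswd -s
# emits, is base64(SHA-1(password || salt) || salt); {MD5} as used in
# add_user.ldif is a bare, unsalted digest, so equal passwords give equal
# values in every directory and precomputed tables apply to it.

SHA1_LEN = 20  # bytes; everything after the digest in an {SSHA} value is salt


def ssha_hash(password, salt=None):
    """Produce a userPassword value in {SSHA} form, as slappasswd -s does."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt size is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password):
    """Produce the unsalted {MD5} form (shown only to contrast with {SSHA})."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored, candidate):
    """Check a candidate password against a {SSHA} or {MD5} userPassword value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme == "{SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    elif scheme == "{MD5":
        digest = raw
        calc = hashlib.md5(candidate.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported userPassword scheme: " + scheme + "}")
    return hmac.compare_digest(calc, digest)  # constant-time comparison


def is_salted(stored):
    """True when the stored value carries a per-entry salt ({SSHA} here)."""
    return stored.startswith("{SSHA}")
```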
Create the admin.ldif file (the root DN must match the cn=root,dc=example,dc=com account that the later ldapadd commands bind with):

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}FqSgnCQY0evw7T3pZRfnKVHByAOhNSFS4

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none

Import the configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f admin.ldif
4. Configure the database
OpenLDAP's default database is BerkeleyDB.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
Import the schemas:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
5. Create the default DN
Create the base.ldif file:

dn: dc=example,dc=com
o: company
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=root,dc=example,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

Import the configuration:
ldapadd -x -W -D "cn=root,dc=example,dc=com" -f base.ldif
Add a line with the default base DN to /etc/openldap/ldap.conf; without it, ldapsearch returns nothing unless a base DN is given explicitly:
BASE dc=example,dc=com
Check that the DN just added is there:
ldapsearch -x -D "cn=root,dc=example,dc=com" -W
6. Enable memberOf
By default OpenLDAP uses posixGroup for groups, and a posixGroup has no real correspondence with its users; to tie them together, the users have to be added to the posixGroup separately.
Once memberOf is enabled, groups can be given the groupOfUniqueNames type and users can be filtered by group; that filter is exact.
Enable memberof and make newly added users carry memberOf.
Create memberof_config.ldif:
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
Create refint1.ldif:

dn: cn=module{0},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint

Create refint2.ldif:

dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof member manager owner

Import the configuration:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
Verify the configuration; this command lists all of it:
slapcat -b cn=config
7. Create a user and a group
Create the file add_user.ldif:
dn: cn=user,dc=example,dc=com
cn: user
sn: user
uid: user
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {MD5}ICy5YqxZB1uWSwcVLDFSDSNLcA==
Create add_group.ldif:
dn: cn=users,dc=example,dc=com
objectClass: groupofnames
cn: users
description: default group
member: cn=user,dc=example,dc=com
Import the configuration:
ldapadd -x -D cn=root,dc=example,dc=com -W -f add_user.ldif
ldapadd -x -D cn=root,dc=example,dc=com -W -f add_group.ldif
8. Turn on OpenLDAP logging
Configure rsyslog:
mkdir -p /var/log/slapd
touch /var/log/slapd/slapd.log
chown -R ldap:ldap /var/log/slapd
echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf
systemctl restart rsyslog
Note that setting the olcLogLevel attribute to "-1" turns on full debug logging; see http://www.openldap.org/doc/admin24/slapdconf2.html
Create log.ldif:

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: -1

Import the configuration:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f log.ldif
9. Disable anonymous access
By default anonymous users can read every user's information, even the password field; although the password is stored hashed, that is still dangerous.
Create the disable_anon.ldif file:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Import the configuration:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif
10. Set ACLs
Deny every ordinary user from reading user information, and add dedicated LDAP management accounts.
Create acl.ldif:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.base="cn=ldapadmin,ou=manage,dc=example,dc=com" write by * none
olcAccess: {1}to * by anonymous auth by dn.base="cn=ldapadmin,ou=manage,dc=example,dc=com" write by dn.base="cn=ldapread,ou=manage,dc=example,dc=com" read by * none

Import the configuration:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif
Deleting an ACL
Create the file del_acl.ldif (this removes the first olcAccess value, {0}):

dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f del_acl.ldif
Create the management users
Create add_ou.ldif:
dn: ou=manage,dc=example,dc=com
ou: manage
description: Directory Manager
objectClass: top
objectClass: organizationalUnit
Create add_manage_user.ldif:

dn: cn=ldapadmin,ou=manage,dc=example,dc=com
cn: ldapadmin
sn: ldapadmin
uid: ldapadmin
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}4eDZHnxvfOOoAgSM6tDLDueCIUB9sRuDHVpVJ

dn: cn=ldapread,ou=manage,dc=example,dc=com
cn: ldapread
sn: ldapread
uid: ldapread
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}4eDZHnxvfOOoAgSM6tDLDueCIUB9sRuDHVpVJ

Import the configuration:
ldapadd -x -D cn=root,dc=example,dc=com -W -f add_ou.ldif
ldapadd -x -D cn=root,dc=example,dc=com -W -f add_manage_user.ldif
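The LDIF files above (base.ldif, add_group.ldif, acl.ldif, add_manage_user.ldif) are written one step at a time, and every DN in them, including the dn.base="..." clauses inside olcAccess, has to sit under the same suffix or binds and ACL matches silently fail. As an added example that is not part of the original post, this small Python LDIF reader reports any DN outside the expected suffix; the SAMPLE input is constructed for the demonstration.

```python
import re

# Added example (not from the original post): flag DN-valued attributes in
# LDIF that fall outside the expected suffix. Base64 (::) values are not decoded.
DN_ATTRS = {"dn", "member", "uniquemember", "olcrootdn", "manager", "owner"}
DN_BASE_RE = re.compile(r'dn\.(?:base|exact|subtree|one|children)="([^"]+)"')


def parse_ldif(text):
    """Entries as lists of (attr, value); blank lines separate entries and a
    line starting with a space continues the previous value."""
    entries, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        elif line.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + line[1:])
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def foreign_dns(text, suffix):
    """(attr, dn) pairs not under suffix; cn=config entries and SASL cn=auth
    pseudo-DNs legitimately live elsewhere and are skipped."""
    want = suffix.replace(" ", "").lower()
    found = []
    for entry in parse_ldif(text):
        for attr, val in entry:
            dns = [val] if attr.lower() in DN_ATTRS else []
            if attr.lower() == "olcaccess":
                dns += DN_BASE_RE.findall(val)
            for dn in dns:
                n = dn.replace(" ", "").lower()
                if n != want and not n.endswith(("cn=config", "cn=auth", "," + want)):
                    found.append((attr, dn))
    return found


# Constructed sample: a group whose member sits under a different suffix.
SAMPLE = """\
dn: cn=users,dc=example,dc=com
member: cn=user,dc=taovip,dc=com

dn: olcDatabase={2}hdb,cn=config
olcAccess: to * by dn.base="cn=ldapadmin,ou=manage,dc=example,dc=com" write
  by * none
"""
```

Run foreign_dns(open("add_group.ldif").read(), "dc=example,dc=com") on each file before importing it; an empty list means every DN is under the suffix.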