ldap介紹
OpenLDAP is an open-source implementation of Lightweight Directory Access Protocol developed by OpenLDAP project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under OpenLDAP public license; it is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.
It functions like a relational database in certain ways and can be used to store any information. LDAP is not limited to store the information; it is also used as a backend database for “single sign-on” where one password for a user is shared between many services.
In this tutorial, we will configure OpenLDAP for centralized login where the users use the single account to log in on multiple servers.
測試環境
| 主機名 | IP | 操作系統 | 角色 |
|---|---|---|---|
| elk02.lavenliu.com | 192.168.6.35 | CentOS 7 64位 | LDAP server |
| elk03.lavenliu.com | 192.168.6.36 | CentOS 7 64位 | LDAP client |
兩台機器的/etc/hosts文件要能夠解析對方:
[root@elk02 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.46 ansibile.lavenliu.com ansible
192.168.6.25 elk01.lavenliu.com elk01
192.168.6.35 elk02.lavenliu.com elk02
192.168.6.36 elk03.lavenliu.com elk03
192.168.6.165 elk04.lavenliu.com elk04
[root@elk03 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.46 ansibile.lavenliu.com ansible
192.168.6.25 elk01.lavenliu.com elk01
192.168.6.35 elk02.lavenliu.com elk02
192.168.6.36 elk03.lavenliu.com elk03
192.168.6.165 elk04.lavenliu.com elk04
如果我們想使用域名而非IP地址的話,那么我們就要配置DNS服務了。本文將在配置文件中使用IP地址。
安裝LDAP服務端
在服務端安裝如下軟件包:
yum -y install openldap compat-openldap openldap-clients \
openldap-servers openldap-servers-sql openldap-devel
安裝完畢,啟動LDAP服務並加入開機自啟動:
[root@elk02 ~]# systemctl start slapd.service
[root@elk02 ~]# systemctl enable slapd.service
驗證服務是否啟動成功:
[root@elk02 ~]# netstat -antup |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2984/slapd
tcp6 0 0 :::389 :::* LISTEN 2984/slapd
設置LDAP的root密碼
Run below command to create an LDAP root password; we will use this root password throughout this article. So make a note of this and keep it aside.
[root@elk02 ~]# slappasswd
New password: 123456
Re-enter new password: 123456
{SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc
配置LDAP服務端
OpenLDAP servers configuration files are found in /etc/openldap/slapd.d/. To start with the configuration of LDAP, we would need to update the variables “olcSuffix” and “olcRootDN“.
- olcSuffix: Database Suffix, it is the domain name for which the LDAP server provides the information. In simple words, it should be changed to your domain
name. - olcRootDN: Root Distinguished Name (DN) entry for the user who has the unrestricted access to perform all administration activities on LDAP, like a root user.
- olcRootPW: Password for the above RootDN.
Above entries are to be updated in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file. Manually edit of LDAP configuration is not recommended as you will lose changes whenever you run ldapmodify command.
[root@elk02 ~]# cd /etc/openldap/slapd.d/cn=config
[root@elk02 cn=config]# vim db.ldif
[root@elk02 cn=config]# cat >> db.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lavenliu,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lavenliu,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc
EOF
[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Make a changes to /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (Do not edit manually) file to restrict the monitor access only to ldap root (ldapadm) user not to others.
# vi monitor.ldif
cat >> monitor.ldif <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
EOF
Once you have updated the file, send the configuration to the LDAP server.
[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
創建LDAP證書
Let’s create a self-signed certificate for our LDAP server, below command generates both certificate and private key in /etc/openldap/certs/ directory.
[root@elk02 cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lavenliuldapcert.pem -keyout /etc/openldap/certs/lavenliuldapkey.pem -days 365
Generating a 2048 bit RSA private key
......................................+++
..........................................................................................+++
writing new private key to '/etc/openldap/certs/lavenliuldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:LavenLiu
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:elk02.lavenliu.com
Email Address []:admin@lavenliu.com
Set the owner and group permissions to ldap.
[root@elk02 cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem
Verify the created LDAP certificate under /etc/openldap/certs/.
[root@elk02 cn=config]# ll /etc/openldap/certs/*.pem
-rw-r--r-- 1 ldap ldap 1456 Sep 11 15:12 /etc/openldap/certs/lavenliuldapcert.pem
-rw-r--r-- 1 ldap ldap 1704 Sep 11 15:12 /etc/openldap/certs/lavenliuldapkey.pem
Create certs.ldif file to configure LDAP to use secure communication using a self-signed certificate.
# vi certs.ldif
cat >> certs.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lavenliuldapcert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lavenliuldapkey.pem
EOF
Import the configurations to LDAP server.
[root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
Verify the configuration:
[root@elk02 cn=config]# slaptest -u
59b638fb UNKNOWN attributeDescription "CHANGETYPE" inserted.
59b638fb UNKNOWN attributeDescription "REPLACE" inserted.
59b638fb is_entry_objectclass("cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
59b638fb is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
59b638fb is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded # 主要看這個提示
You should get the following message confirms the verification is complete.
config file testing succeeded
設置LDAP數據庫
Copy the sample database configuration file to /var/lib/ldap and update the file permissions.
[root@elk02 cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@elk02 cn=config]# chown ldap:ldap /var/lib/ldap/*
Add the cosine and nis LDAP schemas.
[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Generate base.ldif file for your domain.
# vi base.ldif
cat >> base.ldif <<EOF
dn: dc=lavenliu,dc=com
dc: lavenliu
objectClass: top
objectClass: domain
dn: cn=ldapadm ,dc=lavenliu,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager
dn: ou=People,dc=lavenliu,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=lavenliu,dc=com
objectClass: organizationalUnit
ou: Group
EOF
Build the directory structure.
[root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f base.ldif
Enter LDAP Password: 123456
adding new entry "dc=lavenliu,dc=com"
adding new entry "cn=ldapadm ,dc=lavenliu,dc=com"
adding new entry "ou=People,dc=lavenliu,dc=com"
adding new entry "ou=Group,dc=lavenliu,dc=com"
ldapadd command will prompt you for the password of ldapadm (LDAP root user).輸出:
Enter LDAP Password:
adding new entry "dc=lavenliu,dc=com"
adding new entry "cn=ldapadm ,dc=lavenliu,dc=com"
adding new entry "ou=People,dc=lavenliu,dc=com"
adding new entry "ou=Group,dc=lavenliu,dc=com"
創建LDAP用戶
Let’s create an LDIF file for a new user called taoqi.
cat >> taoqi.ldif <<EOF
dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: taoqi
uid: taoqi
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/taoqi
loginShell: /bin/bash
gecos: Taoqi [Admin (at) LavenLiu]
userPassword: {SSHA}WEjZ/aebhtGztTrHsjhg4Hrtp1bk5FzL
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
Use the ldapadd command with the above file to create a new user called “taoqi” in OpenLDAP directory.
[root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f taoqi.ldif
Enter LDAP Password: 123456
adding new entry "uid=taoqi,ou=People,dc=lavenliu,dc=com"
Assign a password to the user.
[root@elk02 cn=config]# ldappasswd -s password123 -W -D "cn=ldapadm,dc=lavenliu,dc=com" -x "uid=taoqi,ou=People,dc=lavenliu,dc=com"
Enter LDAP Password:123456
選項的含義:
-sspecify the password for the username-xusername for which the password is changed-DDistinguished name to authenticate to the LDAP server.
Verify LDAP entries.
[root@elk02 cn=config]# ldapsearch -x cn=taoqi -b dc=lavenliu,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=lavenliu,dc=com> with scope subtree
# filter: cn=taoqi
# requesting: ALL
#
# taoqi, People, lavenliu.com
dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: taoqi
uid: taoqi
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/taoqi
loginShell: /bin/bash
gecos: Raj [Admin (at) LavenLiu]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9VWdRK25qTEtOWEk3YUNrclMyUkVZS3F4VTRpR1FDeWc=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
To delete an entry from LDAP (Optional).
ldapdelete -W -D "cn=ldapadm,dc=lavenliu,dc=com" "uid=taoqi,ou=People,dc=lavenliu,dc=com"
添加防火牆規則
Add the LDAP service to the firewall (tcp 389).
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
開啟LDAP日志
Configure Rsyslog to log a LDAP events to log file /var/log/ldap.log.
vi /etc/rsyslog.conf
# Add below line to /etc/rsyslog.conf file.
echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf
Restart the rsyslog service.
systemctl restart rsyslog
配置LDAP客戶端
Install the necessary LDAP client packages on the client machine.
[root@elk03 ~]# yum install -y openldap-clients nss-pam-ldapd
Execute the below command to add the client machine to LDAP server for single sign on. Replace “192.168.6.35” with your LDAP server’s IP address or hostname.
[root@elk03 ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.6.35 --ldapbasedn="dc=lavenliu,dc=com" --enablemkhomedir --update
getsebool: SELinux is disabled
[root@elk03 ~]# echo $?
0
Restart the LDAP client service.
[root@elk03 ~]# systemctl restart nslcd
驗證LDAP登錄
Use getent command to get the LDAP entries from the LDAP server.
[root@elk03 ~]# getent passwd taoqi
taoqi:x:9999:100:Taoqi [Admin (at) LavenLiu]:/home/taoqi:/bin/bash
[root@elk03 ~]# id taoqi
uid=9999(taoqi) gid=100(users) groups=100(users)
[root@elk03 ~]# su - taoqi
Creating directory '/home/taoqi'.
[taoqi@elk03 ~]$ pwd
/home/taoqi