Linux环境下通过OpenLDAP实现用户的统一认证和管理

测试环境:

OpenLDAP Server <-------------------------------------------->OpenLDAP Client

ip:192.168.4.178                                                                 ip:192.168.4.177

Centos 6.4                                                                             Centos 6.4

hostname:openvpn                                                              hostname:openvpn-client

一、OpenLDAP Server的安装和配置

[root@openvpn ~]# yum install -y openldap openldap-servers openldap-clients                                
[root@openvpn ~]# cd /etc/openldap/
[root@openvpn openldap]# mv slapd.d slapd.d-bak
[root@openvpn openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
创建slappasswd密码:

[root@openvpn ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX

[root@openvpn openldap]# vi /etc/openldap/slapd.conf

suffix          "dc=test,dc=com"
rootpw          {SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX    /将md5值粘贴到此

directory       /var/lib/ldap

[root@openvpn openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded

[root@openvpn openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@openvpn openldap]#cd /var/lib/ldap

[root@openvpn ldap]# chown ldap.ldap DB_CONFIG*

[root@openvpn ldap]#cd

[root@openvpn ~]# service slapd start
[root@openvpn ~]#chkconfig slapd on

[root@openvpn ldap]# ldapsearch -x -b "dc=test,dc=com"
ldap_sasl_bind(SIMPLE): Can‘t contact LDAP server (-1)


解决方法:
[root@openvpn ldap]# vi /etc/sysconfig/ldap
SLAPD_LDAPI=no

[root@openvpn ldap]# vi /etc/openldap/ldap.conf
base    dc=test,dc=com
uri     ldap://192.168.4.178

[root@openvpn ldap]# service slapd restart
Stopping slapd: [  OK  ]
Starting slapd: [  OK  ]

[root@openvpn ldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

 

创建用户ldapuser1,ldapuser2其密码分别为123456

[root@openvpn ldap]# useradd ldapuser1
[root@openvpn ldap]# echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@openvpn ldap]# useradd ldapuser2
[root@openvpn ldap]# echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.

 

安装migrationtools迁移本地用户到LDAP的工具包

[root@openvpn ldap]# yum install -y migrationtools

[root@openvpn ldap]# cd /usr/share/migrationtools/
[root@openvpn migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";

# Default base
$DEFAULT_BASE = "dc=test,dc=com";

[root@openvpn migrationtools]# ./migrate_base.pl > base.ldif

[root@openvpn migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@openvpn migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif   /迁移用户
[root@openvpn migrationtools]# vi user.ldif
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$fiweB1Cv$UrLDDL9yWi8W7djPJQosXGEb3v5VbSmyhzRdunpWHJso0hysXeus9i0c87vY2CVQSb0ySU.Uv6moqzZBB1nF//
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$RK3zu0Np$2FssBfu3XJIeKOmJzyOmZgWoXk9npkpZquGvac0HoWbeB6A1aNjX.a2mxQhPIi6mhScV.PNTdE2AIs1l758GC1
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

[root@openvpn migrationtools]# ./migrate_group.pl /etc/group ./group.ldif    /迁移组
[root@openvpn migrationtools]# vi group.ldif

n: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 502

dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 503

[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test.com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

解决方法:
[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"

[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"

adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"

[root@openvpn ~]# ldapsearch -x -b "dc=test.com"    /报错
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

解决方法:
[root@openvpn ~]# ldapsearch -x -b "dc=test,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.com
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

# People, test.com
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, test.com
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZpd2VCMUN2JFVyTERETDl5V2k4VzdkalBKUW9zWEdFYjN2NVZ
 iU215aHpSZHVucFdISnNvMGh5c1hldXM5aTBjODd2WTJDVlFTYjB5U1UuVXY2bW9xelpCQjFuRi8v
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

# ldapuser2, People, test.com
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFJLM3p1ME5wJDJGc3NCZnUzWEpJZUtPbUp6eU9tWmdXb1hrOW5
 wa3BacXVHdmFjMEhvV2JlQjZBMWFOalguYTJteFFoUElpNm1oU2NWLlBOVGRFMkFJczFsNzU4R0Mx
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

# ldapuser1, Group, test.com
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 502

# ldapuser2, Group, test.com
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 503

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

 

二、OpenLDAP Client安装和配置

[root@openvpn-client ~]# yum install openldap openldap-clients -y

[root@openvpn-client ~]# yum install -y nss-pam-ldapd pam_ldap

 

[root@openvpn-client ~]# vi /etc/openldap/ldap.conf

BASE dc=test,dc=com
URI ldap://192.168.4.178

[root@openvpn-client ~]# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:         files ldap

 

[root@openvpn-client ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

 

[root@openvpn-client ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required     pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required     pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required     pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

 

[root@openvpn-client ~]# service nslcd restart

[root@openvpn-client ~]#chkconfig nslcd on

 

三、通过NFS实现LDAP用户/home的自动挂载

 

 

四、通过Phpldapadmin实现LDAP用户的WEB创建和管理

本文出自 “Bruce_tan” 博客,请务必保留此出处http://380281.blog.51cto.com/370281/1535659

Linux环境下通过OpenLDAP实现用户的统一认证和管理,古老的榕树,5-wow.com

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。