Linux环境下通过OpenLDAP实现用户的统一认证和管理
测试环境:
OpenLDAP Server <-------------------------------------------->OpenLDAP Client
ip:192.168.4.178 ip:192.168.4.177
Centos 6.4 Centos 6.4
hostname:openvpn hostname:openvpn-client
一、OpenLDAP Server的安装和配置
[root@openvpn ~]# yum install -y openldap openldap-servers openldap-clients
[root@openvpn ~]# cd /etc/openldap/
[root@openvpn openldap]# mv slapd.d slapd.d-bak
[root@openvpn openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
创建slappasswd密码:
[root@openvpn ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX
[root@openvpn openldap]# vi /etc/openldap/slapd.conf
suffix "dc=test,dc=com"
rootpw {SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX /将md5值粘贴到此
directory /var/lib/ldap
[root@openvpn openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded
[root@openvpn openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@openvpn openldap]#cd /var/lib/ldap
[root@openvpn ldap]# chown ldap.ldap DB_CONFIG*
[root@openvpn ldap]#cd
[root@openvpn ~]# service slapd start
[root@openvpn ~]#chkconfig slapd on
[root@openvpn ldap]# ldapsearch -x -b "dc=test,dc=com"
ldap_sasl_bind(SIMPLE): Can‘t contact LDAP server (-1)
解决方法:
[root@openvpn ldap]# vi /etc/sysconfig/ldap
SLAPD_LDAPI=no
[root@openvpn ldap]# vi /etc/openldap/ldap.conf
base dc=test,dc=com
uri ldap://192.168.4.178
[root@openvpn ldap]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@openvpn ldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
创建用户ldapuser1,ldapuser2其密码分别为123456
[root@openvpn ldap]# useradd ldapuser1
[root@openvpn ldap]# echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@openvpn ldap]# useradd ldapuser2
[root@openvpn ldap]# echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
安装migrationtools迁移本地用户到LDAP的工具包
[root@openvpn ldap]# yum install -y migrationtools
[root@openvpn ldap]# cd /usr/share/migrationtools/
[root@openvpn migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";
# Default base
$DEFAULT_BASE = "dc=test,dc=com";
[root@openvpn migrationtools]# ./migrate_base.pl > base.ldif
[root@openvpn migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@openvpn migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif /迁移用户
[root@openvpn migrationtools]# vi user.ldif
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$fiweB1Cv$UrLDDL9yWi8W7djPJQosXGEb3v5VbSmyhzRdunpWHJso0hysXeus9i0c87vY2CVQSb0ySU.Uv6moqzZBB1nF//
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$RK3zu0Np$2FssBfu3XJIeKOmJzyOmZgWoXk9npkpZquGvac0HoWbeB6A1aNjX.a2mxQhPIi6mhScV.PNTdE2AIs1l758GC1
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2
[root@openvpn migrationtools]# ./migrate_group.pl /etc/group ./group.ldif /迁移组
[root@openvpn migrationtools]# vi group.ldif
n: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 502
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 503
[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test.com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
解决方法:
[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"
[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"
[root@openvpn ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"
[root@openvpn ~]# ldapsearch -x -b "dc=test.com" /报错
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
解决方法:
[root@openvpn ~]# ldapsearch -x -b "dc=test,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# test.com
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain
# People, test.com
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, test.com
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZpd2VCMUN2JFVyTERETDl5V2k4VzdkalBKUW9zWEdFYjN2NVZ
iU215aHpSZHVucFdISnNvMGh5c1hldXM5aTBjODd2WTJDVlFTYjB5U1UuVXY2bW9xelpCQjFuRi8v
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1
# ldapuser2, People, test.com
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFJLM3p1ME5wJDJGc3NCZnUzWEpJZUtPbUp6eU9tWmdXb1hrOW5
wa3BacXVHdmFjMEhvV2JlQjZBMWFOalguYTJteFFoUElpNm1oU2NWLlBOVGRFMkFJczFsNzU4R0Mx
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2
# ldapuser1, Group, test.com
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 502
# ldapuser2, Group, test.com
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 503
# search result
search: 2
result: 0 Success
# numResponses: 8
# numEntries: 7
二、OpenLDAP Client安装和配置
[root@openvpn-client ~]# yum install openldap openldap-clients -y
[root@openvpn-client ~]# yum install -y nss-pam-ldapd pam_ldap
[root@openvpn-client ~]# vi /etc/openldap/ldap.conf
BASE dc=test,dc=com
URI ldap://192.168.4.178
[root@openvpn-client ~]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@openvpn-client ~]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[root@openvpn-client ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[root@openvpn-client ~]# service nslcd restart
[root@openvpn-client ~]#chkconfig nslcd on
三、通过NFS实现LDAP用户/home的自动挂载
四、通过Phpldapadmin实现LDAP用户的WEB创建和管理
本文出自 “Bruce_tan” 博客,请务必保留此出处http://380281.blog.51cto.com/370281/1535659
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。