Redhat7 openldap安装步骤

最新推荐文章于 2023-08-09 17:29:35 发布

原创最新推荐文章于 2023-08-09 17:29:35 发布 · 1.3k 阅读

1 ·

CC 4.0 BY-SA版权

学习博客专栏收录该内容

22 篇文章

订阅专栏

本文档详细介绍了在Redhat7上安装openldap的步骤，包括关闭防火墙和SELinux，安装openldap及相关组件，配置slapd.ldif文件，重启并验证服务，以及客户端配置和SSSD集成。通过这些步骤，可以成功建立一个openldap服务器并实现用户身份验证。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

【防火墙关闭】
######关闭防火墙
systemctl stop firewalld.service #停止firewall
systemctl disable firewalld.service #禁止firewall开机启动
######关闭SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

【安装】
yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss- pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl

【验证】
rpm -qa |grep openldap

【修改OpenLDAP的slapd.ldif配置文件】
cp /usr/share/openldap-servers/slapd.ldif /root/
vim /root/slapd.ldif
################################# slapd.ldif 内容如下 ##########
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#

#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password

#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

#include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" read by dn.base="cn=Manager,dc=wangxing,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=wangxing,dc=com
olcRootDN: cn=Manager,dc=wangxing,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
#dn: olcDatabase=hdb,cn=config
#objectClass: olcDatabaseConfig
#objectClass: olcHdbConfig
#olcDatabase: hdb
#olcSuffix: dc=my-domain,dc=com
#olcRootDN: cn=Manager,dc=my-domain,dc=com
#olcDbDirectory: /var/lib/ldap
#olcDbIndex: objectClass eq,pres
#olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

################################# slapd.ldif 内容 end ##########

【重新生成OpenLDAP的配置】
rm -rf /etc/openldap/slapd.d/* #删除原来的配置
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif #生成新配置
slaptest -u -F /etc/openldap/slapd.d #验证
chown -R ldap. /etc/openldap/slapd.d/ #修改属主

【安装OpenLDAP的数据库文件】
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG #拷贝
chown -R ldap. /var/lib/ldap/ #修改属主

【ldap启动】
systemctl enable slapd ##开机启动
systemctl start slapd ##启动
systemctl status slapd ##查看状态
systemctl stop slapd ##停止

【导入根域及管理员账号】
cd /root/
vim /root/root.ldif
########## /root/root.ldif #########
dn: dc=wangxing,dc=com
dc: wangxing
objectClass: top
objectClass: domain

dn: cn=Manager,dc=wangxing,dc=com
objectClass: organizationalRole
cn: Manager
########## /root/root.ldif end #########

##导入
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/root.ldif
or
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -w 123456 -x -f /root/root.ldif

##验证
ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W
ldapsearch -h 192.168.21.152 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -w 123456

【导入基础文件及用户和用户组】
vim /usr/share/migrationtools/migrate_common.ph
#########################修改域###################
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "wangxing.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=wangxing,dc=com";
#########################修改域 end ###################

/usr/share/migrationtools/migrate_base.pl > /root/base.ldif
vim /root/base.ldif
#####################导出基础文件###########
#dn: dc=wangxing,dc=com
#dc: wangxing
#objectClass: top
#objectClass: domain

dn: ou=People,dc=wangxing,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=wangxing,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

#####################导出基础文件 end###########

/usr/share/migrationtools/migrate_group.pl /etc/group > /root/group.ldif
vim /root/group.ldif
#####################导出基础用户组#############
dn: cn=root,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=yangsonglin,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: yangsonglin
userPassword: {crypt}x
gidNumber: 1104

#####################导出基础用户组 end#############

/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /root/user.ldif
vim /root/user.ldif
#####################导出基础用户 #############
dn: uid=root,ou=People,dc=wangxing,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$txtiODdi$.vh7v9XVnvY.FitsxEZRI6E3PZ1AwiAxaaxjCELkBqCiJfo9YbfFuxzK3UiJaqsIqyXrr5VdLFZ8AgRKr0T5a.
shadowLastChange: 17926
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=yangsonglin,ou=People,dc=wangxing,dc=com
uid: yangsonglin
cn: yangsonglin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17898
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1104
gidNumber: 1104
homeDirectory: /home/yangsonglin

#####################导出基础用户 end#############
##导入
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/base.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/group.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/user.ldif
or
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -w 123456 -x -f /root/base.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -w 123456 -x -f /root/group.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -w 123456 -x -f /root/user.ldif
##验证
ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W|grep dn
or
ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -w 123456|grep dn

【OpenLDAP客户端配置】
yum -y install openldap-clients
vim /etc/openldap/ldap.conf
#################################
TLS_CACERTDIR /etc/openldap/certs
URI ldap://test02
BASE dc=wangxing,dc=com
#################################
#验证
ldapsearch -D "cn=Manager,dc=wangxing,dc=com" -w 123456 |grep dn
#否则
ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -w 123456|grep dn

【OpenLDAP客户端SSSD配置】
##客户端节点中操作
yum -y install openldap-clients sssd authconfig nss-pam-ldapd
（在如下参数中--enableldaptls 如果OpenLDAP服务未启用TLS则将此参数修改为--disableldaptls）
authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --disableldaptls --disablekrb5 --ldapserver ldap://test02 --ldapbasedn "dc=wangxing,dc=com" --update

vim /etc/sssd/sssd.conf
#############################sssd.conf (没有启动TLS ldap_id_use_start_tls = False)
[domain/default]

autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=wangxing,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://test02
ldap_id_use_start_tls = False
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

#############################sssd.conf end
#修改权限
chmod 600 /etc/sssd/sssd.conf
systemctl start sssd #启动
systemctl enable sssd #开机启动
systemctl status sssd #状态

more /etc/passwd|grep wangxing
id wangxing

【OpenLdap与SSH集成】
vim /etc/ssh/sshd_config #查看 Userpam = yes

vim /etc/pam.d/sshd
########################### pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
session required pam_mkhomedir.so #加入此行后确保登录成功后创建用户的home目录
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
############################## pam.d/sshd end ########

vim /etc/pam.d/password-auth
#######################################password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok

password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
#######################################password-auth end ##########

vim /etc/pam.d/system-auth
######################################system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
#auth sufficient pam_ldap.so forward_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so