安装前配置
关闭防火墙(注意:这是为了简化安装而做的安全降级;生产环境建议保留 firewalld,只放行 389/tcp(ldap)和 636/tcp(ldaps)端口)
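# Stop firewalld for the running session and keep it off after reboot.
# These are two separate commands; the original had them collapsed onto one
# line, which would pass "systemctl disable firewalld" as extra unit names.
#
# NOTE(review): turning the host firewall off is a hardening regression. The
# less destructive option is to leave firewalld running and open only the
# LDAP ports, e.g.:
#   firewall-cmd --permanent --add-service=ldap    # 389/tcp
#   firewall-cmd --permanent --add-service=ldaps   # 636/tcp, once TLS is configured
#   firewall-cmd --reload
systemctl stop firewalld
systemctl disable firewalld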
关闭 SELinux(注意:生产环境建议改为 permissive(记录但不拦截)而不是彻底 disabled;disabled 会丢弃文件标签,之后再开启通常需要全盘重新打标)
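# Put SELinux into permissive mode for the running kernel (runtime only;
# does not survive a reboot)...
setenforce 0

# ...and make the change persistent by rewriting /etc/selinux/config.
# The /^SELINUX/ address also matches the SELINUXTYPE= line, which is harmless
# because that line never contains the word "enforcing".
#
# NOTE(review): "disabled" removes SELinux labelling altogether and re-enabling
# it later typically requires a full filesystem relabel. If the goal is only to
# keep SELinux from blocking slapd while you debug, "permissive" keeps the
# labels and the audit trail:
#   sed -i "/^SELINUX=/s/enforcing/permissive/" /etc/selinux/config
sed -i "/^SELINUX/s/enforcing/disabled/" /etc/selinux/config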
openldap server 安装
安装包说明
openldap: OpenLDAP服务端和客户端用的库文件 openldap-servers: 服务端程序 openldap-clients: 客户端程序 openldap-devel: 开发包,可选 openldap-servers-sql: 支持sql模块,可选 compat-openldap: OpenLDAP 兼容性库
安装软件包
注:目前通过 yum(CentOS 7 自带仓库)安装只能得到 2.4.44 版本;这是一个较旧的版本,安全修复依赖发行版回传,如需更新的版本需要使用其他仓库或自行编译。
[root@i-68nhrdjj ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm [root@i-68nhrdjj ~]# yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel
生成加密密码
[root@i-68nhrdjj ~]# cd /etc/openldap
[root@i-68nhrdjj openldap]# rm -rf slapd.d/*    ## 注意:这会清空已有的 slapd 动态配置,只适用于全新安装
[root@i-68nhrdjj openldap]# slappasswd          ## 生成管理员密码的加密哈希(默认 {SSHA})
New password:
Re-enter new password:
{SSHA}EcWIfkSYzvvfmlKRV1bTnHCFU+xtM1ZQ          ## 保存好,后面会使用(此处只是示例值,请使用你自己生成的哈希)
配置 slapd.ldif
[root@i-68nhrdjj ~]# cp /usr/share/openldap-servers/slapd.ldif /etc/openldap/ [root@i-68nhrdjj ~]# find /etc/openldap/schema/ -type f -name "*.ldif" /etc/openldap/schema/collective.ldif /etc/openldap/schema/corba.ldif /etc/openldap/schema/core.ldif /etc/openldap/schema/cosine.ldif /etc/openldap/schema/duaconf.ldif /etc/openldap/schema/dyngroup.ldif /etc/openldap/schema/inetorgperson.ldif /etc/openldap/schema/java.ldif /etc/openldap/schema/misc.ldif /etc/openldap/schema/nis.ldif /etc/openldap/schema/openldap.ldif /etc/openldap/schema/pmi.ldif /etc/openldap/schema/ppolicy.ldif
- 放在如下位置
[root@i-68nhrdjj openldap]# vim /etc/openldap/slapd.ldif include: file:///etc/openldap/schema/core.ldif include: file:///etc/openldap/schema/collective.ldif include: file:///etc/openldap/schema/corba.ldif include: file:///etc/openldap/schema/cosine.ldif include: file:///etc/openldap/schema/duaconf.ldif include: file:///etc/openldap/schema/dyngroup.ldif include: file:///etc/openldap/schema/inetorgperson.ldif include: file:///etc/openldap/schema/java.ldif include: file:///etc/openldap/schema/misc.ldif include: file:///etc/openldap/schema/nis.ldif include: file:///etc/openldap/schema/openldap.ldif include: file:///etc/openldap/schema/pmi.ldif include: file:///etc/openldap/schema/ppolicy.ldif
- 配置管理员用户
[root@i-68nhrdjj openldap]# vim /etc/openldap/slapd.ldif
olcSuffix: dc=hebye,dc=com
olcRootDN: cn=admin,dc=hebye,dc=com    #管理用户
olcRootPW: {SSHA}z5YYHEO0yiu6twspLjuJjFGvgqBxmT4w    #添加一行,填入上面 slappasswd 生成的加密密码(注意:本例中的哈希与上一步显示的不同,两者都只是演示值;必须填入你自己生成的那一条)
注意:slapadd 导入之后 /etc/openldap/slapd.ldif 中仍然保留着 RootPW 哈希,而 cp 出来的文件通常是 0644 权限;建议导入后 chmod 600 该文件或直接删除,避免本机其他用户读取哈希后离线破解。
[root@i-68nhrdjj ~]# cd /etc/openldap/ [root@i-68nhrdjj openldap]# slapadd -n 0 -F slapd.d -l slapd.ldif _#################### 100.00% eta none elapsed none fast! Closing DB... [root@i-68nhrdjj openldap]# chown -R ldap:ldap slapd.d [root@i-68nhrdjj openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@i-68nhrdjj openldap]# chown -R ldap:ldap /var/lib/ldap [root@i-68nhrdjj openldap]# systemctl start slapd && systemctl status slapd ● slapd.service - OpenLDAP Server Daemon Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2022-07-14 10:42:39 CST; 3ms ago Docs: man:slapd man:slapd-config man:slapd-hdb man:slapd-mdb file:///usr/share/doc/openldap-servers/guide.html Process: 2533 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) Process: 2518 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS) Main PID: 2537 (slapd) CGroup: /system.slice/slapd.service └─2537 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// Jul 14 10:42:39 i-68nhrdjj systemd[1]: Starting OpenLDAP Server Daemon... Jul 14 10:42:39 i-68nhrdjj runuser[2521]: pam_unix(runuser:session): session opened for user ldap by (uid=0) Jul 14 10:42:39 i-68nhrdjj runuser[2521]: pam_unix(runuser:session): session closed for user ldap Jul 14 10:42:39 i-68nhrdjj slapd[2533]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $ mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd Jul 14 10:42:39 i-68nhrdjj slapd[2533]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions. Jul 14 10:42:39 i-68nhrdjj slapd[2537]: slapd starting Jul 14 10:42:39 i-68nhrdjj systemd[1]: Started OpenLDAP Server Daemon. 
[root@i-68nhrdjj openldap]# systemctl enable slapd Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Openldap配置
配置基本域
[root@i-68nhrdjj openldap]# mkdir /root/ldif [root@i-68nhrdjj openldap]# cd /root/ldif [root@i-68nhrdjj ldif]# vim config_init.ldif dn: dc=hebye,dc=com objectclass: dcObject objectclass: organization o: aishangwei dc: hebye [root@i-68nhrdjj ldif]# ldapadd -x -D "cn=admin,dc=hebye,dc=com" -W -f config_init.ldif Enter LDAP Password: adding new entry "dc=hebye,dc=com"
查询域
[root@i-68nhrdjj ldif]# ldapsearch -x -b 'dc=hebye,dc=com' '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=hebye,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# hebye.com
dn: dc=hebye,dc=com
objectClass: dcObject
objectClass: organization
o: aishangwei
dc: hebye

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
(注意:上面这条 -x 查询是匿名简单绑定,在下文"取消匿名用户登录"之后会被拒绝,需要改用 -D/-W 指定账号。)
[root@i-68nhrdjj ldif]# ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
(原文中的 –Q 是全角短横线,应为 -Q;加上 -Q 之后上面三行 SASL 提示不会再显示。)
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}collective,cn=schema,cn=config
dn: cn={2}corba,cn=schema,cn=config
dn: cn={3}cosine,cn=schema,cn=config
dn: cn={4}duaconf,cn=schema,cn=config
dn: cn={5}dyngroup,cn=schema,cn=config
dn: cn={6}inetorgperson,cn=schema,cn=config
dn: cn={7}java,cn=schema,cn=config
dn: cn={8}misc,cn=schema,cn=config
dn: cn={9}nis,cn=schema,cn=config
dn: cn={10}openldap,cn=schema,cn=config
dn: cn={11}pmi,cn=schema,cn=config
dn: cn={12}ppolicy,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
[root@i-68nhrdjj ldif]# ldapsearch -h 192.168.1.3 -b "dc=hebye,dc=com" -D "cn=admin,dc=hebye,dc=com" -W |grep dn
Enter LDAP Password:
dn: dc=hebye,dc=com
注意:这条命令通过明文 ldap://(389)向 192.168.1.3 做简单绑定,管理员密码会以明文在网络上传输;slapd 目前只监听 ldapi:/// 和 ldap:///,没有启用 TLS。任何跨主机的绑定都应在配置好证书后改用 ldaps:// 或 StartTLS(ldapsearch -ZZ),并相应放开 636 端口。
取消匿名用户登录
OpenLDAP 默认允许匿名访问:在没有自定义 ACL 的情况下,匿名用户可以完整读取目录中的用户、组等信息(如果未配置任何 access 规则,默认规则是 `to * by * read`,甚至 userPassword 哈希也可能被读出)。
从安全的角度考虑,这种情况是不被允许的,所以我们要取消openldap的匿名访问功能。
要取消 OpenLDAP 的匿名访问功能,操作方法也比较简单:只需要把以下 LDIF 导入 cn=config 即可,无需重启 slapd 即时生效。注意两点:一是禁止匿名绑定之后,依赖匿名绑定做用户查询的客户端(例如未配置 bind DN 的 sssd/nslcd)会无法工作,需要给它们配置专用的绑定账号;二是后文 userPassword ACL 里的 `by anonymous auth` 仍然要保留,因为简单绑定校验密码时就是以匿名身份申请 auth 权限的。
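# LDIF that turns off anonymous access:
#   - cn=config / olcDisallows: bind_anon  -> refuse anonymous binds
#   - cn=config / olcRequires: authc       -> every operation needs an
#                                             authenticated session
#   - frontend database / olcRequires: authc -> same, applied to all backends
# Entries must be separated by blank lines; the original had the whole LDIF
# collapsed onto one line. The quoted 'EOF' stops the shell from expanding
# anything inside the LDIF.
cat > /root/disable_anon.ldif << 'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

# Apply over the local ldapi socket with SASL/EXTERNAL: root's uid/gid is
# mapped to the cn=config admin, so no password crosses the wire. ldapmodify
# is the natural tool for a "changetype: modify" LDIF (the original used
# ldapadd, which is ldapmodify -a and only worked because the explicit
# changetype overrides the add). The change takes effect immediately.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "cn=config"
#   modifying entry "cn=config"
#   modifying entry "olcDatabase={-1}frontend,cn=config"
#
# NOTE(review): once bind_anon is disallowed, clients that rely on an anonymous
# bind to look up users (e.g. sssd/nslcd with no bind DN configured) stop
# working and need credentials of their own.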
- 查看配置文件
[root@i-68nhrdjj ldif]# cat /etc/openldap/slapd.d/cn\=config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 500818b7 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcPidFile: /var/run/openldap/slapd.pid olcTLSCACertificatePath: /etc/openldap/certs olcTLSCertificateFile: "OpenLDAP Server" olcTLSCertificateKeyFile: /etc/openldap/certs/password structuralObjectClass: olcGlobal entryUUID: 2dd9da5e-9769-103c-9ecc-01387f137b99 creatorsName: cn=config createTimestamp: 20220714023407Z olcDisallows: bind_anon olcRequires: authc ##取消匿名登陆 entryCSN: 20220714025608.860841Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20220714025608Z
- 开启openldap日志功能
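# Raise slapd's log level to "stats": connections, operations and results
# (bind DNs, search filters, result codes) are logged; passwords are not.
cat > /root/loglevel.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
# olcLogLevel is a dynamic attribute: this takes effect without a restart.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

# slapd writes to the local4 syslog facility by default; route it to its own
# file. Guarded so re-running the step does not append a duplicate rule.
if ! grep -q '^local4\.\* */var/log/slapd\.log' /etc/rsyslog.conf; then
  printf '%s\n' 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
fi
systemctl restart rsyslog
# Not strictly needed for the log-level change (see above); kept so the new
# log file starts with a clean "slapd starting" banner.
systemctl restart slapd

# NOTE(review): the resulting log contains bind DNs and search filters, which
# are worth protecting. Check the file mode rsyslog creates it with (its
# default is typically 0644) and add a logrotate entry for /var/log/slapd.log
# so it does not grow unbounded.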
- 允许普通用户修改自己的密码
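# ACLs for the {2}hdb database (run from /root/ldif; the LDIF path is relative).
#
#   to attrs=userPassword by self =xw by anonymous auth by * none
#     - the entry's own identity may authenticate with and overwrite its
#       password, but never read it back (=xw is exactly auth+write);
#     - "by anonymous auth" is what lets a simple bind verify the password and
#       is still required after bind_anon has been disallowed;
#     - everyone else gets nothing.
#   to * by self write by users read by * none
#     - users may modify their own entry and read everyone else's;
#       unauthenticated sessions see nothing.
#
# The original had the LDIF collapsed onto one line; the quoted 'EOF' keeps
# the shell from expanding anything inside it.
cat > updatepass.ldif << 'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: to * by self write by users read by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "olcDatabase={2}hdb,cn=config"
#
# NOTE(review):
#  * "add: olcAccess" appends; slapd evaluates ACLs first-match, so any rule
#    already present on {2}hdb would sit in front of these. The stock CentOS 7
#    slapd.ldif does not appear to define one for this database, but verify:
#      ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config' olcAccess
#  * "by self write" on "to *" is broader than the section title suggests: if
#    these entries are later used for POSIX logins (nis schema is loaded), a
#    user could rewrite attributes such as uidNumber/gidNumber/homeDirectory
#    on their own entry. Narrow it to the attributes users really need.
#  * Users should change passwords with ldappasswd (the Password Modify
#    extended operation), which hashes server-side per olcPasswordHash
#    (default {SSHA}); writing userPassword directly via ldapmodify stores the
#    value as given, i.e. in clear text unless the client hashes it.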