[LDAP Study] OpenLDAP Study Notes

Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/

Features:

1. Centralized directory of useful information (user accounts, contacts, mail info, etc.)
  a. Provides a Directory Information Tree (DIT) - hierarchy of data (resembles DNS)
  a1. DNS provides a top-level '.', which is the root of the hierarchy
  a2. DNS provides sub-level containers. i.e. '.com', '.net', '.co.uk', etc.
  b. Objects within the directory are unique and may have attributes (fields)
Note: LDAP DIT typically resembles: domain(DC) then OUs
2. Optimized for Reads
  a. You certainly can write to LDAP objects
3. Redundant Configuration
  a. Primary, secondary, tertiary, etc. servers
  b. Writes take place on the 'primary' and changes are replicated to one or more partners
4. Namespace is similar to DNS: i.e. dc=linuxcbt,dc=internal DNS(linuxcbt.internal)
5. Supports encryption of otherwise clear-text authentication via LDAPS - TCP:636
6. Supports StartTLS over regular TCP:389 LDAP port - secures entire connection
7. Extensible - supports many attributes via schemas - /etc/openldap/schema
8. Data storage is independent of LDAP: default is DBM
9. Provides various tools: slap*(offline|back-end) - use when LDAP is NOT running
10. Provides various tools: ldap*(online|daily admin)
11. Separates binaries for: LDAP daemon (slapd) and replication (slurpd)


Basic LDAP concepts:

1. Distinguished Names (DNs)
a. Each LDAP object has a DN within the DIT
Note: This facilitates a hierarchy, which allows duplicate names in unique containers
2. Object Class
a. Defines the type of an object and the attributes it may carry
b. Instances of schema group: i.e. ou=people is an instance of Organizational Unit group
c. dc = object class for the top-level domain: i.e. dc=linuxcbt,dc=internal
3. Schemas - /etc/openldap/schema
a. Schemas define the supported object classes and attributes
Note: Schema defines the permissible object classes and attributes
Note: An object class consists of one or more attributes
Note: Attributes are fields
4. Attributes - Fields
a. Supports single/multiple values, depending on the schema definition
b. Attributes store values like variables in scripting/programming languages
i.e. 'dc=linuxcbt,dc=internal' defines the attribute naming the domain
i.e. 'dn: uid=linuxcbt,ou=people,dc=linuxcbt,dc=internal'
i.e. RootDN - /etc/openldap/slapd.conf - name of user allowed to write to the DIT
Note: 'RootDN' defaults to: 'cn=Manager,dc=linuxcbt,dc=internal'
5. PAM - authenticates users on behalf of calling application - supports LDAP
6. Name Service Switch (NSS) - used by applications to find common Unix databases: /etc/{passwd,shadow,group,hosts,services,protocols,etc}
7. Both PAM & NSS work in conjunction to authenticate using LDAP (/etc/ldap.conf)


Configuring OpenLDAP on SuSE:

1. Explore current auth environment
a. connect to remote vanilla SUSE system (linuxcbtsuse2)
b. less /etc/nsswitch.conf (this file will be updated to use LDAP)
2. Setup LDAP Environment
a. Install 'openldap2*' RPMs
b. Requires 'db42' RPM - Berkeley DB
Note: Use package manager (YaST) to auto-resolve dependencies
c. Explore 'openldap2*' RPMs - rpm -qa | grep -i ldap
d. rpm -ql openldap2
/etc/init.d/ldap - run-script (start|stop|restart|reload) - LDAP server
/usr/sbin/rcldap - SUSE-specific run script for SLAPD
/etc/init.d/slurpd - run-script for the replication daemon
/usr/sbin/rcslurpd - SUSE-specific run script for SLURPD
/etc/openldap/schema - top-level schema container
/etc/openldap/slapd.conf - LDAP server config. file
/usr/sbin/slap* - offline admin commands
/var/lib/ldap - DB container
e. rpm -ql openldap2-client - contains client utilities
/etc/openldap/ldap.conf - primary config file for LDAP online clients
/usr/bin/ldap* - key LDAP online clients

f. Explore and configure /etc/openldap/* environment
g. Update /etc/openldap/slapd.conf
Update: suffix          "dc=my-domain,dc=com"
TO: suffix          "dc=linuxcbt,dc=internal"
###Super-User Info###
#rootdn          "cn=Manager,dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=linuxcbt,dc=internal"
#rootpw          secret
rootpw          abc123
Note: 'Manager' from "cn=Manager,dc=linuxcbt,dc=internal" is case-insensitive
h. Ensure that PAM and NSS support is installed
Use 'YaST' to install the 2 packages
i. Ensure that LDAP clients are properly configured
yast
j. Start LDAP server - 'rcldap start'
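The slapd.conf fragments in this walkthrough store the Manager password in clear text (rootpw abc123) and, in the replica block further down, ship the same password to the slave with tls=no. The Python below is an added example, not the notes' own configuration or OpenLDAP code: it parses classic slapd.conf directives (joining the indented continuation lines of a replica block the way slapd does), flags those weak settings, and builds or verifies {SSHA} values so the rootpw line can hold a salted hash instead. Assumptions: {SSHA} is the salted SHA-1 scheme slappasswd emits (base64 of sha1(password + salt) followed by the salt), the sample config is a constructed copy of the notes' lines, and the file mode is passed in by the caller.

```python
# Added example (not from the notes or the OpenLDAP project): audit a slapd.conf
# for the weak settings this walkthrough uses, and produce/verify {SSHA} rootpw
# values so the password never has to sit in the file in clear text.
# Assumptions: classic slapd.conf directive syntax as shown in the notes; {SSHA}
# is the salted-SHA1 scheme slappasswd emits (base64 of sha1(pw+salt) || salt).
import base64
import hashlib
import os
from typing import List, Optional, Tuple

# Constructed copy of the slapd.conf fragments from the notes.
WEAK_CONF = """\
suffix          "dc=linuxcbt,dc=internal"
rootdn          "cn=Manager,dc=linuxcbt,dc=internal"
rootpw          abc123
replogfile      /var/lib/ldap/slapd.replog
replica host=linuxcbtserv4.linuxcbt.internal:389
    suffix=dc=linuxcbt,dc=internal
    binddn="cn=Manager,dc=linuxcbt,dc=internal"
    credentials=abc123
    bindmethod=simple
    tls=no
"""


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value suitable for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (offline, no slapd needed)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Flatten slapd.conf into (directive, argument) pairs.

    Lines that start with whitespace continue the previous directive; that is
    how slapd reads the indented replica block.
    """
    directives: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and directives:
            name, arg = directives[-1]
            directives[-1] = (name, arg + " " + line.strip())
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_slapd_conf(text: str, mode: int = 0o640) -> List[str]:
    """Return the findings a reviewer would raise; `mode` is the file's permission bits."""
    findings = []
    for name, arg in parse_slapd_conf(text):
        if name == "rootpw" and (not arg.startswith("{") or arg.startswith("{CLEARTEXT}")):
            findings.append("rootpw is stored in clear text; use a {SSHA} value from slappasswd")
        elif name == "replica":
            # Split 'key=value' tokens; partition keeps the '=' inside suffix/binddn values.
            opts = dict(tok.partition("=")[::2] for tok in arg.split())
            host = opts.get("host", "?")
            if opts.get("bindmethod") == "simple" and opts.get("tls", "no") not in ("yes", "critical"):
                findings.append(f"replica {host}: simple bind with tls={opts.get('tls', 'no')} "
                                "sends the Manager password in clear text; set tls=yes")
            if "credentials" in opts and mode & 0o004:
                findings.append(f"replica {host}: credentials are in a world-readable file; "
                                "use mode 0640 owned by root:ldap")
    return findings


# The same config after fixing the findings (fixed salt so the value is stable).
HARDENED_CONF = WEAK_CONF.replace("abc123\n", ssha_hash("abc123", b"\x00\x01\x02\x03") + "\n", 1) \
                         .replace("tls=no", "tls=yes")
```

Running audit_slapd_conf(WEAK_CONF, mode=0o644) yields three findings (clear-text rootpw, clear-text replica bind, world-readable credentials); HARDENED_CONF with mode 0o640 yields none. The value returned by ssha_hash is exactly what goes after rootpw in slapd.conf, and ssha_verify lets you confirm a hash offline before restarting the server.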


Important programs and commands

/usr/bin/ldapadd - used to add objects to DIT
/usr/bin/ldapcompare - used to compare
/usr/bin/ldapdelete - used to delete
/usr/bin/ldapexop - export
/usr/bin/ldapmodify - modify|add|delete
/usr/bin/ldapmodrdn - modifies relative DN
/usr/bin/ldappasswd - changes one's password
/usr/bin/ldapsearch - used to search the Directory Information Tree (DIT)
/usr/bin/ldapwhoami - used to return the current user


Basic LDAP operations: search and create:

###Search the DIT###
Two ways to search:
1. 'ldapsearch' - included with openldap2-client* RPM
2. LDAP Browser GUI in YaST
###LDAPSEARCH###
ldapsearch -x -b "dc=linuxcbt,dc=internal" "(objectclass=*)" - performs anonymous search for any object in the DIT
###LDAP BROWSER###
YaST -> Network Services -> LDAP Browser
Authenticate using: rootDN (Administrator DN)

###DIT Creation###
Task: Create a DIT which resembles our drawing
1. Create Root OU (Container) (DC) - using a pre-defined LDIF file - build_root_ou.ldif
a. ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -W -x -f build_root_ou.ldif
2. Create organizational units: people, engineering, sales
a. ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -W -x -f Add_3_OUs.ldif
3. Create some users
Note: Users are based on: objectclass: inetOrgPerson
a. ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -W -x -f first_user_add.ldif
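The LDIF files named in these three steps (build_root_ou.ldif, Add_3_OUs.ldif, first_user_add.ldif) are not reproduced in the notes. The Python below is an added example, not the author's files, that generates equivalent add records for the root entry, the three OUs and an inetOrgPerson user, and refuses to emit an entry missing an attribute its object classes require (the same rejection slapd would return on ldapadd). Assumptions: the root entry uses dcObject plus organization, which is the usual pairing for a dc= suffix; users are named by cn under their OU, matching the DNs used later in the notes; values that break the LDIF safe-string rule are written base64-encoded with '::'.

```python
# Added example (not the notes' own LDIF files, whose contents are not shown):
# generate the add-LDIF for the root entry, the three OUs and an inetOrgPerson
# user, checking each entry carries the attributes its object classes require.
# Assumptions: the root entry uses dcObject+organization (the usual choice for a
# dc= suffix), users are named by cn under an OU, and values follow the LDIF
# safe-string rule (anything else is written base64 with '::').
import base64
from typing import Dict, List

BASE_DN = "dc=linuxcbt,dc=internal"

# MUST attributes for the object classes used here (from the core/inetOrgPerson schemas).
REQUIRED_ATTRS = {
    "dcObject": ("dc",),
    "organization": ("o",),
    "organizationalUnit": ("ou",),
    "inetOrgPerson": ("cn", "sn"),
}

Entry = Dict[str, List[str]]


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute; fall back to base64 when the value is not LDIF-safe."""
    safe = (value.isascii() and value == value.strip() and "\n" not in value
            and not value.startswith((":", "<")))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def validate(entry: Entry) -> None:
    """Refuse to emit an entry that slapd would reject for a missing MUST attribute."""
    for object_class in entry.get("objectClass", []):
        for attr in REQUIRED_ATTRS.get(object_class, ()):
            if not entry.get(attr):
                raise ValueError(f"objectClass {object_class} requires attribute {attr}")


def to_ldif(dn: str, entry: Entry) -> str:
    """One LDIF record, ready for 'ldapadd -x -D <rootdn> -W -f file.ldif'."""
    validate(entry)
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def root_entry(base_dn: str = BASE_DN) -> str:
    """The suffix entry itself, which must exist before any OU can be added."""
    first_dc = base_dn.split(",")[0].split("=", 1)[1]
    return to_ldif(base_dn, {"objectClass": ["dcObject", "organization"],
                             "dc": [first_dc], "o": [first_dc]})


def ou_entries(names: List[str], base_dn: str = BASE_DN) -> str:
    """Records for several OUs, separated by the blank line LDIF requires."""
    return "\n".join(to_ldif(f"ou={name},{base_dn}",
                             {"objectClass": ["organizationalUnit"], "ou": [name]})
                     for name in names)


def user_entry(cn: str, sn: str, ou: str, base_dn: str = BASE_DN, **extra: str) -> str:
    """An inetOrgPerson under the given OU; extra keyword args become attributes."""
    entry: Entry = {"objectClass": ["inetOrgPerson"], "cn": [cn], "sn": [sn]}
    for attr, value in extra.items():
        entry[attr] = [value]
    return to_ldif(f"cn={cn},ou={ou},{base_dn}", entry)
```

Write root_entry(), then ou_entries(["people", "engineering", "sales"]), then user_entry("LinuxCBT1", "User", "people", mail="linuxcbt1@linuxcbt.internal") to three files and feed each to the ldapadd command shown above; the order matters because a parent entry must exist before its children.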


Configuring LDAP replication:

Note: replication here means the master LDAP server's data is copied to the slave LDAP server.

###Replication###
Replication model permits changes only on the master server
Requires: LDAP (OpenLDAP) on all participating systems
RedHat Requirements:
1. OpenLDAP RPMs are installed - openldap*, nss_ldap*(includes PAM support)
nss_ldap RPM uses - /etc/ldap.conf
Steps to replication (regardless of distribution):
1. Stop master LDAP server 'rcldap stop' /etc/init.d/ldap stop - takes offline
2. Export the contents of the primary(master server) (DIT) to an LDIF file
  Note: When the LDAP server is NOT running, use offline(slap*) tools
  a. slapcat -b "dc=linuxcbt,dc=internal" -l linuxcbt.internal.ldif - perform on master
3. Update slapd.conf on the master(primary) server to support replication
  a.
replogfile /var/lib/ldap/slapd.replog
replica host=linuxcbtserv4.linuxcbt.internal:389
    suffix=dc=linuxcbt,dc=internal
    binddn="cn=Manager,dc=linuxcbt,dc=internal"
    credentials=abc123
    bindmethod=simple
    tls=no
4. Copy and import DIT on slave server
  a. scp linuxcbt.internal.ldif linuxcbtserv4:ldap/
  b. Update DC information in slave server's: /etc/openldap/slapd.conf
   Rootdn "cn=Manager,dc=linuxcbt,dc=internal"
   Rootpw abc123
   updatedn "cn=Manager,dc=linuxcbt,dc=internal"
   updateref ldap://linuxcbtsuse2.linuxcbt.internal
  c. slapadd -l linuxcbt.internal.ldif
  d. Ensure that DB files in: /var/lib/ldap are owned by 'ldap.ldap'
5. Update slapd.conf on the slave(secondary) server
6. Update /etc/hosts on both machines
  a. Master
  b. Slave
7. start slapd(LDAP process) on the slave(secondary/replica) server
   a. (RedHat 5) 'service ldap start' OR /etc/init.d/ldap start
  Note: Ensure that: /etc/openldap/slapd.conf is 'r' by 'ldap' group
8. start slapd(LDAP process) on the master(primary) server
   a. /etc/init.d/ldap start OR 'rcldap start'
   b. ps -ef | grep -i ldap
9. start slurpd(replication daemon) on the master(primary server)
   a. rcslurpd start (important replication process)
10. Ensure that services are set to start when the system reboots
  a. chkconfig --list ldap
  b. chkconfig ldap on
  c. chkconfig --list slurpd
  d. chkconfig slurpd on
###Confirm LDAP records on Primary and Secondary systems###
Task:
1. Use 'ldapsearch' to confirm the existence of records on both systems
  a. 'ldapsearch -x -b "dc=linuxcbt,dc=internal" "(objectclass=*)"'
  b. 'ldapsearch -x -b "dc=linuxcbt,dc=internal" "(objectclass=*)" -h linuxcbtserv4'
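Comparing two ldapsearch dumps by eye does not scale past a handful of entries. The Python below is an added example, not part of the notes, that compares the LDIF exports taken with slapcat on the master and on the replica (the offline tool from step 2) and reports entries missing on the replica, entries only the replica has, and entries whose attributes differ. Assumptions: slapcat writes plain LDIF (attr: value, attr:: base64, continuation lines starting with a space); the operational attributes listed in the code are skipped because each server maintains its own; the two sample exports are constructed for the example.

```python
# Added example (not from the notes): compare the LDIF exports taken from the
# master and the replica with 'slapcat -b <suffix> -l file.ldif' and report what
# the replica is missing, what it has extra, and which entries differ.
# Assumptions: slapcat output in plain LDIF (attr: value / attr:: base64 /
# leading-space continuation lines); the operational attributes listed below are
# skipped because slapd maintains them per server.
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Per-server bookkeeping attributes that legitimately differ between replicas.
OPERATIONAL = {"entryuuid", "entrycsn", "contextcsn", "creatorsname", "createtimestamp",
               "modifiersname", "modifytimestamp", "structuralobjectclass"}


def _normalize_dn(dn: str) -> str:
    """DNs are case-insensitive and may carry spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF entry records into {normalized_dn: {attr: [values]}}."""
    entries: Dict[str, Entry] = {}
    record: List[str] = []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith(" ") and record:     # folded continuation line
            record[-1] += raw[1:]
            continue
        if raw.strip():
            record.append(raw)
            continue
        if not record:
            continue
        dn, attrs = None, {}
        for line in record:
            if line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # '::' means base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = _normalize_dn(value)
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries[dn] = attrs
        record = []
    return entries


def _comparable(entry: Entry) -> Dict[str, List[str]]:
    return {a: sorted(v) for a, v in entry.items() if a not in OPERATIONAL}


def diff_exports(master_ldif: str, replica_ldif: str) -> Dict[str, List[str]]:
    """Report replication drift between two slapcat exports."""
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    return {
        "missing_on_replica": sorted(set(master) - set(replica)),
        "extra_on_replica": sorted(set(replica) - set(master)),
        "differing": sorted(dn for dn in set(master) & set(replica)
                            if _comparable(master[dn]) != _comparable(replica[dn])),
    }


# Constructed sample exports: the replica lacks LinuxCBT2 and has a stale mail
# value for LinuxCBT1; entryCSN differs on purpose and is ignored.
MASTER_EXPORT = """\
dn: dc=linuxcbt,dc=internal
objectClass: dcObject
objectClass: organization
dc: linuxcbt
o: linuxcbt
entryCSN: 20121209141700.000001Z#000000#000#000000

dn: ou=people,dc=linuxcbt,dc=internal
objectClass: organizationalUnit
ou: people

dn: cn=LinuxCBT1,ou=people,dc=linuxcbt,dc=internal
objectClass: inetOrgPerson
cn: LinuxCBT1
sn: User
mail: linuxcbt1@linuxcbt.internal
description:: IGxlYWRpbmcgc3BhY2U=

dn: cn=LinuxCBT2,ou=people,dc=linuxcbt,dc=internal
objectClass: inetOrgPerson
cn: LinuxCBT2
sn: User
"""

REPLICA_EXPORT = """\
dn: dc=linuxcbt,dc=internal
objectClass: dcObject
objectClass: organization
dc: linuxcbt
o: linuxcbt
entryCSN: 20121209141800.000002Z#000000#000#000000

dn: ou=people, dc=linuxcbt, dc=internal
objectClass: organizationalUnit
ou: people

dn: cn=LinuxCBT1,ou=people,dc=linuxcbt,dc=internal
objectClass: inetOrgPerson
cn: LinuxCBT1
sn: User
mail: old@linuxcbt.internal
description:: IGxlYWRpbmcgc3BhY2U=
"""
```

In practice you read the two files slapcat wrote on each host (after scp), pass their contents to diff_exports, and treat a non-empty "missing_on_replica" or "differing" list as a replication failure to investigate before trusting the replica for authentication.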


Configuring LDAP on Solaris 10

Task:
1. Download and install required packages from: sunfreeware.com
  a. pkgadd -d 'package_name (gunzipped)'
Note: slurpd is currently being deprecated, but you should still understand how to configure it
Note: Config files are located beneath: /usr/local/etc/openldap
Note: 'slapd' is located in: /usr/local/libexec
2. Configure Solaris as a replica
  a. Update slapd.conf on the master server - copy 'replica' block and rename for new server
  b. Update slapd.conf on the slave server - copy changes from existing replica server and modify to match the Solaris system
  c. update: /etc/hosts on Solaris system to be able to find the master LDAP server
  d. Export current DIT:
Note: Stop LDAP server (master) first
slapcat -b "dc=linuxcbt,dc=internal" -l linuxcbt.internal.ldif - perform on master
  e. Import DIT on Solaris system
   e1. 'scp linuxcbt.internal.ldif linuxcbtsun1:ldap/'
   e2. 'slapadd -l linuxcbt.internal.ldif'
  f. Start SLAPD on Solaris
   f1. /usr/local/libexec/slapd
  g. Start slapd and slurpd


Common LDAP operations: add, delete, modify, search

###LDAPADD###
Features:
1. Facilitates the addition of objects to the DIT
2. 'ldapadd' is a symlink to 'ldapmodify -a'
Note: 'ldapmodify' performs the same functions as 'ldapadd'
3. Default invocation reads attributes from STDIN
Tasks:
1. Add user 'LinuxCBT1' to remaining OUs
  a. 'ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W' - prompts on STDIN for value(s)
Note: If you try to add a duplicate user, the DIT will deny the entry
  b. supply LDIF info for creation of user object on STDIN
  c. execute 'CTRL-D' when complete
  d. confirm results with ldapsearch
2. Add users 'LinuxCBT3,LinuxCBT4,LinuxCBT5' to the DIT, wholesale, via STDIN from slave server
  a. 'ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W' - prompts on STDIN for value(s)
Note: The slave server auto-redirected the 'ldapadd' request to the primary server
Note: updateref ldap://linuxcbtsuse2.linuxcbt.internal - this /etc/openldap/slapd.conf entry caused the 'ldapadd' write request to be redirected to the DIT master (linuxcbtsuse2)
Note: ldapsearch -x -b "dc=linuxcbt,dc=internal" "(objectclass=*)" -h linuxcbtsuse2 - forces 'ldapsearch' to query the DIT master
3. Use LDAP Browser to view DIT and to make changes
Note: LDAP Browser is an easy way to learn the attributes supported by various schemas
4. Add 5 users to 2 OUs (Engineering & Sales) via text file
  a. ldapadd -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -h linuxcbtsuse2 -f Add_5_Users_to_Engineering_and_Sales_OUs.ldif
5. Confirm results using:
  a. ldapsearch
  b. LDAP Browser
###LDAP Delete###
Features:
1. A means to remove DIT objects
Usage:
Tasks:
1. Delete an object from the command line
a. ldapdelete -D "cn=Manager,dc=linuxcbt,dc=internal" -W -h linuxcbtsuse2 -v "DN_to_Delete"
b. ldapdelete -D "cn=Manager,dc=linuxcbt,dc=internal" -W -h linuxcbtsuse2 -v "cn=LinuxCBT5,ou=sales,dc=linuxcbt,dc=internal" -x
2. Delete objects wholesale from: ou=sales,dc=linuxcbt,dc=internal - via STDIN
Note: Delete using the 'DN' of an object
3. Delete non-existing and existing items
Note: Default behavior of LDAP online tools is to abort at the step that fails
ldapdelete -D "cn=Manager,dc=linuxcbt,dc=internal" -W -h linuxcbtsuse2 -v "cn=LinuxCBT5,ou=sales,dc=linuxcbt,dc=internal" -x -c
Note: '-c' option continues even if errors are encountered
4. Delete remaining OUs and objects via file
a. ldapdelete -D "cn=Manager,dc=linuxcbt,dc=internal" -W -h linuxcbtsuse2 -v "ou=people,dc=linuxcbt,dc=internal" -x
b. ldapdelete -D "cn=Manager,dc=linuxcbt,dc=internal" -W -h linuxcbtsuse2 -v "cn=LinuxCBT5,ou=sales,dc=linuxcbt,dc=internal" -x -c -f Delete_Remaining_Items.ldif
Note: use '-v' to run the 'ldap*' commands in verbose mode
###LDAPMODIFY###
Features:
1. Functionality found in:
  a. ldapadd
  b. ldapdelete
  c. ldapmodify
2. Manipulates objects in DIT
Tasks:
1. Rebuild the DIT - create top-level OUs and users/OUs
  a. ldapmodify -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -a -v -f Add_3_OUs.ldif
  b. ldapmodify -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -a -v -f filename.ldif -h primary_LDAP_server
2. Modify Attributes
  a. ldapmodify -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -h linuxcbtsuse2 -v -f
Note: It's easier to reference modification changes via text file, than on the command-line
3. Delete Items
  a. ldapmodify -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -v -f modify_delete*ldif
Note: Simply update 'changetype' in supplied file to: 'delete'
  b. ldapmodify -D "cn=Manager,dc=linuxcbt,dc=internal" -x -W -v -c -f Add_5_*
This will ignore errors by continuing
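The ldapmodify and ldapdelete tasks above all come down to LDIF change records and to whether the client stops at the first failure or continues with -c. The Python below is an added example, not the notes' files or OpenLDAP code: it builds the 'changetype: modify' (add/replace/delete with the '-' separator) and 'changetype: delete' records, and applies a list of such changes to a constructed in-memory copy of the DIT so the server-side rules are visible without a server: a modify either applies completely or not at all, a non-leaf entry cannot be deleted, and a run aborts at the first failing record unless continue_on_error (the -c behaviour) is set. The DIT contents, and the function names apply_change and run_changes, are this example's own; the error names and numbers in the messages are the LDAP result codes the server would return.

```python
# Added example (not from the notes): build the change records ldapmodify reads
# (changetype: modify with add/replace/delete, changetype: delete) and apply them
# to an in-memory copy of the DIT so the semantics are visible without a server.
# The DIT contents are constructed; apply_change/run_changes are this example's own.
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, List[str]]
Dit = Dict[str, Entry]
Op = Tuple[str, str, Sequence[str]]        # ("add"|"replace"|"delete", attr, values)


def modify_record(dn: str, ops: Sequence[Op]) -> str:
    """LDIF 'changetype: modify' record; each op ends with the '-' separator."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {value}" for value in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def delete_record(dn: str) -> str:
    """LDIF 'changetype: delete' record, the file form of ldapdelete."""
    return f"dn: {dn}\nchangetype: delete\n"


class LdapError(Exception):
    """Carries the LDAP result name and code slapd would return."""


def apply_change(dit: Dit, dn: str, changetype: str, ops: Sequence[Op] = ()) -> None:
    if dn not in dit:
        raise LdapError(f"noSuchObject (32): {dn}")
    if changetype == "delete":
        if any(other.endswith("," + dn) for other in dit):
            raise LdapError(f"notAllowedOnNonLeaf (66): {dn}")
        del dit[dn]
        return
    if changetype != "modify":
        raise LdapError(f"unsupported changetype {changetype}")
    # Work on a copy: a modify either fully applies or leaves the entry untouched.
    entry = {attr: list(values) for attr, values in dit[dn].items()}
    for op, attr, values in ops:
        if op == "replace":
            if values:
                entry[attr] = list(values)
            else:
                entry.pop(attr, None)          # replace with no values removes the attribute
        elif op == "add":
            current = entry.setdefault(attr, [])
            for value in values:
                if value in current:
                    raise LdapError(f"attributeOrValueExists (20): {attr}={value}")
                current.append(value)
        elif op == "delete":
            if attr not in entry:
                raise LdapError(f"noSuchAttribute (16): {attr}")
            if values:
                for value in values:
                    if value not in entry[attr]:
                        raise LdapError(f"noSuchAttribute (16): {attr}={value}")
                    entry[attr].remove(value)
                if not entry[attr]:
                    del entry[attr]
            else:
                del entry[attr]
        else:
            raise LdapError(f"unknown modify op {op}")
    dit[dn] = entry


def run_changes(dit: Dit, changes: Sequence[tuple], continue_on_error: bool = False) -> List[str]:
    """Apply records in order; like ldapmodify, stop at the first error unless -c."""
    errors: List[str] = []
    for change in changes:
        try:
            apply_change(dit, *change)
        except LdapError as exc:
            errors.append(str(exc))
            if not continue_on_error:
                break
    return errors


def sample_dit() -> Dit:
    """Constructed DIT matching the notes' layout."""
    base = "dc=linuxcbt,dc=internal"
    return {
        base: {"objectClass": ["dcObject", "organization"], "dc": ["linuxcbt"], "o": ["linuxcbt"]},
        f"ou=sales,{base}": {"objectClass": ["organizationalUnit"], "ou": ["sales"]},
        f"cn=LinuxCBT1,ou=sales,{base}": {"objectClass": ["inetOrgPerson"], "cn": ["LinuxCBT1"],
                                         "sn": ["User"], "mail": ["old@linuxcbt.internal"]},
        f"cn=LinuxCBT5,ou=sales,{base}": {"objectClass": ["inetOrgPerson"], "cn": ["LinuxCBT5"],
                                         "sn": ["User"]},
    }
```

The text modify_record and delete_record return is what you put in the file passed to 'ldapmodify -x -D "cn=Manager,dc=linuxcbt,dc=internal" -W -v -f changes.ldif'; run_changes with the same list shows in advance which record would stop the run and why, which is the case where you would reach for -c.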
###LDAP SEARCH###
Features:
1. Ability to search the DIT
2. Supports Boolean Operators: &(AND), |(OR), !(NOT) - Using prefix notation
3. Supports Wildcards: *, +(internal operations)
Usage:
1. ldapsearch [options] "(attribute filteroperator value)"
Filter Operators:
1. =(string comparisons)
2. <, >, <=, >=
3. ~= (regex match for approximate results)
Value(s):
1. Absolute string: i.e. 'LinuxCBT1'
2. Wildcard: i.e. 'Linux*'
Tasks:
1. Search specific OUs for information
  a. ldapsearch -b "dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(objectclass=*)" - searches the DIT for everything - returning ALL objects
  b. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -x -h linuxcbtsuse2 "(objectclass=*)" - searches 'ou=people,dc=linuxcbt,dc=internal' specifically
2. Search the DIT for Organizational Units (OUs)
  a. ldapsearch -b "dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(objectclass=organizationalUnit)" - searches for OUs throughout the DIT
Note: Most attributes are case-insensitive, however, consult schema for more details
  b. ldapsearch -b "dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(objectclass=inetOrgPerson)" - this dumps ALL users throughout the DIT
  c. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(objectclass=inetOrgPerson)"
3. Use Boolean Operators
  a. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(&(cn=LinuxCBT1) (sn=User))" - searches ou=people,dc=linuxcbt,dc=internal for object with: 'cn=LinuxCBT1' & 'sn=User'
Note: This search is case-insensitive
  b. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(&(cn=Linux*) (sn=User))" - wildcard search
  c. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(|(cn=LinuxCBT1) (cn=LinuxCBT2))"
  d. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(telephoneNumber=203-543-8979)"
  e. ldapsearch -b "ou=people,dc=linuxcbt,dc=internal" -h linuxcbtsuse2 -x "(cn~=linuxcbt)"
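To make the filter rules above concrete (prefix-notation &, | and !, the '*' wildcard, the >= and <= ordering operators, case-insensitive matching, and the -b search base), the Python below is an added example, not OpenLDAP code or the notes' own: a small parser and evaluator for this filter syntax run against a constructed in-memory DIT, so each ldapsearch command listed above can be checked without a server. Simplifications that are this example's own: filter values may not contain ')' (no RFC 4515 escapes), '~=' is approximated as a case-insensitive substring match rather than the server's approximate-matching rule, and whitespace between components is skipped, as in the filters written in the notes.

```python
# Added example (not from the notes): a small evaluator for the filter syntax
# the ldapsearch commands above use, run against a constructed in-memory DIT so
# the boolean, wildcard and ordering rules can be checked without a server.
# Simplifications: values may not contain ')' (no RFC 4515 escapes), '~=' is a
# case-insensitive substring match, and whitespace between components is skipped.
import re
from typing import Any, Dict, List, Tuple

BASE_DN = "dc=linuxcbt,dc=internal"

# Constructed entries (dn plus attributes) in the layout the notes build.
DIT: List[Dict[str, Any]] = [
    {"dn": BASE_DN, "objectClass": ["dcObject", "organization"], "dc": ["linuxcbt"]},
    {"dn": f"ou=people,{BASE_DN}", "objectClass": ["organizationalUnit"], "ou": ["people"]},
    {"dn": f"ou=sales,{BASE_DN}", "objectClass": ["organizationalUnit"], "ou": ["sales"]},
    {"dn": f"cn=LinuxCBT1,ou=people,{BASE_DN}", "objectClass": ["inetOrgPerson"],
     "cn": ["LinuxCBT1"], "sn": ["User"], "telephoneNumber": ["203-543-8979"], "uidNumber": ["1001"]},
    {"dn": f"cn=LinuxCBT2,ou=people,{BASE_DN}", "objectClass": ["inetOrgPerson"],
     "cn": ["LinuxCBT2"], "sn": ["User"], "uidNumber": ["1002"]},
    {"dn": f"cn=LinuxCBT5,ou=sales,{BASE_DN}", "objectClass": ["inetOrgPerson"],
     "cn": ["LinuxCBT5"], "sn": ["Sales"], "uidNumber": ["1005"]},
]


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s: str, i: int) -> Tuple[int, tuple]:
    """Recursive-descent parser; returns (next_index, node)."""
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    head = s[i] if i < len(s) else ""
    if head in ("&", "|"):                       # prefix-notation AND / OR
        op, i, children = head, _skip_ws(s, i + 1), []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated list filter")
        return i + 1, (op, children)
    if head == "!":
        i, child = _parse(s, i + 1)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT filter")
        return i + 1, ("!", [child])
    end = s.index(")", i)                        # ValueError if the item is unterminated
    item = s[i:end]
    for op in ("~=", ">=", "<=", "="):           # two-char operators before plain '='
        if op in item:
            attr, _, value = item.partition(op)
            return end + 1, (op, attr.strip(), value)
    raise ValueError(f"bad filter item: {item}")


def parse_filter(text: str) -> tuple:
    i, node = _parse(text, 0)
    if text[i:].strip():
        raise ValueError("trailing characters after filter")
    return node


def _values(entry: Dict[str, Any], attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    for name, values in entry.items():
        if name != "dn" and name.lower() == attr.lower():
            return list(values)
    return []


def _ordering(a: str, b: str) -> int:
    """Numeric ordering when both sides are integers, else case-insensitive string ordering."""
    if a.lstrip("-").isdigit() and b.lstrip("-").isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    a, b = a.lower(), b.lower()
    return (a > b) - (a < b)


def evaluate(node: tuple, entry: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    op, attr, value = node
    values = _values(entry, attr)
    if op == "=":
        if value == "*":                                   # presence filter
            return bool(values)
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    if op == "~=":
        return any(value.lower() in v.lower() for v in values)
    if op == ">=":
        return any(_ordering(v, value) >= 0 for v in values)
    if op == "<=":
        return any(_ordering(v, value) <= 0 for v in values)
    raise ValueError(op)


def ldap_search(base: str, filter_text: str, dit: List[Dict[str, Any]] = DIT) -> List[str]:
    """Subtree search below 'base' (ldapsearch -b), returning matching DNs in DIT order."""
    node = parse_filter(filter_text)
    base_l = base.lower()
    return [e["dn"] for e in dit
            if (e["dn"].lower() == base_l or e["dn"].lower().endswith("," + base_l))
            and evaluate(node, e)]
```

ldap_search(f"ou=people,{BASE_DN}", "(&(cn=Linux*) (sn=User))") returns the two people entries, while the same filter with the suffix as base also reaches ou=sales and adds nothing because LinuxCBT5's sn is not User; the base entry itself is part of a subtree search, which is why "(!(cn=LinuxCBT1))" under ou=people returns the OU as well as LinuxCBT2.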


OpenLDAP logging:

###Logging/Debugging###
Features:
1. Logs using SysLog (defaults to: LOCAL4)
2. Includes ldap searches as well as starts/stops/etc.
SUSE10 Configuration:
LOCAL4 -> /var/log/localmessages
Syslog-NG Config: /etc/syslog-ng/syslog-ng.conf
Debugging:
Update: /etc/sysconfig/openldap to adjust debugging default (STDOUT)
OPENLDAP_SLAPD_PARAMS="-d <integer>"
Loglevel <integer> (-1-32768)
-1 (ALL Debugging) '-d -1'
0 (No Debugging) '-d 0'
1 (Trace)
2 (packet handling)
4 (heavy trace) more verbose than loglevel 1
8 (connection management)
16 (packets sent/received)
32 (search filter processing)
64 (config file processing) (slapd.conf)
128 (ACL processing)
256 (stats log connections/operations/results)
512 (stats log entries sent)
1024 (prints the communications with the shell back-ends)
2048 (print entry parsing debugging)
Task:
1. Setup Syslog logging on RH5 box
  a. /etc/syslog.conf
local4.* /var/log/ldap.log
2. Setup Syslog logging on Solaris box
  a. /etc/syslog.conf
local4.* /var/log/ldap.log
Task:
1. Purposely misname a slapd.conf directive
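The loglevel table above is a bitmask, and the stats level (256) is the one that produces the per-connection BIND and RESULT lines an analyst reads in /var/log/ldap.log after the syslog setup described. The Python below is an added example, not part of the notes or of OpenLDAP: it decodes and composes loglevel integers using the keyword names slapd.conf accepts for each bit, then parses constructed syslog lines in the stats format and counts failed simple binds per client address and bind DN, a basic check for password guessing against the Manager DN. Assumptions: the log lines are constructed for this example (IPv4 clients only), and tag=97 / err=49 are the BindResponse tag and the invalidCredentials result code as slapd logs them.

```python
# Added example (not from the notes): decode/compose the slapd loglevel bitmask
# from the table above, then parse constructed syslog lines in the 'stats' (256)
# format slapd emits via LOCAL4 and count failed binds per client address.
# The log lines are constructed; tag=97 is BindResponse, err=49 invalidCredentials.
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# loglevel bit -> keyword slapd.conf accepts; the comments keep the notes' wording.
LOGLEVEL_BITS = {
    1: "trace",      # trace
    2: "packets",    # packet handling
    4: "args",       # heavy trace
    8: "conns",      # connection management
    16: "BER",       # packets sent/received
    32: "filter",    # search filter processing
    64: "config",    # config file processing
    128: "ACL",      # ACL processing
    256: "stats",    # connections/operations/results
    512: "stats2",   # entries sent
    1024: "shell",   # shell back-end communication
    2048: "parse",   # entry parsing
}


def decode_loglevel(level: int) -> List[str]:
    """Names of the categories enabled by 'loglevel N' or 'slapd -d N' (-1 = all)."""
    if level == -1:
        return list(LOGLEVEL_BITS.values())
    return [name for bit, name in LOGLEVEL_BITS.items() if level & bit]


def encode_loglevel(names: Iterable[str]) -> int:
    """Integer for a list of category names (slapd.conf also accepts the names directly)."""
    by_name = {name.lower(): bit for bit, name in LOGLEVEL_BITS.items()}
    level = 0
    for name in names:
        level |= by_name[name.lower()]   # KeyError on an unknown category
    return level


# Constructed syslog lines in the stats (256) format: one successful bind from
# 192.0.2.20 and three failed Manager binds from 192.0.2.10.
SAMPLE_LOG = """\
Dec  9 14:17:01 linuxcbtsuse2 slapd[2331]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
Dec  9 14:17:01 linuxcbtsuse2 slapd[2331]: conn=1000 op=0 BIND dn="cn=Manager,dc=linuxcbt,dc=internal" method=128
Dec  9 14:17:01 linuxcbtsuse2 slapd[2331]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec  9 14:17:02 linuxcbtsuse2 slapd[2331]: conn=1000 op=1 BIND dn="cn=Manager,dc=linuxcbt,dc=internal" method=128
Dec  9 14:17:02 linuxcbtsuse2 slapd[2331]: conn=1000 op=1 RESULT tag=97 err=49 text=
Dec  9 14:17:03 linuxcbtsuse2 slapd[2331]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40002 (IP=0.0.0.0:389)
Dec  9 14:17:03 linuxcbtsuse2 slapd[2331]: conn=1001 op=0 BIND dn="cn=Manager,dc=linuxcbt,dc=internal" method=128
Dec  9 14:17:03 linuxcbtsuse2 slapd[2331]: conn=1001 op=0 RESULT tag=97 err=0 text=
Dec  9 14:17:04 linuxcbtsuse2 slapd[2331]: conn=1000 op=2 BIND dn="cn=Manager,dc=linuxcbt,dc=internal" method=128
Dec  9 14:17:04 linuxcbtsuse2 slapd[2331]: conn=1000 op=2 RESULT tag=97 err=49 text=
Dec  9 14:17:05 linuxcbtsuse2 slapd[2331]: conn=1000 fd=12 closed
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def failed_binds(log_text: str) -> Counter:
    """Count failed simple binds as (client_ip, bind_dn) from stats-level log lines."""
    conn_ip: Dict[str, str] = {}                   # conn id -> client address (from ACCEPT)
    pending: Dict[Tuple[str, str], str] = {}       # (conn, op) -> bind dn awaiting RESULT
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        accept = ACCEPT_RE.match(rest)
        if accept:
            conn_ip[conn] = accept.group("ip")
            continue
        bind = BIND_RE.match(rest)
        if bind:
            pending[(conn, bind.group("op"))] = bind.group("dn")
            continue
        result = RESULT_RE.match(rest)
        if result:
            dn = pending.pop((conn, result.group("op")), None)
            if dn is not None and result.group("err") == "49":
                failures[(conn_ip.get(conn, "?"), dn)] += 1
    return failures


def noisy_clients(log_text: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Sources with at least `threshold` failed binds against one DN, most first."""
    return sorted(((ip, dn, n) for (ip, dn), n in failed_binds(log_text).items() if n >= threshold),
                  key=lambda t: -t[2])
```

None of the BIND/RESULT lines exist unless the stats bit is set, so encode_loglevel(["stats"]) (256) is the minimum loglevel that makes failed_binds useful; read the file named in the local4 line of syslog.conf and pass its contents to noisy_clients.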



posted @ 2012-12-09 14:17 gnuhpc