CentOS: A Complete Guide to Configuring an OpenLDAP Server with cn=config
For many years I have been working on using OpenLDAP as the company's central user authentication service, with many open-source servers authenticating against it through LDAP. I don't know whether you are using it, or whether you have run into problems while doing so. In these articles I share some of my setup process, in the hope that it helps those who need it. Of course, because of changes in time, versions and scenarios, some parts may not apply everywhere; adjust them as appropriate for your own situation.
Enough said; straight to the practical part.
CentOS OpenLDAP Server Setup (Part 1)
1. Building the server with cn=config
1.1 Installing the software
[root@dlp ~]# yum -y install openldap-servers openldap-clients
[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@dlp ~]# systemctl start slapd
[root@dlp ~]# systemctl enable slapd
1.2 Setting the administrator password
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# paste the {SSHA} hash printed by slappasswd above (LDIF has no "//" comments;
# anything after the hash on the value line would become part of the password)
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
1.3 Importing the basic schemas
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
1.4 Generating the LDAP domain data
1.4.1 Access control configuration
Set your domain name in the LDAP DB
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vim chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=server,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
# paste the {SSHA} hash printed by slappasswd above
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# a continuation line starts with a space (which LDIF strips), so two spaces keep
# the word boundary intact when the value is joined back together
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
1.4.2 Base domain data
[root@dlp ~]# vim basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: Server

dn: cn=Manager,dc=server,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=server,dc=world
objectClass: organizationalUnit
ou: Group
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=server,dc=world -W -f basedomain.ldif
Enter LDAP Password:
# directory manager's password
adding new entry "dc=server,dc=world"
adding new entry "cn=Manager,dc=server,dc=world"
adding new entry "ou=People,dc=server,dc=world"
adding new entry "ou=Group,dc=server,dc=world"
1.5 Configuring TLS connection support
1.5.1 Generate a TLS/SSL certificate
the first thing we need to do is generate an SSL certificate
# cd /etc/pki/tls/certs
from here we are going to make an LDAP.key file
# make LDAP.key
Input: m..n.e
enter a passphrase, and proceed to the next step, which rewrites the key without the passphrase so slapd can load it unattended
[root@ns2 certs]# openssl rsa -in LDAP.key -out LDAP.key    (server-side private key)
now generate the certificate signing request, entering the necessary info
[root@ns2 certs]# make LDAP.csr    (certificate signing request file)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key LDAP.key -out LDAP.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Dunchong Technologies Co., Ltd.
Organizational Unit Name (eg, section) []:InfoDept.
Common Name (eg, your name or your server's hostname) []:NS
Email Address []:dc@dcnet.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:meinine
An optional company name []:
finally, generate the self-signed certificate file (LDAP.crt) by signing the CSR with our own key
[root@ns2 certs]# openssl x509 -in LDAP.csr -out LDAP.crt -req -signkey LDAP.key -days 36500
Signature ok
subject=/C=CN/ST=Zhejiang/L=Hangzhou/O=Dunchong Technologies Co., Ltd./OU=InfoDept./CN=NS/emailAddress=dc@dcnet.com
Getting Private key
hit enter, then apply restrictive permissions to all the LDAP key and certificate files
[root@ns2 certs]# chmod 400 LDAP.*
1.5.2 Using the certificate in OpenLDAP
from here create the folder for the certs (if it does not yet exist), and copy the LDAP certs to /etc/openldap/cacerts
[root@ns2 certs]# mkdir /etc/openldap/cacerts/
[root@ns2 certs]# cp /etc/pki/tls/certs/LDAP.* /etc/openldap/cacerts/
set permissions, then commit the change to the config database
[root@ns2 certs]# chown ldap. /etc/openldap/cacerts/*
[root@ns2 certs]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/LDAP.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/LDAP.key
now press Ctrl+D to quit
1.5.3 Editing the LDAP config
now we have to edit the LDAP config
[root@ns2 certs]# vim /etc/sysconfig/ldap
set line 20, if it is not already set this way, to SLAPD_LDAPS=yes
1.5.4 Restart the service to complete the TLS configuration
restart LDAP afterwards
[root@ns2 certs]# service slapd restart
That’s it, you have configured LDAP over TLS!
1.6 LDAP client authentication over TLS
1.6.1 ldap.conf configuration
vim /etc/openldap/ldap.conf
STARTTLS yes
# TLS_REQCERT never makes the client accept any server certificate without checking it;
# once the server's certificate is in TLS_CACERTDIR, TLS_REQCERT demand is the safe setting
TLS_REQCERT never
TLS_CACERTDIR /maildir/cacerts/
1.6.2 ldapsearch usage examples
ldapsearch -x -W -D 'uid=dharma,ou=Hunandcpeople,dc=dcnet,dc=com' -s sub -H ldaps://12.40.64.99
ldapsearch -x -W -D 'cn=Manager,dc=dcnet,dc=com' -b "ou=People,dc=dcnet,dc=com" -s sub -H ldap://localhost