Because there are multiple systems within the company, and each has its own user authentication, every time a colleague joins or leaves, the operations and maintenance staff have to add or remove that user in every system, which is tedious for them.
To free the operations staff from this repetitive work, and to manage the user authentication of all systems in one place, we decided to enable LDAP. Each system then authenticates its users through LDAP, while permissions continue to be managed within each system.
1. Introduction to OpenLDAP
Before installing OpenLDAP, let's first introduce LDAP.
LDAP (Lightweight Directory Access Protocol) is an open protocol for centralized account management; OpenLDAP is its open-source implementation, runs on many system versions, and is used by many Internet companies.
LDAP provides and implements a directory service. A directory service is a special kind of database that performs well for reading, browsing and searching data. Directory services generally hold attribute-based descriptive information and support sophisticated filtering, but the OpenLDAP directory service does not support the complex transaction management or rollback strategies that general-purpose databases need for large-scale update operations.
There are two related standards, X.500 and LDAP. OpenLDAP is based on the X.500 standard, removes the complex functions of X.500 and can be extended as required, but it also differs from X.500; for example, OpenLDAP runs over TCP/IP, which is the protocol used to access the Internet.
OpenLDAP runs directly on the simpler and more general TCP/IP layer (or another reliable transport), avoiding the overhead of the OSI session and presentation layers. This makes connection establishment and packet processing simpler and faster, which is ideal for Internet and corporate network applications.
The information in the OpenLDAP directory is stored in a tree-like hierarchy (very similar to DNS). The top or root of the tree is called the "base DN", such as "dc=mydomain,dc=org" or "o=mydomain.org"; the former form is more flexible and is the one used in Windows AD. There are many entries under the root. To separate these large amounts of data logically, OpenLDAP, like other directory service protocols, uses OUs (Organizational Units), which can represent the internal organization of the company, such as departments, and can also represent equipment, personnel, and so on. An OU can in turn contain sub-OUs for finer classification.
Each record in OpenLDAP has a unique name, the DN (Distinguished Name), that differs from all other records, and the part in the "leaf" position is called the RDN (Relative Distinguished Name). For example, in dn: cn=tom,ou=animals,dc=ilanni,dc=com, cn=tom is the RDN, and an RDN must be unique within its OU.
OpenLDAP uses Berkeley DB as the backend database by default. BerkeleyDB stores data as key-value pairs indexed by hash.
BerkeleyDB is a special kind of database optimized for query and read. It is mainly used for search, browse and update-by-query operations; it works well for data that is written once and queried many times. BerkeleyDB does not support the high concurrent throughput and complex transactions of transactional databases (MySQL, MariaDB, Oracle, etc.).
PS: This experiment is based on CentOS 7, and OpenLDAP is version 2.4.44.
2. Initialize the environment
Initialize the environment as follows:
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0&& systemctl disable firewalld.service && systemctl stop firewalld.service
It is best to reboot afterwards (shutdown -r now) if you can.
3. Install OpenLDAP
Install OpenLDAP with the following command:
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
To check the OpenLDAP version, use the following command:
slapd -VV
4. Configure OpenLDAP
OpenLDAP configuration is fairly involved and covers a lot of ground. Next, we introduce its configuration step by step.
Note: Starting from OpenLDAP 2.4.23, all configuration data is stored in /etc/openldap/slapd.d/; using slapd.conf as the configuration file is no longer recommended.
4.1 Configure OpenLDAP administrator password
Set the OpenLDAP administrator password:
slappasswd -s helloadmin
Save the hashed value printed by the command above; we will write it into the configuration file later.
4.2 Modify the olcDatabase={2}hdb.ldif file
Modify the olcDatabase={2}hdb.ldif file: add the line
olcRootPW: {SSHA}OYyb90ARhaTvL9mZpD7aCRn/ipqvtStf, then modify the domain information:
olcSuffix: dc=poke_domain,dc=com
olcRootDN: cn=admin,dc=poke_domain,dc=com
Note: admin in cn=admin is the username of the OpenLDAP administrator, and olcRootPW is the administrator's password; write the hash saved in section 4.1 here.
The actual modification is as follows:
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif
olcSuffix: dc=poke_domain,dc=com
olcRootDN: cn=admin,dc=poke_domain,dc=com
olcRootPW: {SSHA}OYyb90ARhaTvL9mZpD7aCRn/ipqvtStf
4.3 Modify the olcDatabase={1}monitor.ldif file
Modify the olcDatabase={1}monitor.ldif file as follows:
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=poke_domain,dc=com" read by * none
Note: the second dn.base in this line is the DN of the OpenLDAP administrator; that is the part this modification changes.
To verify the basic configuration of OpenLDAP, use the following command:
slaptest -u
The output shows that there is no problem with the basic configuration of OpenLDAP.
To start the OpenLDAP service, use the following command:
rm -rf /var/lib/ldap
rm -rf /var/run/openldap
mkdir -p /var/lib/ldap && chown -R ldap.ldap /var/lib/ldap && chmod 700 /var/lib/ldap
mkdir -p /var/run/openldap && chown -R ldap.ldap /var/run/openldap && chmod 755 /var/run/openldap
Note: The four commands above avoid permission problems that would prevent the service from starting; run them only before the first startup.
systemctl enable slapd
systemctl start slapd
systemctl status slapd
The default listening port of OpenLDAP is 389. Let's verify the status of port 389, as follows:
netstat -antup | grep 389
The output shows that port 389 is indeed listening.
4.4 Configuring the OpenLDAP database
The default database used by OpenLDAP is BerkeleyDB. Now to start configuring the OpenLDAP database, use the following command:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/
Note: /var/lib/ldap/ is the default storage path of the BerkeleyDB database.
4.5 Import Basic Schema
To import the base schema, use the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
4.6 Modify the migrate_common.ph file
The migrate_common.ph file is mainly used when generating the ldif files. Modify it as follows (around line 71):
vim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "poke_domain.com";
$DEFAULT_BASE = "dc=poke_domain,dc=com";
$EXTENDED_SCHEMA = 1;
At this point, the configuration of OpenLDAP has been completed. Let's start adding users to OpenLDAP.
5. Add users and user groups
By default OpenLDAP has no normal users, only an administrator. The administrator is the root DN we configured earlier.
Now we add system users to OpenLDAP. To tell them apart, we first create two new users, ldapuser1 and ldapuser2, and two user groups, ldapgroup1 and ldapgroup2, as follows:
To add a user group, use the following command:
groupadd ldapgroup1
groupadd ldapgroup2
To add a user and set a password, use the following command:
useradd -g ldapgroup1 ldapuser1
useradd -g ldapgroup2 ldapuser2
echo '123456' | passwd --stdin ldapuser1
echo '123456' | passwd --stdin ldapuser2
Extract the users and user groups just added, including the users' passwords and other related attributes, as follows:
grep -E "ldap[^:]" /etc/passwd > /root/users
grep -E "ldap[^:]" /etc/group > /root/groups
cat /root/users /root/groups
From the extracted user and group attributes, use migrate_passwd.pl and migrate_group.pl to generate the ldif files that add the users and user groups, as follows:
/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
cat /root/users.ldif
cat /root/groups.ldif
Note: If we want to add new users to OpenLDAP later, we can directly edit the users.ldif file.
6. Import users and user groups into the OpenLDAP database
Create the base LDIF for the OpenLDAP database as follows (each entry must be separated from the next by a blank line, otherwise ldapadd rejects the file):
cat > /root/base.ldif << EOF
dn: dc=poke_domain,dc=com
o: poke_domain com
dc: poke_domain
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=admin,dc=poke_domain,dc=com
cn: admin
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=poke_domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=poke_domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
To import the base database, use the following command:
ldapadd -x -w "helloadmin" -D "cn=admin,dc=poke_domain,dc=com" -f /root/base.ldif
To import users and user groups into the database, use the following command:
ldapadd -x -w "helloadmin" -D "cn=admin,dc=poke_domain,dc=com" -f /root/users.ldif
ldapadd -x -w "helloadmin" -D "cn=admin,dc=poke_domain,dc=com" -f /root/groups.ldif
To view the BerkeleyDB database file, use the following command:
ls -l /var/lib/ldap/
We can see that new database files such as cn.bdb, sn.bdb and ou.bdb now exist in the BerkeleyDB database directory.
7. Query OpenLDAP related information
After all users and user groups have been imported, we can query OpenLDAP for their information.
To query all OpenLDAP information, use the following command:
ldapsearch -x -b "dc=poke_domain,dc=com" -H ldap://127.0.0.1
To query the added OpenLDAP user information, use the following command:
ldapsearch -LLL -x -D 'cn=admin,dc=poke_domain,dc=com' -w "helloadmin" -b 'dc=poke_domain,dc=com' 'uid=ldapuser1'
To query the information of the added OpenLDAP user group, use the following command:
ldapsearch -LLL -x -D 'cn=admin,dc=poke_domain,dc=com' -w "helloadmin" -b 'dc=poke_domain,dc=com' 'cn=ldapgroup2'
Note: In the above output, we can see that there are currently no members in the ldapgroup1 user group.
8. Add OpenLDAP users to user groups
Although we have imported the user and user group information into the OpenLDAP database, there is currently no association between the OpenLDAP users and user groups.
To associate users with user groups in the OpenLDAP database, we need a separate configuration step.
To add the ldapuser1 user to the ldapgroup1 user group, we create a new ldif file that adds the user to the group, as follows:
cat > /root/add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=poke_domain,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF
Execute the following command:
ldapadd -x -w "helloadmin" -D "cn=admin,dc=poke_domain,dc=com" -f /root/add_user_to_groups.ldif
Query the information of the added OpenLDAP user group as follows:
ldapsearch -LLL -x -D 'cn=admin,dc=poke_domain,dc=com' -w "helloadmin" -b 'dc=poke_domain,dc=com' 'cn=ldapgroup1'
From the output, we can see that the ldapuser1 user has joined the ldapgroup1 user group.
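The following is an added example, not the migrationtools code or anything from the original post, that shows what migrate_passwd.pl and migrate_group.pl (section 5) produce from /etc/passwd and /etc/group lines, and generates the changetype: modify record of section 8. It uses the $DEFAULT_BASE and $DEFAULT_MAIL_DOMAIN values from migrate_common.ph, the sample passwd/group lines are constructed, and it is simplified: it emits only the posixAccount/shadowAccount attributes, not the inetOrgPerson ones that $EXTENDED_SCHEMA = 1 adds. Because the output carries the crypt hashes copied from /etc/shadow, users.ldif deserves the same file permissions as /etc/shadow.

```python
BASE_DN = "dc=poke_domain,dc=com"   # $DEFAULT_BASE from migrate_common.ph
MAIL_DOMAIN = "poke_domain.com"     # $DEFAULT_MAIL_DOMAIN

# Constructed sample lines in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = "ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash"
SAMPLE_GROUP = "ldapgroup1:x:1001:"


def passwd_to_ldif(passwd_line, shadow_hash=None):
    """One /etc/passwd line -> one posixAccount entry under ou=People.
    shadow_hash is the crypt(3) hash for this user from /etc/shadow, if any."""
    name, _, uid, gid, gecos, home, shell = passwd_line.strip().split(":")
    lines = [f"dn: uid={name},ou=People,{BASE_DN}", f"uid: {name}",
             f"cn: {gecos or name}", "objectClass: account",
             "objectClass: posixAccount", "objectClass: top",
             "objectClass: shadowAccount"]
    if shadow_hash:  # the {crypt} prefix tells slapd how to verify the hash
        lines.append("userPassword: {crypt}" + shadow_hash)
    lines += [f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
              f"homeDirectory: {home}", f"mail: {name}@{MAIL_DOMAIN}"]
    return "\n".join(lines) + "\n"


def group_to_ldif(group_line):
    """One /etc/group line -> one posixGroup entry under ou=Group; the
    comma-separated member list becomes one memberUid per member."""
    name, _, gid, members = group_line.strip().split(":")
    lines = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: posixGroup",
             "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def add_member_ldif(group, user):
    """The changetype: modify record from section 8 that puts user into group."""
    return (f"dn: cn={group},ou=Group,{BASE_DN}\nchangetype: modify\n"
            f"add: memberUid\nmemberUid: {user}\n")


def join_entries(entries):
    """LDIF records must be separated by exactly one blank line."""
    return "\n".join(entries)
```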
9. Enable OpenLDAP log access function
OpenLDAP does not enable logging by default, but in practice we need the OpenLDAP logs to locate problems.
Create a new log configuration ldif file as follows:
cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
Import into OpenLDAP and restart the OpenLDAP service as follows:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
systemctl restart slapd
Modify the rsyslog configuration file and restart the rsyslog service as follows:
cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog
Check the OpenLDAP log as follows:
tail -f /var/log/slapd.log
10. Use the Apache Directory Studio tool to view
Most of the time we work with OpenLDAP from Windows. As a Windows client tool for connecting to OpenLDAP, I recommend Apache Directory Studio.
Installing Apache Directory Studio is very simple; it can be downloaded from the official website.
Here is a screenshot of my connection settings, with a brief explanation:
Among them, Hostname fills in the host address of OpenLDAP, Port fills in the listening port of OpenLDAP, and base fills in the DN of OpenLDAP.
The Username in the Bind DN or user section is the administrator, and the Bind password is the administrator's password.
Note: Unlike the systems we usually log in to with a bare root username, the Bind DN or user field needs the complete DN, for example cn=admin,dc=poke_domain,dc=com.
At this point, the installation and configuration of OpenLDAP has been fully introduced.