What is LDAP?
The easiest way to learn a concept is, of course, Wikipedia.
LDAP stands for Lightweight Directory Access Protocol. It is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over the IP protocol.
Put simply, LDAP consists of a database that stores tree-structured data plus a set of protocols through which third parties can search and query that data.
It is a lightweight directory access protocol based on the X.500 standard, it is an open Internet standard, and it is a cross-platform Internet protocol.
In short, LDAP is a directory database system together with a set of protocols for accessing it.
Why use LDAP
To see why, we first need to understand which problem LDAP solves.
As everyone knows, once a company reaches a certain size there are many systems in use. If every system requires its own registration, each system may end up with a different user name and password. For the individual this is frustrating, and from the company's IT security point of view it is even more troublesome.
So unified authentication, that is, single sign-on, is needed.
LDAP is the system best suited for single sign-on.
Because LDAP is an open, vendor-neutral, industry-standard application protocol, it is cross-platform, its data configuration is simple, it has a single well-defined function, and it offers high stability and query performance. Using it as the authentication service reduces duplicated development and integration costs.
LDAP basic data model
The LDAP data model organizes data as a tree, but its terminology is a bit bewildering. To understand LDAP you need at least the following concepts.
LDAP is a tree-shaped data structure: all entries (or objects) are defined within a tree.
The tree of entries is called the Directory Information Tree (DIT).
A complete entry is uniquely identified by its name, which we call the distinguished name (DN).
A single node, that is, one component of a DN, is called the relative distinguished name (RDN).
An entry (or object) is usually one of two kinds:
- Container: an object that can itself contain other objects. For example root (the root element of the directory tree, which does not really exist), c (country/region), ou (organizational unit) and dc (domain component). A container is comparable to a directory in a file system.
- Leaf: an object at the end of a branch, which cannot contain other objects. For example person, inetOrgPerson and groupOfNames.
Each object contains a number of attributes, and a set of rules determines which attribute values the object must follow.
Finally, remember the following LDAP abbreviations:
- o: organization (Organization - Company)
- ou: organization unit (OU - Department)
- c: countryName (country)
- dc: domainComponent (domain name)
- sn: surname (last name)
- cn: common name (common name)
Example:
Take the entry babs in the figure:
DN: uid=babs,ou=people,dc=example,dc=com
Relative to the node ou=people,dc=example,dc=com, its RDN is uid=babs; its objectClass is person.
This article only touches on a few key LDAP concepts; for more detailed and specific study, please read the official documentation yourself.
Set up an LDAP server
Environment used: OpenLDAP 2.4, CentOS 7.6
Step 1: update the environment
Run: yum update
Step 2: install OpenLDAP
Install OpenLDAP and its related packages
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
After installation, start the service and set it to start at boot. Run the following commands
systemctl start slapd
systemctl enable slapd
Once it has started, you can check whether slapd is running
netstat -antup | grep -i 389
The output looks like the figure below.
Step 3: create the LDAP root password
This password is used throughout the installation; it is the LDAP administrator's root password. Generate it with the slappasswd command.
After running slappasswd you are prompted for the password and its confirmation; the system then prints an SSHA-hashed string. Copy it and save it in a text file.
The password I set is Ricman; the hashed string that came out is
{SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8
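The string slappasswd prints has a simple structure, and it pays to understand it before pasting it into olcRootPW. The code below is an added example, not part of the article and not OpenLDAP code: it builds {SSHA} values the way slappasswd does (base64 of SHA-1(password || salt) followed by the salt, with a 4-byte salt by default) and verifies a candidate password against one in constant time. The hash quoted above is only decoded to show its layout; the password is not reproduced here.

```python
"""Build and verify {SSHA} hashes of the form slappasswd produces (added example).

{SSHA} = base64( SHA-1(password || salt) || salt ). slappasswd draws a 4-byte
random salt by default; the verifier takes the salt to be whatever follows the
20-byte digest, so any salt length is accepted.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20

# Hash quoted in the article; only its layout is inspected below.
ARTICLE_HASH = "{SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string; a fresh 4-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Decode an {SSHA} string into (digest, salt); ValueError if malformed."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in {SSHA} hash") from exc
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} payload shorter than digest + salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored {SSHA} hash."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("constructed-password")          # constructed sample password
    print(h, verify_ssha("constructed-password", h))
    print("salt bytes in the article's hash:", len(split_ssha(ARTICLE_HASH)[1]))
```

Two things follow from the layout. The salt defeats precomputed tables but SHA-1 itself is fast, so the strength of olcRootPW rests on the passphrase you choose; and the same string ends up stored in the cn=config database under /etc/openldap/slapd.d, so those files must stay readable only by root and the ldap user. OpenLDAP can store slower schemes through its contrib password modules (for example pw-pbkdf2), which is worth considering for user passwords.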
Step 4: configure the LDAP service
This is the hardest part of the whole process. Almost everything you can find on the web today describes an outdated way of configuring it. Ricman climbed out of those pits too, and hopes this article will help fellow readers avoid detours in the days to come.
As for how to modify the configuration: OpenLDAP 2.4 no longer recommends editing the configuration files directly, and doing so is very error-prone. Every modification below is done with ldapmodify.
First, let's see which configuration files currently exist. Run
cd /etc/openldap/slapd.d/cn=config
ls
The output looks like the figure below. Some people's results may differ slightly, but they are almost the same. Note the file names; they will be needed when modifying the configuration shortly.
Of course, you can use cat to view the files and see their original contents.
The fields we need to modify are:
olcSuffix – holds the domain information; update it to your own domain
olcRootDN – the root DN (distinguished name); the root administrator performs all management under this node
olcRootPW – the LDAP administrator's root password; set it to the password hash created in step 3
Create a file db.ldif in any directory. In Ricman's experience it is best not to create it under /etc/openldap/slapd.d/cn=config, because that directory holds the original configuration files and slaptest -u will report errors when testing the configuration. Being lazy, I created it directly in the home directory; running cd ~ switches there. (Creating files there is not good practice; it is used only temporarily to keep the walkthrough simple.)
Modify the db file
This db file is not a database file; it is just one of the LDAP configuration files. It may be mdb or some other *db; Ricman's installation uses hdb.
Run vi db.ldif
Enter the following content in this file
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8
Note that the three fields olcSuffix, olcRootDN and olcRootPW above must be changed to your own values.
Pay special attention to olcRootPW: this field did not exist in olcDatabase={2}hdb.ldif when we looked at it just now, so add is used, meaning a new attribute is added. If the field already exists, use replace, meaning its content is replaced.
After editing, use ldapmodify to apply the changes.
ldapmodify modifies the configuration directly in the running environment and takes effect without a restart; see the official ldapmodify documentation for details.
In the directory containing db.ldif, run
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
The output looks like the figure below. Make sure there are three "modifying entry" lines; only then has everything been updated.
Modify the monitor file
This is similar to modifying the db file. In the same directory as db.ldif, run
vi monitor.ldif
Enter the following content in this file
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ricman,dc=localhost" read by * none
Change the second dn.base value yourself; what follows the equals sign must match the olcRootDN in db.ldif above.
After saving the file, apply it with ldapmodify in the same way.
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
The output looks like the figure below
Again, "modifying entry" must appear for the change to have succeeded. In the figure above, Ricman wrote one extra line while editing the file, so it failed. Check your monitor file carefully.
Create the LDAP base database
What is created here is a base database for storing data. After installing LDAP there is an example configuration; we need to copy it and give the ldap user ownership of it.
Run the following commands
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
With that configured, we can add schemas to the database. The ones to add are cosine, nis and inetorgperson.
What on earth are schemas? A schema is the definition file for the directory's data, comparable to a table definition in a relational database, though with some differences. See the document understanding-ldap-schema for details.
Add them with the ldapadd command, as follows
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Run the three commands one at a time; each produces output like the figure below
Once done, create base.ldif to add the content under your own managed domain to the database. Run
vi base.ldif
Enter the following content in the file
dn: dc=ricman,dc=localhost
dc: ricman
objectClass: top
objectClass: domain

dn: cn=Manager,dc=ricman,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: Group
Again, change this to your own domain
Run this command to save the data into the database
ldapadd -x -W -D "cn=Manager,dc=ricman,dc=localhost" -f base.ldif
This command prompts for the LDAP password, the same one created in step 3 above; here I entered: ricman
Output below
This completes the basic configuration
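Every LDIF file in this walkthrough (db.ldif, monitor.ldif and base.ldif) is applied straight to a live server, and as the monitor step showed, one stray line makes ldapmodify reject the record. The checker below is an added example, not part of the article or of OpenLDAP: it parses LDIF into records and reports the structural mistakes ldapmodify and ldapadd would trip over (a value line under the wrong attribute, a missing "-" between operations, an add record without objectClass), and it returns the record count so you can compare it with the number of "modifying entry" lines. The embedded sample is this article's db.ldif with a placeholder in place of the real hash.

```python
"""Structural checker for the LDIF files fed to ldapmodify and ldapadd (added example).

Unfolds continuation lines, splits records on blank lines, checks that
'changetype: modify' records follow the RFC 2849 shape (operation line, value
lines naming the same attribute, '-' separators) and that add records carry an
objectClass. Base64 ('::') and URL (':<') values are kept as plain text. A
missing '-' after the last operation is tolerated, as slapd tolerates it.
"""
from typing import List, Optional, Tuple

Record = List[Tuple[str, str]]
MOD_OPS = ("add", "replace", "delete")


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF into records of (key, value) pairs; a lone '-' keeps key '-'."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:        # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: List[Record] = []
    current: Record = []
    for line in unfolded:
        if not line.strip():                          # blank line ends a record
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line.strip() == "-":
            current.append(("-", ""))
        elif ":" in line:
            key, _, value = line.partition(":")
            current.append((key.strip(), value.strip()))
        else:
            raise ValueError(f"malformed LDIF line: {line!r}")
    if current:
        records.append(current)
    return records


def lint_record(record: Record) -> List[str]:
    """Problems found in one record (an empty list means it looks well-formed)."""
    if not record or record[0][0].lower() != "dn":
        return ["record must start with a 'dn:' line"]
    dn, body = record[0][1], record[1:]
    ctype = "add"                                      # ldapadd's default
    if body and body[0][0].lower() == "changetype":
        ctype, body = body[0][1].lower(), body[1:]
    problems: List[str] = []
    if ctype == "add":
        if not any(k.lower() == "objectclass" for k, _ in body):
            problems.append(f"{dn}: add record has no objectClass")
        return problems
    if ctype != "modify":
        return problems                                # delete/modrdn not checked
    op: Optional[str] = None                           # current add/replace/delete
    attr: Optional[str] = None                         # attribute it names
    values = 0
    for key, value in body:
        lkey = key.lower()
        if lkey == "-":
            if op is None:
                problems.append(f"{dn}: '-' without a preceding operation")
            elif values == 0 and op != "delete":
                problems.append(f"{dn}: '{op}: {attr}' has no values")
            op, attr, values = None, None, 0
        elif lkey in MOD_OPS:
            if op is not None:
                problems.append(f"{dn}: '{key}: {value}' follows '{op}: {attr}' without a '-'")
            op, attr, values = lkey, value.lower(), 0
        elif op is None:
            problems.append(f"{dn}: '{key}:' line is not inside an operation")
        elif lkey != attr:
            problems.append(f"{dn}: value line '{key}:' does not match operation attribute '{attr}'")
        else:
            values += 1
    if op is not None and values == 0 and op != "delete":
        problems.append(f"{dn}: '{op}: {attr}' has no values")
    return problems


def lint_ldif(text: str) -> Tuple[int, List[str]]:
    """(record count, problems); ldapmodify prints one 'modifying entry' per record."""
    records = parse_ldif(text)
    return len(records), [p for r in records for p in lint_record(r)]


# Constructed sample: this walkthrough's db.ldif with a placeholder hash.
DB_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-FROM-SLAPPASSWD
"""
```

Running lint_ldif(DB_LDIF) yields a count of 3 and no problems, matching the three "modifying entry" lines ldapmodify prints for that file; feed it the file you are about to apply with -Y EXTERNAL -H ldapi:/// and fix anything it reports first. It checks structure only, not whether an attribute exists in cn=config, so the add-versus-replace choice for olcRootPW is still yours to get right.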
Management Ldap
Download LDAP Admin from the Internet. I am using a Windows 7 system, and personally I find managing the directory directly with LDAP Admin quite interesting.
Before connecting, we need to configure the server's firewall to allow the ldap service through.
Run the commands
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
Next, you can use LDAP Admin to manage the directory. Click Connect -> New connection
Then set the Host, Base, user name and password
Use the administrator user name; in this example it is cn=Manager,dc=ricman,dc=localhost
The password is the one created in step 3 above; the password used in this article is ricman
Click Test Connection. If the connection succeeds you can go straight into the management interface, as shown below
You can then use the tool to create the users and organizations you need
Uninstall Ldap
If you need to uninstall, stop the service first, then remove the packages with yum
systemctl stop slapd
yum remove compat-openldap openldap-clients openldap-servers
Of course, do not forget to remove DB_CONFIG and the configuration files as well
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap/slapd.d/*
That is the end of the article. If you reproduce or repost it, please cite the source. Thank you.