A 2020 tutorial: setting up an LDAP server step by step on CentOS 7


What is LDAP?

To understand a concept, the easiest way is to look it up on Wikipedia.

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over IP.

Put simply, LDAP consists of a database that stores tree-structured data plus a set of protocols; third parties can search and query that data through the protocol.

It is a lightweight version of the X.500 directory standard and an open Internet standard; the LDAP protocol is cross-platform.

In short, LDAP is a directory database system together with a set of protocols for accessing it.

Why use LDAP

To see why, we need to understand what problem LDAP solves.

As we all know, once a company reaches a certain size it runs many systems, and if each system requires its own registration, the user names and passwords may differ from system to system. That is frustrating for individuals, and from the company's IT security point of view it is even more troublesome.

So unified authentication, that is, single sign-on, is necessary.

LDAP is the system best suited to single sign-on.

Because LDAP is an open, vendor-neutral, industry-standard application protocol, it is cross-platform, its data configuration is simple, it does one thing, and it offers high stability and query performance; using it for authentication reduces duplicated development and integration costs.

LDAP basic data model

The LDAP data model organizes data as a tree, but the terminology is a bit bewildering. To understand LDAP you need at least the following concepts.

LDAP is a tree data structure: all entries (or objects) are defined within a tree structure.

The tree of entries is called the Directory Information Tree (DIT).

A complete entry is uniquely identified by a name, which we call its distinguished name (DN).

A single node or path component within a DN is called an RDN (relative distinguished name).

Typically an entry (or object) is stored as one of two types of object:

  1. Container: an object that can itself contain other objects. For example: root (the root element of the directory tree; it does not really exist), c (country/region), ou (organizational unit) and dc (domain component). A container is comparable to a directory in a file system.

  2. Leaf: an object at an end node that cannot contain other objects. For example person, inetOrgPerson, groupOfNames.

Each object has attributes, and its object class determines which attributes it must have and the rules their values must follow.

Finally, we need to remember the common LDAP abbreviations:

  • o: organization (company)
  • ou: organizational unit (department)
  • c: countryName (country)
  • dc: domainComponent (domain name component)
  • sn: surname (real name)
  • cn: common name

Example:

Figure: example entries

Take the babs entry in the figure:

DN:uid=babs,ou=people,dc=example,dc=com

Relative to the node ou=people,dc=example,dc=com, its RDN is uid=babs and its objectClass is person.

This article only touches on the key LDAP concepts; for more detailed and specific study, consult the official documentation.

Set up an LDAP server

Environment used: OpenLDAP 2.4, CentOS 7.6

Step 1: update the environment

Run: yum update

Step 2: install OpenLDAP

Install OpenLDAP and the related packages:

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel


After installation you can start the service and enable it to start at boot. Run the following commands:

systemctl start slapd
systemctl enable slapd

After starting, check whether slapd is running:

netstat -antup | grep -i 389

You should see something like the figure below.

Figure: installation successful

Step 3: create the LDAP root password

This password is used for the whole installation; it is the LDAP administrator's root password. Generate it with the slappasswd command.
After running slappasswd you are prompted for the password and a confirmation, and the system prints an SSHA-hashed string; copy it and save it in a text file.
The password I set is Ricman, and the hashed string that came out is
{SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8


Step 4: configure the LDAP service

This is the hardest part of the whole process. Almost everything you can find online today uses the outdated configuration method; Ricman climbed out of those pits too, and I hope this article helps fellow readers avoid detours in future.

As for how to modify the configuration: OpenLDAP 2.4 no longer recommends editing the configuration files directly, which is very error-prone, so every modification is done with ldapmodify.

First let's see which configuration files currently exist; run:

cd /etc/openldap/slapd.d/cn=config
ls


The output is shown in the figure below. Some people's results may differ slightly, but they are almost the same; note the file names, which will be used shortly when modifying the configuration.

Of course, you can use cat to view the files and see their original contents.


The fields we need to modify are:

olcSuffix – holds the domain information; update it to your own domain

olcRootDN – the root DN (distinguished name); the root administrator does all management under this node

olcRootPW – the LDAP administrator's root password; set it to the hashed password created in step 3

Create a file db.ldif in any directory. In Ricman's experience it is best not to create it under /etc/openldap/slapd.d/cn=config, because that directory holds the original configuration files, and slaptest -u will report an error when testing the configuration. Being lazy, I created it directly in the home directory; cd ~ switches there (creating files there is not good practice, but it is used temporarily to keep the installation walkthrough simple).

Modify the db file

This db file is not a database file; it is just one of the LDAP configuration files. It may be mdb or one of the other *db backends; Ricman's installation uses hdb.

Run vi db.ldif

Edit the file to contain the following:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8


Note that the three fields olcSuffix, olcRootDN and olcRootPW above need to be changed to your own values.
Pay particular attention to olcRootPW: this attribute did not exist in the olcDatabase={2}hdb.ldif we just looked at, so it uses add, meaning append; if the attribute already exists, use replace, meaning replace its content.
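The two checks that matter in steps 3 and 4, as an added example that is not part of the original article: ssha_verify confirms that the {SSHA} string saved from slappasswd really hashes the intended password (so a plaintext value never lands in olcRootPW), and build_db_ldif chooses add or replace for olcRootPW from whether the attribute is already present in the current config. SAMPLE_CONFIG is a constructed stand-in for the cat output, and all function names are this example's own.

```python
import base64
import hashlib
import os
import re

# Constructed stand-in for `cat olcDatabase={2}hdb.ldif` before step 4: no olcRootPW yet.
SAMPLE_CONFIG = """dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
"""

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Produce a {SSHA} value the way slappasswd does: base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    """Check that a saved {SSHA} string really encodes the given password."""
    if not stored.startswith("{SSHA}"):
        return False  # plaintext or another scheme: not what we want in olcRootPW
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password.encode() + salt).digest() == digest

def build_db_ldif(current_config: str, suffix: str, root_dn: str,
                  root_pw_hash: str, plain_password: str) -> str:
    """Emit the three modify records of db.ldif. olcRootPW gets `add` when the
    attribute is absent from the current config and `replace` when it exists."""
    if not ssha_verify(root_pw_hash, plain_password):
        raise ValueError("olcRootPW must be the {SSHA} hash of the intended password")
    has_pw = re.search(r"^olcRootPW:", current_config, re.MULTILINE) is not None
    pw_op = "replace" if has_pw else "add"
    head = "dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\n"
    return (
        f"{head}replace: olcSuffix\nolcSuffix: {suffix}\n\n"
        f"{head}replace: olcRootDN\nolcRootDN: {root_dn}\n\n"
        f"{head}{pw_op}: olcRootPW\nolcRootPW: {root_pw_hash}\n"
    )

if __name__ == "__main__":
    pw_hash = ssha_hash("Ricman")
    print(build_db_ldif(SAMPLE_CONFIG, "dc=ricman,dc=localhost",
                        "cn=Manager,dc=ricman,dc=localhost", pw_hash, "Ricman"))
```

Running ssha_verify on the string you saved in step 3 with the password you typed tells you whether the copy is intact before it goes into db.ldif.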

After editing, use ldapmodify to apply the changes.

ldapmodify modifies the configuration in the running environment and the change takes effect without a restart; see the official ldapmodify documentation for details.

In the directory containing db.ldif, run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

The output is shown in the figure below; be sure that "modifying entry" appears three times, which means all updates succeeded.


Modify the monitor file

This is similar to modifying the db file. In the same directory as db.ldif, run:

vi monitor.ldif

Enter the following content in the file:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=max,dc=localhost" read by * none

Change the dn.base content yourself; the value after the equals sign must match olcRootDN in db.ldif above.

After saving the file, apply it with ldapmodify in the same way.

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

The output is shown in the figure below.


Again, "modifying entry" must appear for it to succeed. In the figure above Ricman wrote an extra line while editing the file, so it failed; check your monitor file carefully.
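An added consistency check, not from the original article, for the requirement above that dn.base in monitor.ldif matches olcRootDN in db.ldif: the inline LDIF strings are copies of the relevant lines of this article's two files, and the function names are this example's own. Run against the article's files as written, it reports the mismatch between dc=max and dc=ricman.

```python
import re

# Inline copies of the relevant lines of this article's db.ldif and monitor.ldif.
DB_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost
"""

MONITOR_LDIF = """dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=max,dc=localhost" read by * none
"""

def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN separators, so that
    'cn=Manager, dc=x' and 'cn=manager,dc=x' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def root_dn(db_ldif: str) -> str:
    """Pull the olcRootDN value out of db.ldif."""
    m = re.search(r"^olcRootDN:\s*(.+?)\s*$", db_ldif, re.MULTILINE)
    if m is None:
        raise ValueError("no olcRootDN in db.ldif")
    return m.group(1)

def acl_dns(monitor_ldif: str) -> list:
    """Every dn.base="..." subject named in the olcAccess line of monitor.ldif."""
    return re.findall(r'dn\.base="([^"]+)"', monitor_ldif)

def monitor_acl_grants_root(db_ldif: str, monitor_ldif: str) -> bool:
    """True when the monitor ACL names the same DN as olcRootDN. Otherwise the
    manager DN falls through to `by * none` and has no access to the monitor
    database, because the {2}hdb rootdn is not the rootdn of {1}monitor."""
    wanted = normalize_dn(root_dn(db_ldif))
    return any(normalize_dn(d) == wanted for d in acl_dns(monitor_ldif))

if __name__ == "__main__":
    print("monitor ACL matches olcRootDN:", monitor_acl_grants_root(DB_LDIF, MONITOR_LDIF))
```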

Create the LDAP base database

This creates a base database for storing data. After installing LDAP there is an example configuration; we need to copy it and give the ldap user ownership of it.

Run the following commands:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*


Once that is configured, we can add schemas to the database. The ones to add are cosine, nis and inetorgperson.

What are schemas? A schema is the definition file for the directory's data, roughly equivalent to the table definitions in a relational database, with some differences. See the documentation understanding-ldap-schema for details.

Add them with ldapadd, using the following commands:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Run the three commands one at a time; each produces output like the figure below.


Once that is done, create base.ldif to add the contents of your own managed domain to the database; run:

vi base.ldif

Enter the following content in the file:

dn: dc=ricman,dc=localhost
dc: ricman
objectClass: top
objectClass: domain

dn: cn=Manager,dc=ricman,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: Group

Again, change this to your own domain.

Run the following command to save this data into the database:

ldapadd -x -W -D "cn=Manager,dc=ricman,dc=localhost" -f base.ldif

This command prompts for the LDAP password, which is the same password created in step 3; here I entered ricman.

The output is shown below.


This completes the basic configuration.

Managing LDAP

Download LDAP Admin from the Internet. I am using a Windows 7 system, and I personally find managing the directory directly with LDAP Admin quite nice.

Before connecting, we need to configure the server's firewall to allow the ldap service.

Run the commands:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload


Next you can manage the directory with LDAP Admin. Click Connect -> New connection.

Then set the Host, Base, user name and password.

For the user name use the administrator DN; in this example it is cn=Manager,dc=ricman,dc=localhost.

The password is the one created in step 3; in this example it is ricman.


Click Test Connection; if the connection succeeds you can go straight into the management interface, as shown in the figures (connection succeeded; management tool).

You can use the tool to create the users and organizations you need.

Uninstall LDAP

If you need to uninstall, stop the service first, then remove it with yum:

systemctl stop slapd

yum remove compat-openldap openldap-clients openldap-servers

Of course, don't forget to remove DB_CONFIG and the configuration files as well:

rm -rf /var/lib/ldap/*
rm -rf /etc/openldap/slapd.d/*

That is the end of the article. If you reproduce it, please indicate the source. Thank you.


Origin www.cnblogs.com/xiaoshou/p/12337620.html