CentOS 7 LDAP Cluster Service Setup

LDAP Service Setup

1. Installing the OpenLDAP software

Packages to install:

  • openldap-clients
  • openldap-devel
  • openldap-servers
  • openldap-servers-sql
  • compat-openldap (dependency for master/slave replication)
  • migrationtools (dependency for migrating users)

Install the packages:

# yum -y install openldap-* compat-openldap migrationtools

2. Initialization

Initialize the database configuration from the template:

#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG  

#chown ldap. /var/lib/ldap/DB_CONFIG

Start the service:

systemctl status slapd
systemctl start slapd
systemctl enable slapd
[root@ldap-master ~]# systemctl start slapd
[root@ldap-master ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2018-11-25 03:43:04 EST; 14s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 2629 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) 
Process: 2614 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 2632 (slapd)
CGroup: /system.slice/slapd.service
└─2632 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Nov 25 03:42:41 ldap-master.7d.cn systemd[1]: Starting OpenLDAP Server Daemon...
Nov 25 03:42:41 ldap-master.7d.cn runuser[2617]: pam_unix(runuser:session): session opened for user lda...=0)
Nov 25 03:42:41 ldap-master.7d.cn runuser[2617]: pam_unix(runuser:session): session closed for user ldap
Nov 25 03:42:51 ldap-master.7d.cn slapd[2629]: @(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
[email protected]:/builddir/build/...lapd
Nov 25 03:43:04 ldap-master.7d.cn slapd[2629]: tlsmc_get_pin: INFO: Please note the extracted key file...ons.
Nov 25 03:43:04 ldap-master.7d.cn slapd[2632]: hdb_db_open: warning - no DB_CONFIG file found in direc...(2).
Expect poor performance for suffix "dc=my-domain,dc=com".
Nov 25 03:43:04 ldap-master.7d.cn slapd[2632]: slapd starting
Nov 25 03:43:04 ldap-master.7d.cn systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

PS: note that SELinux is disabled and the firewall is stopped on these hosts.

systemctl stop firewalld
systemctl disable firewalld
getenforce
setenforce 0

3. Configuration changes

Generate the password hash:

# slappasswd -h {SSHA} -s admin##1 > slappasswd.txt
# cat slappasswd.txt 
{SSHA}j8poYhGTWORW1aqrvS/loqLd4yQ6rB9x

Edit the database configuration LDIF:

[root@master ~]# vim db.ldif 
[root@master ~]# cat db.ldif 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=local,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=local,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}j8poYhGTWORW1aqrvS/loqLd4yQ6rB9x 

Import the configuration:

[root@master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
[root@master ~]# 

Import the base schemas:

  • ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
  • ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
  • ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Import the base data, defining the administrator entry and the organizational units:

[root@master ~]# vim base.ldif 
[root@master ~]# cat base.ldif 
dn: dc=local,dc=cn
dc: local
objectClass: top
objectClass: domain

dn: cn=Manager,dc=local,dc=cn
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=local,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=local,dc=cn
objectClass: organizationalUnit
ou: Group

[root@master ~]# ldapadd -x -W -D "cn=Manager,dc=local,dc=cn" -f base.ldif 
Enter LDAP Password: 
adding new entry "dc=local,dc=cn"

adding new entry "cn=Manager,dc=local,dc=cn"

adding new entry "ou=People,dc=local,dc=cn"

adding new entry "ou=Group,dc=local,dc=cn"

4. LDAP data operations

Create a test user:

[root@master ~]# vim test.ldif 
[root@master ~]# cat test.ldif 
dn: uid=test,ou=People,dc=local,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test [test (at) local]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

[root@master ~]# ldapadd -x -W -D "cn=Manager,dc=local,dc=cn" -f test.ldif 
Enter LDAP Password: 
adding new entry "uid=test,ou=People,dc=local,dc=cn"

Set the user's password:

[root@master ~]# ldappasswd -s password123 -W -D "cn=Manager,dc=local,dc=cn" -x "uid=test,ou=People,dc=local,dc=cn"
Enter LDAP Password:

Test the LDAP service:

[root@master ~]# ldapsearch -x cn=test -b dc=local,dc=cn
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: cn=test
# requesting: ALL
#

# test, People, local.cn
dn: uid=test,ou=People,dc=local,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test [test (at) local]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9R2IvOGppTmhsd0ZMdlB0S1NwY083YVgwZXdHU09uZFM=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
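As an added example (not part of the original post), the Python below reproduces what step 3's slappasswd -h {SSHA} computes and what the userPassword:: line in the ldapsearch output above encodes: it generates an {SSHA} RootPW hash without putting the password on the command line (slappasswd -s leaves it in shell history and the process list), emits the three db.ldif modify records from step 3 for a given suffix and RootDN, and decodes the base64-wrapped userPassword value so it can be checked against a candidate password. The LDAP_ROOT_PW environment variable and its fallback value are assumptions of this example.

```python
import base64
import hashlib
import os

# The suffix and RootDN used throughout the page's db.ldif and base.ldif.
SUFFIX = "dc=local,dc=cn"
ROOT_DN = "cn=Manager,dc=local,dc=cn"


def ssha_hash(password, salt=None):
    """Same scheme as 'slappasswd -h {SSHA}': base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd likewise appends a 4-byte random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def decode_ldif_value(line):
    """LDIF writes unsafe values as 'attr:: <base64>' (ldapsearch did this for userPassword)."""
    attr, sep, value = line.partition(":: ")
    if not sep:
        return line.split(": ", 1)[1]  # plain 'attr: value' line
    return base64.b64decode(value.strip()).decode()


def build_db_ldif(suffix, root_dn, root_pw_hash, db="olcDatabase={2}hdb,cn=config"):
    """Emit the three 'changetype: modify' records of the page's db.ldif for ldapmodify -Y EXTERNAL."""
    records = [("olcSuffix", suffix), ("olcRootDN", root_dn), ("olcRootPW", root_pw_hash)]
    return "\n".join(f"dn: {db}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n"
                     for attr, value in records)


if __name__ == "__main__":
    # Assumed for this example: the RootPW comes from the environment instead of argv.
    root_pw = os.environ.get("LDAP_ROOT_PW", "example-only-password")
    print(build_db_ldif(SUFFIX, ROOT_DN, ssha_hash(root_pw)))
    # The userPassword line from the page's ldapsearch output, still base64-wrapped by ldapsearch.
    stored = decode_ldif_value("userPassword:: e1NTSEF9R2IvOGppTmhsd0ZMdlB0S1NwY083YVgwZXdHU09uZFM=")
    print(stored, "matches 'password123':", ssha_verify("password123", stored))
```

Write the generated LDIF to db.ldif and import it with the same ldapmodify -Y EXTERNAL -H ldapi:/// command as in step 3.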

Delete operation:

ldapdelete -W -D "cn=Manager,dc=local,dc=cn" "uid=test,ou=People,dc=local,dc=cn"

[root@master ~]# ldapdelete -W -D "cn=Manager,dc=local,dc=cn" "uid=test,ou=People,dc=local,dc=cn"
Enter LDAP Password: 
[root@master ~]# ldapsearch -x cn=test -b dc=local,dc=cn
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: cn=test
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

References:

https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2
http://www.openldap.org/doc/admin24/quickstart.html

Reposted from: blog.csdn.net/weixin_43423965/article/details/105215245