ITPub Blog


Linux OpenLDAP Quick Guide -- coolwinds 2005/03/25

Original | Linux operating system | Author: coolwinds | Posted: 2005-03-25 16:23:55
Linux OpenLDAP Quick Guide -- coolwinds 2005/03/25
By the way, can someone tell me why the Chinese-text test does not pass? Discussion, reposting and modifications are welcome!!!

Installation steps:

Since openldap needs Berkeley DB to store its data, Berkeley DB 4.2.52 must be installed first; it can be downloaded from its website (address given above). Run the following command to unpack it:

# tar -zxvf db-4.2.52.tar.gz

Unpacking creates a db-4.2.52 directory. Enter the build_unix directory below it and run the following commands to configure and install:

# ../dist/configure
# make
# make install

After installation, add the library path /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf, then run ldconfig once so the change takes effect; otherwise the openldap build will not find the library files.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Installing openldap %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# tar -zxvf openldap-version.tgz

Unpacking creates an openldap-version directory. Enter it and run the following to configure and install:

# env CPPFLAGS="-I /usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L /usr/local/BerkeleyDB.4.2/lib" ./configure --prefix=/usr/local/openldap --enable-ldbm

Note that the configure line above must set the database include and lib paths; otherwise, when configure reaches the database checks, it reports that the Berkeley DB version is incompatible and aborts. Without the --enable-ldbm option, make test complains that ldbm cannot be found.

# make depend
# make
# make test
# make install

########################## Create the top-level organizationalUnit: root.ldif ###################################

dn: dc=xkit,dc=net
objectclass: dcObject
objectclass: organization
o: People
dc: xkit

dn: cn=Manager,dc=xkit,dc=net
objectclass: organizationalRole
cn: Manager

dn: ou=people,dc=xkit,dc=net
objectclass: organizationalUnit
ou: people

#########################################################################################

Use the MigrationTools conversion script to convert /etc/passwd into an ldif file:

[root@coolwinds MigrationTools-46]# perl migrate_passwd.pl /etc/passwd passwd.ldif

For example, test.ldif (part of the passwd.ldif file):

dn: uid=test,ou=People,dc=xkit,dc=net
uid: test
cn: 测试
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 6574
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 506
gidNumber: 100
homeDirectory: /home/users/test
gecos: 测试

Then you can run:

ldapadd -x -D "cn=Manager,dc=xkit,dc=net" -W -f test.ldif

or do it in one step:

(perl migrate_passwd.pl /etc/passwd passwd.ldif; /usr/sbin/slapadd -l passwd.ldif)

###########################################################################################

The following command queries the information just entered:

# ldapsearch -x -b 'dc=xkit,dc=net'

The -b option sets the search base; if the BASE parameter is set in the client configuration, it can be omitted.

If ACLs are configured in /etc/openldap/slapd.conf, the query above does not return protected attributes such as userPassword and mail. To see those you must authenticate:

# ldapsearch -x -LLL -h localhost -b 'dc=xkit,dc=net' -D 'uid=test,dc=xkit,dc=net' -W 'uid=test'

You are then prompted for a password; enter the userPassword value and press Enter, and all the information is shown.

Common commands

* Delete: ldapdelete

# ldapdelete -x -D 'cn=Manager,dc=xkit,dc=net' -W 'uid=test,dc=xkit,dc=net'

* Set a user's password (the user entry needs a userPassword attribute, of course):

# ldappasswd -x -D "cn=Manager,dc=xkit,dc=net" -W "uid=test,dc=xkit,dc=net" -S
New password:
Re-enter new password:
Enter bind password:
Result: Success (0)

[Note] "Enter bind password" asks for the password of the administrator "cn=Manager,dc=xkit,dc=net".

* Change the administrator password

# slappasswd -h {MD5}    (or: slappasswd -h {SSHA})
New password:
Re-enter new password:
{MD5}xxxdsjlksdjflksjdfoisjsn;weurtwoujfo
{SSHA}83DJ4KVwqlk1uh9k2uDb8+NT1U4RgkEs

Then copy the output into the rootpw line of path/to/slapd.conf and restart the server so the configuration takes effect.

* Modify directory contents with ldapmodify

# ldapmodify -x -D "cn=Manager,dc=xkit,dc=net" -W -f modify.ldif

This modifies ldap data through an ldif file; the ldif file format is as follows:

dn: uid=test,ou=People,dc=xkit,dc=net
uid: test
cn: 中文测试没有通过
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 6574
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 506
gidNumber: 100
homeDirectory: /home/users/test
gecos: 中文测试没有通过

2.4. Enabling SASL authentication

The prerequisite is that the SASL library is installed on the system and openldap was compiled with support for it (it is enabled by default). Download it from http://asg.web.cmu.edu/cyrus.

# saslpasswd2 -c test

Then edit slapd.conf and add the following:

sasl-regexp
    uid=(.*),cn=.*,cn=auth
    uid=$1,dc=xkit,dc=net

Restart the server so the configuration takes effect. This mapping grants the widest privileges; consult the relevant documentation if you want to refine it. Test it with the following command:
# ldapsearch -U qq -b 'uid=qq,dc=xkit,dc=net' -D 'dc=xkit,dc=net' -Y DIGEST-MD5

This uses DIGEST-MD5 authentication; when prompted for a password, enter the password set with saslpasswd2.

Disabling anonymous access to the whole server

Add "disallow bind_anon" to the slapd.conf configuration file.

################################### /etc/openldap/ldap.conf #####################################

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=net
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=xkit,dc=net

################################### /etc/openldap/slapd.conf #####################################

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!

# ACL configuration: the following defines access control
# May only be modified by the entry itself; authenticated users may query.
access to attr=userPassword
    by self write
    by anonymous auth
# May only be modified by the entry itself; authenticated users may query.
access to attr=mail
    by dn="cn=Manager,dc=xkit,dc=net" write
    by self write
    by anonymous auth
# Allow everyone to read information that is not otherwise access-restricted.
access to dn=".*,dc=xkit,dc=net"
    by self write
    by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database ldbm
suffix "dc=xkit,dc=net"
rootdn "cn=Manager,dc=xkit,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
# replogfile /var/lib/ldap/openldap-master-replog
# replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
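The following Python script is an added example, not code from the original post or from OpenLDAP/MigrationTools: it builds the kind of posixAccount LDIF entry that migrate_passwd.pl produced above and covers two points those entries leave open. Per the LDIF specification (RFC 2849) a value that is not plain ASCII, such as the cn/gecos value 测试, must be base64-encoded and written with a double colon (cn:: 5rWL6K+V) rather than as cn: 测试, which is the usual reason an entry with Chinese values is rejected; and userPassword can carry a salted {SSHA} hash of the form slappasswd -h {SSHA} prints instead of the unsalted {MD5} form. The sample passwd line and the password are constructed for the example.

```python
import base64
import hashlib
import os

# Constructed sample /etc/passwd line (not taken from the original post).
SAMPLE_PASSWD_LINE = "test:x:506:100:测试:/home/users/test:/sbin/nologin"
BASE_DN = "ou=People,dc=xkit,dc=net"


def ldif_attr(name, value):
    """Format one LDIF attribute line (RFC 2849): a value that is not
    printable ASCII, or that starts with a space, ':' or '<', must be
    base64-encoded and introduced with a double colon."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the form 'slappasswd -h {SSHA}' prints:
    base64(sha1(password + salt) + salt); a fresh 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Re-hash with the salt stored after the 20-byte digest and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def passwd_line_to_ldif(line, password=None):
    """Build a posixAccount entry like migrate_passwd.pl does. Without a
    password the account stays locked ({crypt}!!), as in the post's output."""
    user, _, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    attrs = [("dn", f"uid={user},{BASE_DN}"), ("uid", user), ("cn", gecos)]
    attrs += [("objectClass", c) for c in
              ("account", "posixAccount", "top", "shadowAccount")]
    attrs += [("userPassword", ssha_hash(password) if password else "{crypt}!!"),
              ("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
              ("homeDirectory", home), ("gecos", gecos)]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"
```

ssha_verify re-derives the hash with the salt stored after the digest, which is how slapd checks a simple bind against a {SSHA} value; the unsalted {MD5} form yields the same hash for the same password on every server, which is why {SSHA} is the better choice for rootpw and user passwords.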

From "ITPUB Blog", link: http://blog.itpub.net/83980/viewspace-793967/ ; if you repost, please credit the source, otherwise legal action will be pursued.
