Setting up an OpenLDAP server is fiddly, and one slip is enough to break it. After dozens of attempts I finally got it working, so I am writing the procedure down here, both to share it and so I can come back to it later.

I. Installing and basic configuration of OpenLDAP

1. yum -y install openldap-servers openldap-clients

2.

3. slappasswd
   Note a) This command prints the password hashed with the SSHA scheme. Save that hash; it is needed later.

4. vi /etc/openldap/slapd.conf and make sure the following lines are present:
   include
   include
   include
   include
   allow bind_v2
   pidfile
   argsfile
   access to attrs=userPassword
   access to *
   database
   suffix
   checkpoint
   rootdn
   rootpw
   directory
   index objectClass
   index ou,cn,mail,surname,givenname
   index uidNumber,gidNumber,loginShell
   index uid,memberUid
   index nisMapName,nisMapEntry

II. Creating the directory data with migrationtools

1. yum install migrationtools -y
   cd
   vi
   Change the following settings:
   $DEFAULT_MAIL_DOMAIN = "kingmed.com";
   $DEFAULT_BASE = "dc=kingmed,dc=com";
2. Create an LDIF file with the following content (the userPassword value is the SSHA hash saved from slappasswd):

   dn: dc=kingmed,dc=com
   objectClass: top
   objectClass: dcObject
   objectclass: organization
   o: kingmed.com
   dc: kingmed

   dn: cn=Manager,dc=kingmed,dc=com
   objectClass: simpleSecurityObject
   objectClass: organizationalRole
   cn: Manager
   userPassword: {SSHA}jQu2QPBA4BYh9PByb6fIpCi4

   dn: ou=People,dc=kingmed,dc=com
   objectClass: organizationalUnit
   ou: People

   dn: ou=Group,dc=kingmed,dc=com
   objectClass: organizationalUnit
   ou: Group
3. 1) Set the following defaults for newly created accounts:
      GROUP=100
      HOME=/nfshome
      INACTIVE=-1
      EXPIRE=
      SHELL=/bin/bash
      SKEL=/etc/skel
      CREATE_MAIL_SPOOL=yes
   2)
   3) useradd ldapuser1
      echo "123456" | passwd --stdin ldapuser1
      useradd ldapuser2
      echo "123456" | passwd --stdin ldapuser2
      useradd ldapuser3
      echo "123456" | passwd --stdin ldapuser3
4. ./migrate_passwd.pl /etc/passwd
   vi
   ./migrate_group.pl /etc/group
   vi
   (The generated files are the user.ldif and groups.ldif loaded in the next step.)

5. slapadd -v -l frontend.ldif
   slapadd -v -l user.ldif
   slapadd -v -l groups.ldif
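As an added example (not code from the original post or from migrationtools): a small shell equivalent of what migrate_passwd.pl produces for the accounts created in step 3, run on constructed /etc/passwd lines instead of the real file. It also drops system accounts below a chosen UID, which the post does by hand in the vi step; the {crypt} hash that migrate_passwd.pl copies from /etc/shadow is left out here.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format; root is included only to show
# that system accounts are skipped. Not copied from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldapuser1:x:500:100::/nfshome/ldapuser1:/bin/bash
ldapuser2:x:501:100::/nfshome/ldapuser2:/bin/bash
ldapuser3:x:502:100:Test User 3:/nfshome/ldapuser3:/bin/bash'

# passwd_to_ldif BASE_DN MIN_UID
# Reads passwd-format lines on stdin and writes one posixAccount entry per
# user under ou=People,BASE_DN (the layout migrate_passwd.pl produces).
# Accounts whose uidNumber is below MIN_UID are dropped.
passwd_to_ldif() {
    awk -F: -v base="$1" -v minuid="$2" '
        NF >= 7 && $3 >= minuid {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\n", $1
            printf "cn: %s\n", $1
            print  "objectClass: account"
            print  "objectClass: posixAccount"
            print  "objectClass: top"
            print  "objectClass: shadowAccount"
            # no userPassword: migrate_passwd.pl takes the {crypt} hash
            # from /etc/shadow, which this example does not read
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            if ($5 != "") printf "gecos: %s\n", $5
            print ""
        }'
}

# count_entries: number of entries (dn: lines) in the LDIF read on stdin
count_entries() {
    grep -c '^dn: '
}

# Example run: three user entries under dc=kingmed,dc=com, root skipped.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif "dc=kingmed,dc=com" 500
```

The output can be written to user.ldif and loaded with the slapadd command from step 5.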
6. cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
7. rm -rf /etc/openldap/slapd.d/*
   slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
   Note: whenever slapd.conf is changed later, regenerate the configuration the same way:
   #rm -rf /etc/openldap/slapd.d/*
   #slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
   #chown -R ldap:ldap /etc/openldap/slapd.d
   #service slapd restart
8. chown -R ldap. /etc/openldap/slapd.d
   chown -R ldap. /var/lib/ldap
   /etc/rc.d/init.d/slapd start
   #chkconfig slapd on

Because the command line is not very intuitive, a third-party tool such as phpLDAPadmin is usually used to manage the directory.

III. Installing and using phpLDAPadmin

1. Install and configure httpd and PHP:
   yum -y install httpd php-ldap php

2. Download phpLDAPadmin:
   1) cd /var/www/html/
   2) wget http://nchc.dl./project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
   3) unzip phpldapadmin-1.2.3.zip
   4) mv phpldapadmin-1.2.3 myldap
   Note: if phpLDAPadmin was copied in from another directory and SELinux is enabled, first run restorecon -R /var/www/html to restore the security context of every file under that directory.

3. Configure phpLDAPadmin:
   cd /var/www/html/myldap/config
   cp config.php.example config.php
   Change the following options in config.php (the lines must not start with whitespace):
   $servers->setValue('server','base',array('dc=kingmed,dc=com'));
   $servers->setValue('login','bind_id','cn=Manager,dc=kingmed,dc=com');
   $servers->setValue('login','bind_pass','secret');

4. Open the firewall:
   #iptables
   #iptables
   #iptables
   #service
   #service
   Then open http://127.0.0.1/myldap in a browser and log in with the user name cn=Manager,dc=kingmed,dc=com and the password secret. The result looks like the figure below:
==================
service slapd stop
rm -rf /etc/openldap/slapd.d/*
rm -rf /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example
cd
==================
slapadd -v -l frontend.ldif
slapadd -v -l user.ldif
slapadd -v -l groups.ldif
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd start
==================
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd start
ldapadd -x -D cn=Manager,dc=kingmed,dc=com -W -f frontend.ldif
ldapadd -x -D cn=Manager,dc=kingmed,dc=com -W -f user.ldif
ldapadd -x -D cn=Manager,dc=kingmed,dc=com -W -f groups.ldif

Chapter 2
1.

2. On the right-hand side select "Use ..." and then click Next:
3. 1) grep -v "#" /etc/openldap/ldap.conf
      URI ldap://192.168.10.23/
      BASE dc=kingmed,dc=com
      TLS_CACERTDIR /etc/openldap/cacerts
   2) grep -v "#" /etc/nslcd.conf
      uid nslcd
      gid ldap
      uri ldap://192.168.10.23/
      base dc=kingmed,dc=com
      ssl no
      tls_cacertdir /etc/openldap/cacerts
   3) grep -v "#" /etc/pam_ldap.conf
      base dc=kingmed,dc=com
      URI
      ssl no
      tls_cacertdir /etc/openldap/cacerts
      pam_password md5
   4) grep -v "#" /etc/nsswitch.conf
      passwd:
      shadow:
      group:
      hosts:
      bootparams: nisplus [NOTFOUND=return] files
      ethers:
      netmasks:
      networks:
      protocols:
      rpc:
      services:
      netgroup:
      publickey:
      automount:
      aliases:
   5) grep -v "#" /etc/pam.d/system-auth
      auth
      auth
      auth
      auth
      auth
      account
      account
      account
      account
      account
      password
      password
      password
      password
      session
      session
      session
      session
      session
      session
   6) grep "USELDAP" /etc/sysconfig/authconfig
      USELDAPAUTH=yes
      USELDAP=yes
4. service nslcd start
   chkconfig nslcd on

5. id ldapuser1
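An added check, not part of the original post, for the client files shown in step 3: with `ssl no` and a plain ldap:// URI, every bind and lookup between the client and 192.168.10.23 goes over the network unprotected, and tls_cacertdir is never consulted. The function below reads an nslcd.conf or pam_ldap.conf style file on stdin and reports which case applies; the sample file is a constructed copy of the nslcd.conf above, and the STARTTLS variant is constructed from it.

```shell
#!/bin/sh
# Constructed copy of the /etc/nslcd.conf shown above (not read from disk).
NSLCD_CONF='uid nslcd
gid ldap
uri ldap://192.168.10.23/
base dc=kingmed,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts'

# ldap_transport: reads an nslcd.conf / pam_ldap.conf style file on stdin
# and prints one word describing how the LDAP session is protected:
#   ldaps     - ldaps:// URI or "ssl on": the whole session is encrypted
#   starttls  - "ssl start_tls": the plain ldap:// session is upgraded to TLS
#   cleartext - neither: simple binds and lookups are sent unprotected
# Only the last uri/ssl line counts, matching how the daemons read the file.
ldap_transport() {
    awk '
        tolower($1) == "uri" { uri = $2 }
        tolower($1) == "ssl" { ssl = tolower($2) }
        END {
            if (uri ~ /^ldaps:\/\// || ssl == "on") { print "ldaps"; exit }
            if (ssl == "start_tls")                 { print "starttls"; exit }
            print "cleartext"
        }'
}

# Same file with the single change that enables STARTTLS (constructed variant).
# The server must then actually offer TLS, and tls_cacertdir must hold its CA.
NSLCD_CONF_TLS=$(printf '%s\n' "$NSLCD_CONF" | sed 's/^ssl no$/ssl start_tls/')

# Example run: "cleartext" for the post's configuration, "starttls" after the change.
echo "post config:  $(printf '%s\n' "$NSLCD_CONF" | ldap_transport)"
echo "with STARTTLS: $(printf '%s\n' "$NSLCD_CONF_TLS" | ldap_transport)"
```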
Chapter 3

Part 1: Server-side configuration

1. 1)
   2)
   3)

2. /nfshome

3. #getsebool -a | grep nfs
   allow_ftpd_use_nfs --> off
   cobbler_use_nfs --> off
   git_system_use_nfs --> off
   httpd_use_nfs --> off
   qemu_use_nfs --> on
   rsync_use_nfs --> off
   samba_share_nfs --> off
   sanlock_use_nfs --> off
   sge_use_nfs --> off
   use_nfs_home_dirs --> on
   virt_use_nfs --> off
   xen_use_nfs --> off
   If use_nfs_home_dirs shows off, change it as follows:
   #setsebool
   Afterwards restart the NFS server:
   #service

4. LOCKD_TCPPORT=32803
   LOCKD_UDPPORT=32769
   MOUNTD_PORT=892
   STATD_PORT=662
   If these port settings are left commented out, showmount -e IP on the client fails with:
   rpc mount export: RPC: Unable to receive; errno = No route to host
   This step is not strictly required: the client cannot list the exports with showmount -e, but the NFS export and mounting still work.

5. vi /etc/sysconfig/iptables
   -A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
   -A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
   -A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
   -A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
   -A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
   -A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
   -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
   -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
   -A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
   -A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
   #service

6. #showmount
   Export list for 192.168.10.23:
   /nfshome *

Part 2: Client configuration
1. (1) service rpcbind start, chkconfig rpcbind on
   (2) service rpcidmapd start, chkconfig rpcidmapd on
   (3) service nfslock start, chkconfig nfslock on
   (4) service netfs start, chkconfig netfs on
   (5) service autofs start, chkconfig autofs on

2. vi /etc/auto.master and append after the last line:
   /nfshome
   vi /etc/auto.nfs, enter the following and save:
   *
   Restart autofs: service autofs stop; service autofs start

3.
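An added check, not from the original post, for server-side steps 4 and 5 above: it reads the pinned ports from an /etc/sysconfig/nfs style fragment and the ACCEPT rules from an /etc/sysconfig/iptables style fragment, and lists every NFS port that has no matching rule. Both inputs are constructed copies of the post's values, with two of the post's rules deliberately left out so the check has something to report.

```shell
#!/bin/sh
# Constructed /etc/sysconfig/nfs fragment with the ports pinned in step 4.
NFS_CONF='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662'

# Constructed rules: the post's list minus udp/892 and tcp/662.
IPTABLES_RULES='-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT'

# nfs_conf_value CONTENT NAME: value of an uncommented NAME=... line,
# or "unset" when the line is missing or still commented out.
nfs_conf_value() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# required_nfs_ports CONTENT: prints proto/port pairs that must be open.
# rpcbind (111) and nfsd (2049) are fixed; mountd and statd use both
# protocols on their pinned port; lockd has separate tcp and udp ports.
required_nfs_ports() {
    mountd=$(nfs_conf_value "$1" MOUNTD_PORT)
    statd=$(nfs_conf_value "$1" STATD_PORT)
    lockd_tcp=$(nfs_conf_value "$1" LOCKD_TCPPORT)
    lockd_udp=$(nfs_conf_value "$1" LOCKD_UDPPORT)
    printf '%s\n' tcp/111 udp/111 tcp/2049 udp/2049 \
        "tcp/$mountd" "udp/$mountd" "tcp/$statd" "udp/$statd" \
        "tcp/$lockd_tcp" "udp/$lockd_udp"
}

# missing_nfs_ports NFS_CONTENT RULES: prints each required port with no
# "-p PROTO ... --dport PORT ... -j ACCEPT" rule; returns 1 if any is missing.
missing_nfs_ports() {
    status=0
    for pp in $(required_nfs_ports "$1"); do
        proto=${pp%/*}; port=${pp#*/}
        printf '%s\n' "$2" | grep -q -- "-p $proto .*--dport $port .*-j ACCEPT" \
            || { echo "$pp"; status=1; }
    done
    return $status
}

missing_nfs_ports "$NFS_CONF" "$IPTABLES_RULES" || echo "some NFS ports are not opened"
```

Run against the real files the same way after step 5 to confirm the rule set matches the ports in /etc/sysconfig/nfs.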