Installing and configuring an LDAP server and client on Ubuntu 10.04
2013-05-30 21:15
Note: this uses Ubuntu 10.04 as the example, with the LDAP server and client on the same machine. Recent openldap server packages have no separate configuration file; the configuration is kept in a configuration database (the cn=config tree) instead.
1. LDAP server installation and configuration
1.1 Install the LDAP server packages
sudo apt-get install slapd ldap-utils
1.2 Configure the LDAP server database
First import the standard schemas into cn=config:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
(1) Create the database
Create the file create_database.ldif under /var/lib/ldap/:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: cn=admin,dc=edu,dc=example,dc=org
olcRootPW: {SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
Import it:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/create_database.ldif
Note: the hashed value after olcRootPW in create_database.ldif corresponds to the plaintext "example"; use the slappasswd command to obtain the hash for a plaintext password of your own.
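To show what slappasswd produces for olcRootPW, here is an added example (not code from the page or from OpenLDAP) that builds and verifies the {SSHA} scheme in pure Python: base64 of a SHA-1 digest of password plus salt, followed by the salt. The only page-specific input is PAGE_HASH, copied from the LDIF above; salts passed explicitly are for repeatable demonstration, a real hash uses a random salt as in ssha_hash's default.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hash copied from the page's create_database.ldif (olcRootPW); the page states
# that its plaintext is "example".
PAGE_HASH = "{SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX"
PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).

    slappasswd appends a short random salt; the format does not fix its length,
    because a verifier simply takes everything after the 20-byte digest.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); raises on malformed input."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def extract_salt(stored: str) -> bytes:
    """The salt bytes embedded in a stored {SSHA} value."""
    return split_ssha(stored)[1]


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    try:
        digest, salt = split_ssha(stored)
    except ValueError:
        return False
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def rootpw_line(password: str) -> str:
    """The olcRootPW line for an LDIF like create_database.ldif above."""
    return "olcRootPW: " + ssha_hash(password)


if __name__ == "__main__":
    fresh = ssha_hash("example")
    print(rootpw_line("example"))
    print("fresh hash verifies:", verify_ssha(fresh, "example"))
    print("page hash verifies for 'example':", verify_ssha(PAGE_HASH, "example"))
```

Two different runs of rootpw_line give two different lines for the same password because the salt changes; that is the point of the salt, and why verification has to pull the salt out of the stored value rather than recompute a hash and compare strings. SSHA is salted but fast to compute, so where a newer OpenLDAP offers stronger schemes they are preferable for the rootdn password.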
(2) Initialize the database
Create the file init_database.ldif under /var/lib/ldap/:
dn: dc=edu,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: edu.example.org
dc: edu
#description: LDAP root

dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
Import it:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/init_database.ldif
(3) Modify the ACL to limit access to the database
Create the file acls.ldif under /var/lib/ldap/. Rule {0} lets the admin and the entry's owner write the password attributes, lets anonymous binds use them for authentication only, and hides them from everyone else; rules {1} and {2} leave all other attributes readable by everyone, anonymous clients included, which is what the client-side getent lookups in section 2 rely on:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=edu,dc=example,dc=org" write by * read
Import it:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/acls.ldif
(4) Test the database
sudo ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org
1.3 Using the migration tools (migrationtools)
(1) Install
sudo apt-get install migrationtools
(2) Use the tools to migrate the Linux system's users and groups into the LDAP server
cd /usr/share/migrationtools/
./migrate_group.pl /etc/group ./group.ldif
./migrate_passwd.pl /etc/passwd ./passwd.ldif
Change the parent DN of the groups in group.ldif to ou=Groups,dc=edu,dc=example,dc=org
Change the parent DN of the users in passwd.ldif to ou=People,dc=edu,dc=example,dc=org
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./group.ldif
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./passwd.ldif
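The two "change the parent DN" steps above are easy to get wrong by hand, and migrate_passwd.pl also dumps root and every system account into passwd.ldif, which you do not want in the directory. The following added example (not part of the page, nor of migrationtools) is a small LDIF rewriter that parses the generated files, drops accounts and groups below a chosen uid/gid, and re-homes the remaining entries under the page's ou=Groups / ou=People suffix. The GROUP_LDIF and PASSWD_LDIF samples are constructed to resemble the tools' output with their stock default base dc=padl,dc=com; in real use read the files the tools wrote.

```python
from typing import List, Tuple

Attr = Tuple[str, str, bool]   # (attribute name, value, value is base64-encoded)
Entry = List[Attr]

# Constructed samples shaped like migrate_group.pl / migrate_passwd.pl output;
# the tools' stock default base is dc=padl,dc=com, hence the parent-DN edit.
GROUP_LDIF = """\
dn: cn=root,ou=Group,dc=padl,dc=com
objectClass: posixGroup
cn: root
gidNumber: 0

dn: cn=staff,ou=Group,dc=padl,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice
"""

PASSWD_LDIF = """\
# comment lines are ignored by the parser
dn: uid=root,ou=People,dc=padl,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0

dn: uid=alice,ou=People,dc=padl,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example,Room
  1
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) and drop '#' comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Split unfolded LDIF into blank-line separated entries of attributes."""
    entries: List[Entry] = []
    current: Entry = []
    for line in _unfold(text) + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")        # "attr:: <base64>" form
        current.append((name.strip(), (rest[1:] if is_b64 else rest).strip(), is_b64))
    return entries


def get(entry: Entry, name: str) -> str:
    """First value of an attribute (attribute names are case-insensitive)."""
    return next((v for n, v, _ in entry if n.lower() == name.lower()), "")


def rewrite_parent(entries: List[Entry], old_parent: str, new_parent: str) -> List[Entry]:
    """Re-home every entry sitting directly under old_parent to new_parent."""
    suffix = "," + old_parent.lower()
    out: List[Entry] = []
    for entry in entries:
        rewritten: Entry = []
        for name, value, b64 in entry:
            if name.lower() == "dn" and not b64 and value.lower().endswith(suffix):
                value = value[: -len(suffix)] + "," + new_parent
            rewritten.append((name, value, b64))
        out.append(rewritten)
    return out


def drop_system_accounts(entries: List[Entry], min_id: int = 1000) -> List[Entry]:
    """Keep only regular accounts/groups (uidNumber or gidNumber >= min_id);
    root, daemon and friends should stay in the local files, not in LDAP."""
    kept: List[Entry] = []
    for entry in entries:
        ident = get(entry, "uidNumber") or get(entry, "gidNumber")
        if ident.isdigit() and int(ident) < min_id:
            continue
        kept.append(entry)
    return kept


def format_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF with one blank line between entries."""
    blocks = ["\n".join(f"{n}:: {v}" if b else f"{n}: {v}" for n, v, b in e) for e in entries]
    return "\n\n".join(blocks) + "\n"


def migrate(text: str, old_parent: str, new_parent: str, min_id: int = 1000) -> str:
    """Whole pipeline: parse, drop system accounts, move under the new parent."""
    return format_ldif(rewrite_parent(drop_system_accounts(parse_ldif(text), min_id), old_parent, new_parent))


if __name__ == "__main__":
    print(migrate(GROUP_LDIF, "ou=Group,dc=padl,dc=com", "ou=Groups,dc=edu,dc=example,dc=org"))
    print(migrate(PASSWD_LDIF, "ou=People,dc=padl,dc=com", "ou=People,dc=edu,dc=example,dc=org"))
```

Feed the output to the ldapadd commands above exactly as the page does. The 1000 cut-off is the first regular uid/gid on Debian and Ubuntu; adjust min_id if your site numbers accounts differently.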
1.4 Using the LDAP server management tool ldapscripts
(1) Install
sudo apt-get install ldapscripts
(2) Edit the configuration file /etc/ldapscripts/ldapscripts.conf (the relevant settings):
# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=edu,dc=example,dc=org"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=edu,dc=example,dc=org" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=People" # Users ou (just under $SUFFIX)
#MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
PASSWORDGEN="<ask>"
Note: to match the configuration above (these values were highlighted in red in the original), write the password into ldapscripts.passwd with: echo -n 'example' > /etc/ldapscripts/ldapscripts.passwd. As the comment in the file warns, the file must not be world-readable.
(3) Usage
sudo ldapaddgroup testgroup
sudo ldapadduser testuser testgroup
sudo ldapsetpasswd testuser
(4) Test
getent passwd
getent group
2. LDAP client installation and configuration
2.1 Install the related packages with apt-get
sudo apt-get install libnss-ldapd libpam-ldapd
During installation the wizard asks for the LDAP server IP and the corresponding base DN; at the end, under "nss services", tick group and passwd.
Note: on Ubuntu the LDAP client configuration files are /etc/nslcd.conf and /etc/nsswitch.conf; all of the settings above can be changed in those files at any time. After editing, restart the service: service nslcd restart
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/
# The search base that will be used for all queries.
base dc=edu,dc=example,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
2.2 Once installation and configuration are done, verify that the LDAP server can be reached with the following commands
getent passwd
getent group
If the users and groups from the LDAP server are not listed correctly, check the following:
① Is the LDAP server running?
② Is the firewall on the LDAP server off (or allowing LDAP)?
③ Is the LDAP server IP configured on the client correct, and can it be pinged?
④ Is the base DN configured on the client correct?
⑤ Wrong port
⑥ Wrong version
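Items ③, ④ and ⑤ of that checklist can be checked mechanically from the two client files. The following added example (not from the page or from nslcd) parses nslcd.conf and nsswitch.conf, confirms that the search base matches the server's olcSuffix from section 1.2, that the URI points at a standard LDAP port and, when connect=True, that a TCP connection to it succeeds, and that passwd and group in nsswitch.conf actually consult ldap. The NSLCD_CONF and NSSWITCH_CONF strings are constructed from the page's files; EXPECTED_BASE is the suffix used throughout the page.

```python
import socket
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed samples of the two client files shown on this page.
NSLCD_CONF = """\
# /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=edu,dc=example,dc=org
#ldap_version 3
"""

NSSWITCH_CONF = """\
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
"""

EXPECTED_BASE = "dc=edu,dc=example,dc=org"   # the server's olcSuffix from section 1.2


def parse_nslcd(text: str) -> Dict[str, List[str]]:
    """nslcd.conf is 'keyword value' per line; a keyword may repeat (e.g. uri)."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out.setdefault(key.lower(), []).append(value.strip())
    return out


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """nsswitch.conf is 'database: source source ...'; '#' starts a comment."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        out[db.strip()] = sources.split()
    return out


def ldap_endpoint(uri: str) -> Tuple[str, int, str]:
    """(host, port, scheme) for an ldap:// or ldaps:// URI; port defaults to 389/636."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    port = parsed.port or (636 if scheme == "ldaps" else 389)
    return parsed.hostname or "", port, scheme


def _normalize_dn(dn: str) -> str:
    return dn.replace(" ", "").lower()


def check_client_config(nslcd_text: str, nsswitch_text: str, expected_base: str,
                        connect: bool = False) -> List[str]:
    """Return findings for checklist items ③ (address), ④ (base) and ⑤ (port),
    plus nsswitch databases that never consult ldap. Empty list means all good."""
    findings: List[str] = []
    conf = parse_nslcd(nslcd_text)
    nss = parse_nsswitch(nsswitch_text)
    uris = conf.get("uri", [])
    if not uris:
        findings.append("nslcd.conf: no 'uri' line, nslcd has no server to talk to")
    for uri in uris:
        host, port, scheme = ldap_endpoint(uri)
        if port not in (389, 636):
            findings.append(f"{uri}: non-standard port {port}, confirm slapd listens there")
        if connect:   # network check, off by default so the example runs offline
            try:
                with socket.create_connection((host, port), timeout=3):
                    pass
            except OSError as exc:
                findings.append(f"{uri}: cannot connect to {host}:{port} ({exc})")
    bases = conf.get("base", [])
    if not bases:
        findings.append("nslcd.conf: no 'base' line")
    elif _normalize_dn(bases[0]) != _normalize_dn(expected_base):
        findings.append(f"nslcd.conf: base {bases[0]!r} does not match server suffix {expected_base!r}")
    for db in ("passwd", "group"):
        if "ldap" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list ldap, so getent {db} never queries LDAP")
    return findings


if __name__ == "__main__":
    for finding in check_client_config(NSLCD_CONF, NSSWITCH_CONF, EXPECTED_BASE) or ["client config looks consistent"]:
        print(finding)
```

On a real client, read the two files from /etc and run with connect=True; an empty result leaves items ①, ② and ⑥ (server not running, firewall, protocol version) as the remaining suspects, and for those the logs are the place to look, as reference ③ below says.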
-----------------------------------------------
[Notes]
① libnss-ldap is used for name resolution; libpam-ldap is used by PAM to authenticate users through LDAP.
[References]
① http://labs.opinsys.com/blog/2010/01/27/setting-up-openldap-on-ubuntu-10-04-alpha2/ reference document with both server and client on Ubuntu
② http://forum.ubuntu.org.cn/viewtopic.php?p=2225140 detailed installation procedure (server and client) for 10.04 and later
③ http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client points out that when something goes wrong you should look at the logs!!
④ http://www.dasairen.com/Centos/18520711220.html manually adding logging to the LDAP service