
OpenLDAP server installation and configuration

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. OpenLDAP installation methods

There are generally two ways to install OpenLDAP on a UNIX-like distribution: compile it from source, or install the rpm package that ships with the distribution media. Both methods are described below, but I still recommend the rpm installation because it is convenient and quick. Installing the OpenLDAP server requires the daemon and the traditional OpenLDAP management tools, mainly the slapd and ldap-utils packages.

My installation environment is CentOS 6.7 64-bit. Please see my blog post on environment preparation before installing.

1. Install from packages

# yum installation
yum install openldap openldap-* -y
# initialize the configuration file
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# initialize the database configuration file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# fix ownership
chown -R ldap.ldap /etc/openldap
chown -R ldap.ldap /var/lib/ldap

By default the OpenLDAP service listens on port 389. This port transmits data in clear text, so the data is not protected. Encrypted transport can be achieved by configuring a CA and combining it with TLS/SASL; the port used then is 636. I will introduce that process later.

2. Compile and install from source

Compiling OpenLDAP requires database support: the OpenLDAP back end can be stored by database software such as Berkeley DB (BDB), Oracle, MySQL, MariaDB, GDBM and so on. By default OpenLDAP uses Berkeley DB as the back-end storage engine, and OpenLDAP has requirements on the Berkeley DB version. OpenLDAP 2.4, for example, requires Berkeley DB 4.4 or above, so when compiling from the OpenLDAP source package you need to download the Berkeley DB source package first and compile and install it.

Berkeley DB is an open source database system developed by Sleepycat Software in the United States. It is a high-performance embedded database programming library. It can store any type of key/value pairs, one key can hold multiple values, and it supports highly concurrent online queries.

I'm sorry, but this part of the installation is complicated, so I won't show it here. If anyone wants to know, leave me a message. Thank you.

II. OpenLDAP configuration

The system I use is the CentOS 6 series, whose OpenLDAP is quite different from that of the CentOS 5 series. The old version of OpenLDAP reads the configuration file slapd.conf, but the new version (the version I tested is 2.4.40) no longer reads that file; it reads its configuration from the slapd.d directory (usually in the same directory as slapd.conf). We need to delete the data in that directory and then regenerate the configuration data from what we configured in slapd.conf. This is probably also the main reason for the "ldap_bind: Invalid credentials (49)" error when you run ldap commands after starting the service. For how to regenerate the configuration data, see the experimental steps below.

1. slapd.conf configuration file parameters

The following is my configuration file; the lines beginning with # are explanations I added. Change the domain name to your own according to your situation. If you don't know what dn, cn and dc stand for, please see the theory post on my blog.

[root@mldap ~]# egrep -v "#|^$" /etc/openldap/slapd.conf
# the include lines list the schema files loaded by the current OpenLDAP service
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/openssh-lpk-openldap.schema
# client protocol versions the OpenLDAP service accepts
allow bind_v2
# path of the pid file written when the OpenLDAP process starts
pidfile /var/run/openldap/slapd.pid
# path of the OpenLDAP argument file
argsfile /var/run/openldap/slapd.args
# transport encryption (TLS) configuration
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=wzlinux,dc=com" read
    by * none
# OpenLDAP database type
database bdb
# domain name (DN) suffix served by this OpenLDAP service
suffix "dc=wzlinux,dc=com"
# checkpoint <kbytes> <minutes>; the second value is not legible in the source, 15 is the CentOS default
checkpoint 1024 15
# OpenLDAP service administrator
rootdn "cn=admin,dc=wzlinux,dc=com"
# administrator password; generate the hash with slappasswd -s your_password
rootpw {SSHA}hjqcrGsPL6H58QAS0QHBvihVS7x2HHKG
# directory holding the OpenLDAP database files
directory /var/lib/ldap
# OpenLDAP indexes
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

2. Start the service and query

service slapd start

To query LDAP directory entries, let's first introduce the ldapsearch command; its full options can be viewed in the man page.

-b: specify the node to look for

-D: specify the DN to bind as for the query

-x: use simple authentication

-W: prompt for the password; alternatively use -w password

-h: host address of the OpenLDAP server, as an IP or a domain name

-H: use the URI address of the LDAP server to operate

[root@mldap ~]# ldapsearch -x -D "cn=admin,dc=wzlinux,dc=com" -H ldap://192.168.2.10 -W
Enter LDAP Password:          # the password we hashed into slapd.conf
ldap_bind: Invalid credentials (49)

We see an error. The problem is not a wrong password: the new version of LDAP reads its configuration from the configuration database (slapd.d), not from our configuration file (slapd.conf). So we have to delete the generated configuration database and regenerate it from slapd.conf, and this has to be done every time the configuration file is modified.

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart

Then query again to see whether the result is normal. We see "No such object" because we haven't added any data yet, so the query returns nothing; this shows the configuration is working.

[root@mldap ~]# ldapsearch -x -D "cn=admin,dc=wzlinux,dc=com" -h 192.168.2.10 -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

3. Add data to the LDAP server

There are four ways to add user data to LDAP, listed below; we use the fourth for this experiment.

1) Modify the data files under the slapd.d directory directly. The advantage is that no service restart is needed; changes take effect directly.

2) Install the open source migrationtools package to generate LDIF files, then add them with ldapadd.

3) Install an LDAP client, which is the easiest way.

4) Edit the LDIF file by hand, then add it with ldapadd.

First we edit base.ldif by hand. Watch the format: entries are separated by an empty line, and copying the text from this page may leave a space on that line, which breaks the file. Delete the leading space in the blank line between entries.

[root@mldap ~]# vim base.ldif
dn: dc=wzlinux,dc=com
objectClass: organization
objectClass: dcObject
dc: wzlinux
o: wzlinux

dn: ou=people,dc=wzlinux,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=wzlinux,dc=com
objectClass: top
objectClass: organizationalUnit
ou: group
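The "blank line with a space" problem is worth checking mechanically: in LDIF a line that starts with a space continues the previous line, so a separator that is " " instead of empty glues two entries together and ldapadd rejects the result. The checker below is an added example, not part of the original post; it parses a constructed copy of base.ldif with one bad separator and shows how to find and normalize it.

```python
# Added example (not from the original post): detect whitespace-only
# separator lines in LDIF and show their effect on entry splitting.
# SAMPLE_LDIF is a constructed copy of base.ldif whose second separator
# is a single space instead of an empty line.
SAMPLE_LDIF = (
    "dn: dc=wzlinux,dc=com\n"
    "objectClass: organization\n"
    "objectClass: dcObject\n"
    "dc: wzlinux\n"
    "o: wzlinux\n"
    "\n"
    "dn: ou=people,dc=wzlinux,dc=com\n"
    "objectClass: top\n"
    "objectClass: organizationalUnit\n"
    "ou: people\n"
    " \n"                       # the bad separator (line 11)
    "dn: ou=group,dc=wzlinux,dc=com\n"
    "objectClass: top\n"
    "objectClass: organizationalUnit\n"
    "ou: group\n"
)

def find_space_only_lines(text):
    """1-based numbers of lines that contain only whitespace (bad separators)."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if line and line.strip() == ""]

def parse_entries(text):
    """Split LDIF into entries using the RFC 2849 rule that a line starting
    with a space continues the previous line. Returns a list of attribute
    line lists, one per entry."""
    entries, current = [], []
    for line in text.splitlines():
        if line == "":                              # real separator
            if current:
                entries.append(current)
                current = []
        elif line.startswith(" ") and current:      # folded continuation
            current[-1] += line[1:]
        elif not line.startswith("#"):
            current.append(line)
    if current:
        entries.append(current)
    return entries

def normalize(text):
    """Turn whitespace-only lines into real empty separators."""
    return "\n".join("" if l.strip() == "" else l for l in text.splitlines()) + "\n"

def dns(text):
    """DN of each parsed entry, for a quick sanity check before ldapadd."""
    return [e[0][4:] for e in parse_entries(text) if e[0].startswith("dn: ")]
```

On the raw sample the parser sees only two entries, because the space line joins the ou=people and ou=group records; after normalize() it sees the expected three.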

Import the data with ldapadd; its man page shows that most of its options are the same as those of ldapsearch, so we use it directly here.

[root@mldap ~]# ldapadd -x -D "cn=admin,dc=wzlinux,dc=com" -w 123456a -h 192.168.2.10 -f base.ldif
adding new entry "dc=wzlinux,dc=com"
adding new entry "ou=people,dc=wzlinux,dc=com"
adding new entry "ou=group,dc=wzlinux,dc=com"

The feedback shows the addition succeeded. Querying from another machine with the client installed, we see the result matches our base.ldif.

[root@test01 ~]# ldapsearch -x -D "cn=admin,dc=wzlinux,dc=com" -w 123456a -h 192.168.2.10 -b "dc=wzlinux,dc=com" -LLL
dn: dc=wzlinux,dc=com
objectClass: organization
objectClass: dcObject
dc: wzlinux
o: wzlinux

dn: ou=people,dc=wzlinux,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=wzlinux,dc=com
objectClass: top
objectClass: organizationalUnit
ou: group

Then we add a user and a group through user.ldif and group.ldif.

[root@mldap ~]# cat user.ldif group.ldif
dn: uid=test1,ou=people,dc=wzlinux,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
# shadowAccount is assumed here: the object class name is garbled in the source,
# and the shadow* attributes below require it
objectClass: shadowAccount
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
# gidNumber is required by posixAccount and is missing in the source; the DBA group's gid is assumed
gidNumber: 10673
userPassword:: e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9

dn: cn=DBA,ou=group,dc=wzlinux,dc=com
objectClass: posixGroup
objectClass: top
cn: DBA
memberUid: test1
gidNumber: 10673

After reviewing them, add the group and then the user.

[root@mldap ~]# ldapadd -x -D "cn=admin,dc=wzlinux,dc=com" -w 123456a -h 192.168.2.10 -f group.ldif
adding new entry "cn=DBA,ou=group,dc=wzlinux,dc=com"
[root@mldap ~]# ldapadd -x -D "cn=admin,dc=wzlinux,dc=com" -w 123456a -h 192.168.2.10 -f user.ldif
adding new entry "uid=test1,ou=people,dc=wzlinux,dc=com"

Then use the following command to check that the entries were added successfully.

ldapsearch -x -D "cn=admin,dc=wzlinux,dc=com" -w 123456a -h 192.168.2.10 -b "dc=wzlinux,dc=com" -LLL

Typing all of that for every query is tedious. We can add two lines to the client configuration file /etc/openldap/ldap.conf instead.

BASE dc=wzlinux,dc=com
# set up the hosts file for this name in advance
URI ldap://ldap.wzlinux.com

4. Define user policy control through slapd.conf

By default, OpenLDAP users are not allowed to change their own passwords; only the administrator has permission to change them. To improve the security of personal accounts, users need to be able to modify and update their password without administrator intervention. The steps are as follows.

1) Define the access control policy.

Edit slapd.conf, find the access lines, and add the following.

# only the entry itself may modify its password attributes
access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
# allow authorized users to view information
access to *
    by * read
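slapd evaluates access directives in order: the first "access to" whose target matches the request wins, and inside it the first matching "by" clause decides the level, with anything unmatched falling to the implicit "by * none". The evaluator below is an added example, not part of the original post or of OpenLDAP; it models only the subset of the syntax used above (attrs=, *, self, users, anonymous, a literal DN) so you can see what the two rules grant before regenerating slapd.d. Note that rootdn bypasses these rules entirely.

```python
# Added example (not from the original post): evaluate the post's ACL the way
# slapd walks it, to check what each requester is actually granted.
# Privilege order used by slapd, weakest first.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two rules from slapd.conf above: (attrs or None for "*", [(who, level), ...]).
ACL = [
    ({"shadowLastChange", "userPassword"}, [("self", "write"), ("*", "auth")]),
    (None, [("*", "read")]),
]

def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to this requester? bind_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return who.lower() == (bind_dn or "").lower()       # literal dn.exact

def granted_level(acl, bind_dn, target_dn, attr):
    """First matching 'access to' wins; within it the first matching 'by' wins.
    No matching 'by' means the implicit 'by * none'."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"

def allowed(acl, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

USER = "uid=test1,ou=people,dc=wzlinux,dc=com"
if __name__ == "__main__":
    print(allowed(ACL, USER, USER, "userPassword", "write"))   # user may change own password
    print(allowed(ACL, None, USER, "userPassword", "auth"))    # anonymous may still bind
    print(allowed(ACL, None, USER, "userPassword", "read"))    # hash is never readable
    print(allowed(ACL, None, USER, "loginShell", "read"))      # "by * read" includes anonymous
```

The last line is the point to weigh: "by * read" on everything else lets unauthenticated clients enumerate the directory; "by users read" would limit that to bound accounts.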

2) Regenerate the configuration database and restart the service.

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/
service slapd restart

5. Log configuration

Add the following to /etc/openldap/slapd.conf, and remember to regenerate the configuration database afterwards.

loglevel 256
cachesize 1000
checkpoint 2048 10

Add the following line to /etc/rsyslog.conf, then restart the rsyslog service.

local4.*    /var/log/slapd.log
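With loglevel 256 the log records each connection, bind and result, which is enough to spot the "Invalid credentials (49)" failures from earlier at scale. The script below is an added example, not part of the original post; the log lines are constructed samples in slapd's stats format, and the alert threshold is an assumed value.

```python
# Added example (not from the original post): correlate slapd stats lines
# (loglevel 256 written to /var/log/slapd.log) to count failed binds per
# client IP and bind DN. The sample lines are constructed.
import re
from collections import Counter

SAMPLE_LOG = """\
Feb 27 10:00:01 mldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.2.11:45678 (IP=0.0.0.0:389)
Feb 27 10:00:01 mldap slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=wzlinux,dc=com" method=128
Feb 27 10:00:01 mldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Feb 27 10:00:02 mldap slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.168.2.11:45680 (IP=0.0.0.0:389)
Feb 27 10:00:02 mldap slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=wzlinux,dc=com" method=128
Feb 27 10:00:02 mldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Feb 27 10:00:03 mldap slapd[1234]: conn=1002 fd=14 ACCEPT from IP=192.168.2.20:50001 (IP=0.0.0.0:389)
Feb 27 10:00:03 mldap slapd[1234]: conn=1002 op=0 BIND dn="uid=test1,ou=people,dc=wzlinux,dc=com" method=128
Feb 27 10:00:03 mldap slapd[1234]: conn=1002 op=0 BIND dn="uid=test1,ou=people,dc=wzlinux,dc=com" mech=SIMPLE ssf=0
Feb 27 10:00:03 mldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

# conn= ties ACCEPT (which carries the client IP) to the later BIND/RESULT lines.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag=97 = bind response

def failed_binds(log_text):
    """Counter of (client_ip, bind_dn) for binds that ended with err=49."""
    conn_ip, pending, failures = {}, {}, Counter()
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if m.group(3) == "49" and key in pending:
                failures[(conn_ip.get(key[0], "?"), pending[key])] += 1
            pending.pop(key, None)
    return failures

def noisy_sources(log_text, threshold=2):
    """Client IPs with at least `threshold` failed binds (assumed alert level)."""
    per_ip = Counter()
    for (ip, _dn), n in failed_binds(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```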

6. OpenLDAP log rotation configuration

The OpenLDAP log is rotated with logrotate so that it does not grow too large, which would make troubleshooting and performance analysis inconvenient. The following custom script rotates the log once it exceeds 10MB. The script is as follows.

#!/bin/bash
# rotate OpenLDAP logs through logrotate
#
FILE=/var/log/slapd.log
if [ ! -f $FILE ]; then
    /bin/touch $FILE && /bin/chmod 666 $FILE && /usr/bin/chattr +a $FILE &>/dev/null
fi
cat > /etc/logrotate.d/ldap
# (the logrotate stanza written by this cat is cut off in the source)
