
How to install and configure OpenLDAP

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

The editor shares with you how to install and configure OpenLDAP. Most people do not know much about it, so this article is offered for your reference; I hope you learn a lot from reading it. Let's get to know it!

I. A brief introduction to OpenLDAP

OpenLDAP is a free and open source implementation of the Lightweight Directory Access Protocol (LDAP), distributed under its own OpenLDAP Public License, and is included in many popular Linux distributions.

Using the Lightweight Directory Access Protocol (LDAP) to build a centralized authentication system reduces management costs, enhances security, avoids the problem of data replication, and improves data consistency.

In practice, LDAP is usually used to build a unified account management and authentication platform, on top of which a single sign-on (SSO) mechanism is implemented.

II. Preface

I learned about LDAP when the company was preparing to implement unified user identity authentication. I had no concept of it before, and the basic, theoretical material I found on the Internet was simply too abstract. Later I thought it over: since I had a rough grasp of the theory, I would get ldap running first before anything else. If I ran into a problem while doing it, I would go back and consult the material, and perhaps I would understand it slowly.

When building OpenLDAP for the first time, I consulted a lot of forums and blog posts and found that many are incomplete or stop halfway. With installation and configuration problems, I always wasted a large part of my time wandering through the major search engines looking for the cure, which was quite painful. What follows combines what netizens and I tried and explored, summarized into an article in the hope that it helps friends who need it.

Configure the environment:

Server operating system: CentOS 6.5 x86_64; RHEL/SUSE should be similar

OpenLDAP version: OpenLDAP 2.4

In fact, unless you have very strict requirements on LDAP's build parameters, installing with yum is recommended, because it pulls in the dependent environment and the features are very comprehensive. For beginners it is strongly recommended to use yum for the first installation.

Prepare the environment:

Ensure that SELinux is turned off:

# getenforce

1. Temporarily shut down:

# setenforce 0

2. Permanently close:

# vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled and restart the machine.

Set iptables firewall rules:

# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After reloading the rules, iptables -L shows the following:

# iptables -L
ACCEPT     tcp  --  anywhere        anywhere        state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere        anywhere        state NEW tcp dpt:http
ACCEPT     tcp  --  192.168.1.0/24  anywhere        state NEW tcp dpt:ldap
ACCEPT     tcp  --  192.168.1.0/24  anywhere        state NEW tcp dpt:ldaps

Synchronize system time:

# ntpdate time.nist.gov

III. Install the OpenLDAP service

1. Yum installs the required software

# yum install -y openldap-*
# yum install -y compat-openldap    # this package matters a lot for the master-slave configuration

2. Prepare the configuration file after the installation is complete

# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

OpenLDAP related configuration files:

/etc/openldap/slapd.conf    master configuration file: administrator dn, password, log configuration, permissions and other settings

3. Create a LDAP administrator password

LDAP supports plaintext passwords, but we strongly recommend using an encrypted (hashed) password. Create one with the slappasswd command, which returns a string of ciphertext; copy and save it first, then use it in the LDAP configuration file.

PS: the password I entered here is: ldap

# slappasswd
New password:
Re-enter new password:
{SSHA}5EkFHScR0hN0r3oRhd0aP4tyJ0ByopCd
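What that slappasswd output actually is, as an added worked example (not code from the article or from OpenLDAP): the {SSHA} value is base64(SHA-1(password + salt) + salt) with a 4-byte salt, and slapd verifies a simple bind by recomputing it. The function names are my own.

```python
import base64
import hashlib
import hmac
import os

# slappasswd's default scheme is {SSHA}: "{SSHA}" + base64(SHA-1(password + salt) + salt).
# slapd generates a 4-byte salt; a SHA-1 digest is always 20 bytes, so the remainder is salt.
SALT_LEN = 4
DIGEST_LEN = 20


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value in the form slapd accepts for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split an {SSHA} value into (digest, salt); None if it is not a well-formed {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value the way slapd does on a simple bind."""
    parts = ssha_parts(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def is_hashed_rootpw(value):
    """True when a rootpw value uses a password scheme rather than cleartext like 'rootpw secret'."""
    return value.startswith(("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}"))


if __name__ == "__main__":
    h = ssha_hash("ldap")    # same input as the article's slappasswd run; salt differs each time
    print(h, ssha_verify("ldap", h), ssha_verify("wrong", h))
```

Because the salt is random, running slappasswd twice on the same password gives two different strings that both verify; is_hashed_rootpw is the check to run over slapd.conf before deploying it.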

4. Enter the /etc/openldap directory and edit the slapd.conf configuration file.

The main items to change are suffix, rootdn and rootpw; rootdn is the OpenLDAP administrator account.

Optimization:

checkpoint 2048 10    # controls when data held in memory is written back to the data file: a checkpoint (a write to the data file) is performed every 2048 KB of log data or every 10 minutes, whichever comes first

cachesize 1000    # sets the number of entries that LDAP can cache

# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.ori
# vi /etc/openldap/slapd.conf
...
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=test,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=test,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}5EkFHScR0hN0r3oRhd0aP4tyJ0ByopCd
...

Save and exit.

Of course, you can also set a plaintext password, in the form of the commented-out "rootpw secret" line above, but this is not recommended.

5. BerkeleyDB configuration. Copy the DB_CONFIG file to the specified directory, otherwise an error will be reported later: warning - no DB_CONFIG file found in directory /var/lib/ldap

PS: by default, OpenLDAP uses the Berkeley database as its backend storage, which is already included in the openldap-servers package. Just copy the configuration file to the relevant directory.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

6. Delete all files in the /etc/openldap/slapd.d directory, otherwise an error will be reported later when using the ldapadd command

PS: by default, the /etc/openldap/slapd.d directory contains some default configuration files that must be deleted and then regenerated; this step is important.

This is due to compatibility issues between the 2.4 and 2.3 configuration file formats, see: http://www.openldap.org/doc/admin24/appendix-common-errors.html

# rm -rf /etc/openldap/slapd.d/*

7. Configure the appropriate directory permissions

# chown -R ldap:ldap /var/lib/ldap/
# chown -R ldap:ldap /etc/openldap/

8. Start the slapd service of LDAP and set it to boot.

# chkconfig slapd on
# service slapd start

9. Regenerate the configuration file under slapd.d

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded

Then re-grant permissions on the generated configuration files:

# chown -R ldap:ldap /etc/openldap/slapd.d

10. Restart the slapd service of LDAP

# service slapd restart

Use netstat -tulpn to check that the service started properly.

11. Enable SSL

# vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Note that the ldaps listener on port 636 also needs a server certificate and key configured in slapd.conf (TLSCertificateFile and TLSCertificateKeyFile); enabling SLAPD_LDAPS alone does not provide them.

We can now see the OpenLDAP listening ports:

Default listening port: 389 (plaintext data transfer)

Encrypted listening port: 636 (encrypted data transmission)

IV. Add logging to OpenLDAP with the following steps

1. Edit / etc/openldap/slapd.conf

# vim /etc/openldap/slapd.conf
loglevel 296

2. Edit / etc/rsyslog.conf

# vim /etc/rsyslog.conf
local4.*    /var/log/ldap.log

3. Restart the service

# service rsyslog restart
# service slapd restart

V. Migrate user data to OpenLDAP
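Once loglevel 296 and the local4.* rsyslog rule above are in place, /var/log/ldap.log records every connection, bind and result. The following is an added example (not part of the article) that reads such lines and flags repeated bind failures per client IP, which is the first thing worth watching on a directory that accepts simple binds from the network. The log lines are constructed samples and the function names are my own.

```python
import re
from collections import Counter

# loglevel 296 = 256 (stats: connections, operations, results) + 32 (search filter processing)
# + 8 (connection management). slapd logs to the LOCAL4 syslog facility by default, hence the
# local4.* rsyslog rule. Constructed sample lines (not from a real server) follow; in them
# tag=97 is a bindResponse and err=49 is invalidCredentials.
SAMPLE_LOG = """\
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.1.35:40001 (IP=0.0.0.0:389)
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 BIND dn="cn=Manager,dc=test,dc=com" method=128
Jun  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Jun  1 10:00:05 ldap slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.168.1.77:51000 (IP=0.0.0.0:389)
Jun  1 10:00:05 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=test,dc=com" method=128
Jun  1 10:00:05 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jun  1 10:00:06 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.1.77:51001 (IP=0.0.0.0:389)
Jun  1 10:00:06 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=Manager,dc=test,dc=com" method=128
Jun  1 10:00:06 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def bind_results(log_text):
    """Correlate ACCEPT, BIND and RESULT lines per connection; return [(ip, dn, method, err)]."""
    ip_of = {}      # conn id -> client IP from the ACCEPT line
    pending = {}    # (conn, op) -> (dn, method) for a BIND whose RESULT has not been seen yet
    events = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            ip_of[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = (m.group(3), int(m.group(4)))
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in pending:
                dn, method = pending.pop(key)
                events.append((ip_of.get(key[0], "?"), dn, method, int(m.group(3))))
    return events


def failed_binds_by_ip(log_text, threshold=2):
    """Count invalidCredentials (err=49) per client IP and return those at or above threshold."""
    counts = Counter(ip for ip, _dn, _method, err in bind_results(log_text) if err == 49)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_binds_by_ip(SAMPLE_LOG))   # {'192.168.1.77': 2}
```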

System users are normally stored in the /etc/passwd and /etc/shadow files, so we need to migrate that user data into the OpenLDAP database. LDAP, however, only accepts files in a specific format, namely .ldif files (which are also text files), so /etc/passwd and /etc/shadow cannot be imported directly. The easiest way is to use the migration kit provided by PADL, migrationtools, a set of scripts written in Perl. It used to be included in the openldap package, but it is no longer shipped with RedHat 6.5 and must be installed separately.

1. Install and configure migrationtools

# yum install -y migrationtools

2. Change to the migrationtools directory and do the basic configuration

# cd /usr/share/migrationtools/

Edit migrate_common.ph:

# vi migrate_common.ph
...
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";

# Default base
$DEFAULT_BASE = "dc=test,dc=com";
...

Save and exit. :-)

3. Generate ldif file

A. Use the migrate_base.pl script in the MigrationTools directory to generate the basic data structure

# ./migrate_base.pl > /tmp/base.ldif

Import the data:

## -w specifies the administrator password you set in slapd.conf, or use -W to enter the password interactively
## -f specifies the path to the data file
## the password we set earlier: ldap
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/base.ldif

Query the data that has been imported into the database:

# ldapsearch -x -H ldap://192.168.1.35 -b "dc=test,dc=com"

B. Use the migrate_passwd.pl and migrate_group.pl scripts in the MigrationTools directory to convert the users in /etc/passwd and /etc/group into ldif-format files, a data structure that ldap can recognize.

# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif

Import the data:

# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/passwd.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/group.ldif

C. In a real production environment, not every user in /etc/passwd and /etc/group should be managed by ldap; only the actual user accounts should be. So in production we follow these rules:

Delete all data in the ldap database:

# ldapdelete -x -D "cn=Manager,dc=test,dc=com" -w ldap -r "dc=test,dc=com"

Set up test users ldapuser01 and ldapuser02, and import these two users into ldap database

# useradd ldapuser01
# useradd ldapuser02
# passwd ldapuser01
# passwd ldapuser02

We only import the users we need into the ldap database:

# grep '^ldapuser' /etc/passwd > /tmp/passwd
# grep '^ldapuser' /etc/group > /tmp/group
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_passwd.pl /tmp/passwd > /tmp/passwd.ldif
# ./migrate_group.pl /tmp/group > /tmp/group.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/base.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/passwd.ldif
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/group.ldif

At this point, the users have been imported into the OpenLDAP database. Note that the passwd.ldif generated in /tmp contains the users' password hashes copied from /etc/shadow, so remove these temporary files once the import is done.
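The migrate scripts above turn selected passwd/group lines into LDIF. As an added example that is not the article's or the PADL tools' own code, here is a small Python version of that step: it keeps only the ldapuser accounts (the grep step) and emits entries in the same layout (ou=People and ou=Group under $DEFAULT_BASE). The sample passwd/group lines are constructed and the function names are my own.

```python
# Constructed sample lines in /etc/passwd and /etc/group format (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldapuser01:x:1001:1001::/home/ldapuser01:/bin/bash
ldapuser02:x:1002:1002:LDAP User Two:/home/ldapuser02:/bin/bash
"""
GROUP = """\
root:x:0:
ldapuser01:x:1001:
ldapuser02:x:1002:ldapuser01
"""
BASE = "dc=test,dc=com"   # $DEFAULT_BASE from migrate_common.ph


def select(text, prefix):
    """Same filter as `grep '^ldapuser' /etc/passwd`: keep only the accounts LDAP should manage."""
    return [line for line in text.splitlines() if line.startswith(prefix)]


def passwd_to_ldif(line, base=BASE):
    """One posixAccount entry under ou=People, laid out like migrate_passwd.pl output.
    migrate_passwd.pl also copies the {crypt} hash from /etc/shadow into userPassword;
    that is left out here because this example does not read /etc/shadow."""
    name, _pw, uid, gid, gecos, home, shell = line.split(":")
    cn = gecos.split(",")[0] or name
    attrs = [f"dn: uid={name},ou=People,{base}", f"uid: {name}", f"cn: {cn}",
             "objectClass: account", "objectClass: posixAccount", "objectClass: top",
             "objectClass: shadowAccount", f"loginShell: {shell}", f"uidNumber: {uid}",
             f"gidNumber: {gid}", f"homeDirectory: {home}"]
    return "\n".join(attrs) + "\n"


def group_to_ldif(line, base=BASE):
    """One posixGroup entry under ou=Group, with a memberUid for each listed member."""
    name, _pw, gid, members = line.split(":")
    attrs = [f"dn: cn={name},ou=Group,{base}", "objectClass: posixGroup", "objectClass: top",
             f"cn: {name}", f"gidNumber: {gid}"]
    attrs += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(attrs) + "\n"


def build_ldif(passwd_text, group_text, prefix="ldapuser"):
    """LDIF for the selected users and groups. The ou=People and ou=Group containers come
    from base.ldif (migrate_base.pl), which is why the article imports that file first."""
    entries = [passwd_to_ldif(l) for l in select(passwd_text, prefix)]
    entries += [group_to_ldif(l) for l in select(group_text, prefix)]
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_ldif(PASSWD, GROUP))   # feed the output to ldapadd -f
```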

VI. Install phpLDAPadmin

Install the EPEL repository

# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rp

Install phpLDAPadmin

# yum install -y phpldapadmin

Modify the phpldapadmin Apache configuration file (created automatically by the package) and add access permissions for your network:

# vim /etc/httpd/conf.d/phpldapadmin.conf

After the line "Allow from ::1" add:

Allow from 192.168.1    # change this to your own IP segment

Modify the phpLDAPadmin PHP configuration file to disable automatic login and set up the login configuration:

# vim /etc/phpldapadmin/config.php

# (line 398)
// $servers->setValue('login','attr','uid');

# (line 530)
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=test,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','dc=test,dc=com');
$servers->setValue('login','bind_pass','ldap');
$servers->setValue('server','tls',false);

Note that bind_pass stores the password in clear text in config.php, so make sure that file is readable only by the web server user.

After the configuration is complete, start apache

# chkconfig httpd on
# service httpd start

Then access it through the browser: http://192.168.1.35/ldapadmin/ (replace this IP with your own actual IP)

One thing to note here: the Login DN must be a full DN, not an RDN.

The password is the one we set earlier with the slappasswd command, that is, the password of the ldap administrator rootdn (Manager); with these, the login succeeds.

VII. Install LAM (a GUI tool similar to phpLDAPadmin, optional)

Download the ldap-account-manager package. What I downloaded here is the older version 4.6 (the latest version should be 6.0).

If there is no LAMP environment yet:

# yum install -y httpd php php-ldap php-gd
# unzip ldap-account-manager-4.6.RC1.zip
# mv ldap-account-manager-4.6.RC1 /var/www/html/lam
# chown -R apache:apache /var/www/html/lam

While you are at it, add a line to the /etc/httpd/conf.d/phpldapadmin.conf edited earlier:

# vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /lam /var/www/html/lam

Configuration

# cd /var/www/html/lam/config
# cp config.cfg_sample config.cfg
# cp lam.conf_sample lam.conf
# vim lam.conf
serverURL: ldap://192.168.1.35:389
admins: cn=Manager,dc=test,dc=com
treesuffix: dc=test,dc=com

Replace every other occurrence of dc=my-domain with your own dc=yourdomain.

Restart the httpd service

# service httpd restart

Then access it through the browser at http://192.168.1.35/lam, changing the IP to your own.

Then you can log in successfully through your Manager account and password.

That is the whole of the article "How to install and configure OpenLDAP". Thank you for reading! I believe you now have a certain understanding of it; I hope the content shared here helps you, and if you want to learn more, you are welcome to follow the industry information channel!


© 2024 shulou.com SLNews company. All rights reserved.
