
OpenLdap configuration and management

2025-01-18 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Server-side configuration

yum install openldap-servers

slapd configuration

Generate the hashed password for the rootdn with slappasswd (this post uses the {MD5} scheme):

[root@public-puppet01-P-Z ~]# slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}sBICuL/nbqxH63QBPkxqrw==

1、/etc/openldap/slapd.conf

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=chanjetoms,dc=com"
rootdn "cn=Manager,dc=chanjetoms,dc=com"
rootpw {MD5}sBICuL/nbqxH63QBPkxqrw==
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

database monitor

access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
access to *
    by * read

2、/etc/openldap/ldap.conf

BASE dc=chanjetoms,dc=com
URI ldap://10.10.10.10
TLS_CACERTDIR /etc/openldap/cacerts

[root@dns1 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dns1 openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@dns1 openldap]#

# enable monitoring
database monitor

Start:

[root@common0 ~]# service slapd start
Starting slapd: [OK]

Error report:

ldapadd: ldap_bind: Invalid credentials (49)

Solution:

slapd 2.4 reads its running configuration from /etc/openldap/slapd.d, so edits to slapd.conf (including the rootpw above) only take effect after slapd.d is regenerated from it:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/
chmod -R 000 /etc/openldap/slapd.d/
chmod -R u+rwX /etc/openldap/slapd.d/

Replication configuration

Master:

# Replicas of this database
replogfile /var/lib/ldap/replog
replica host=ldap.ops.com:389
    binddn="cn=Manager,dc=oms,dc=com"
    credentials=secret
    bindmethod=simple

Slave:

updatedn "cn=Manager,dc=oms,dc=com"
updateref ldap://ldap.ops.com:389/

Log on master (/usr/sbin/slapd -d 256)

2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 ACCEPT from IP=192.168.52.145:58109 (IP=0.0.0.0:389)
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 BIND dn="" method=128
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 RESULT tag=97 err=0 text=
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SRCH base="dc=oms,dc=com" scope=2 deref=0 filter="(objectClass=*)"
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=2 UNBIND
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 closed
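The log above is worth reading as a defender, and the Python below is an added example (not code from the original post) that does so: it correlates slapd's stats-level (-d 256 / loglevel 256) lines by conn= and op=, then reports anonymous binds that go on to search the directory, and binds that fail with err=49 (the same code as the ldapadd "Invalid credentials (49)" error earlier). The post's own session is exactly the first case: dn="" binds, then a scope=2 search on dc=oms,dc=com returns four entries, which the `access to * by * read` ACL in slapd.conf allows. The first seven sample lines are the post's log; the conn=1001 lines are constructed to show a failed bind.

```python
"""Correlate slapd stats-log lines per connection and flag anonymous reads
and failed binds. Added example, not code from the original post.
The conn=1000 lines are from the post; conn=1001 lines are constructed."""
import re

# slapd prefixes every connection message with conn=N and, for requests, op=M.
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<msg>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) deref=\d+ filter="(?P<filter>[^"]*)"')
SEARCH_RESULT_RE = re.compile(r"SEARCH RESULT tag=101 err=(?P<err>\d+) nentries=(?P<n>\d+)")
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(?P<err>\d+)")   # tag 97 = BindResponse

ERR_INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials

SAMPLE_LOG = [
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 ACCEPT from IP=192.168.52.145:58109 (IP=0.0.0.0:389)',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 BIND dn="" method=128',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 RESULT tag=97 err=0 text=',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SRCH base="dc=oms,dc=com" scope=2 deref=0 filter="(objectClass=*)"',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=2 UNBIND',
    '2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 closed',
    # constructed: a simple bind as the rootdn with a wrong password
    '2012-10-08 18:51:02 common0.ops.com slapd[13583]: conn=1001 fd=14 ACCEPT from IP=192.168.52.200:41022 (IP=0.0.0.0:389)',
    '2012-10-08 18:51:02 common0.ops.com slapd[13583]: conn=1001 op=0 BIND dn="cn=Manager,dc=oms,dc=com" method=128',
    '2012-10-08 18:51:02 common0.ops.com slapd[13583]: conn=1001 op=0 RESULT tag=97 err=49 text=',
    '2012-10-08 18:51:02 common0.ops.com slapd[13583]: conn=1001 fd=14 closed (connection lost)',
]


def summarize(lines):
    """Return {conn: {"ip", "binds": [...], "searches": [...]}} for the lines."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue   # not a connection message (startup banners etc.)
        conn = int(m.group("conn"))
        op = int(m.group("op")) if m.group("op") is not None else None
        msg = m.group("msg")
        c = conns.setdefault(conn, {"ip": None, "binds": [], "searches": []})
        if (a := ACCEPT_RE.search(msg)):
            c["ip"] = a.group("ip")
        elif (b := BIND_RE.search(msg)):
            c["binds"].append({"op": op, "dn": b.group("dn"),
                               "method": int(b.group("method")), "err": None})
        elif (r := BIND_RESULT_RE.search(msg)):
            # RESULT for op=M answers the BIND that was issued as op=M
            for bind in c["binds"]:
                if bind["op"] == op and bind["err"] is None:
                    bind["err"] = int(r.group("err"))
        elif (s := SRCH_RE.search(msg)):
            c["searches"].append({"op": op, "base": s.group("base"),
                                  "filter": s.group("filter"), "nentries": None})
        elif (sr := SEARCH_RESULT_RE.search(msg)):
            for srch in c["searches"]:
                if srch["op"] == op and srch["nentries"] is None:
                    srch["nentries"] = int(sr.group("n"))
    return conns


def findings(conns):
    """Human-readable findings: anonymous reads and invalid-credential binds."""
    out = []
    for conn, c in sorted(conns.items()):
        ip = c["ip"] or "unknown"
        for b in c["binds"]:
            if b["err"] == ERR_INVALID_CREDENTIALS:
                out.append(f'conn={conn} from {ip}: failed bind as dn="{b["dn"]}" '
                           f"(err=49 invalid credentials)")
        anonymous = any(b["dn"] == "" and b["err"] == 0 for b in c["binds"])
        if anonymous and c["searches"]:
            total = sum(s["nentries"] or 0 for s in c["searches"])
            out.append(f"conn={conn} from {ip}: anonymous bind followed by "
                       f"{len(c['searches'])} search(es) returning {total} entries")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a real file with `summarize(open("/var/log/slapd.log"))` (the path depends on your syslog setup); repeated err=49 results from one IP against the rootdn are the pattern to alert on, and the anonymous-read finding is the cue to tighten the `access to *` rule if the directory should not be world-readable.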


Client configuration

Running setup reports:

The /lib64/libnss_ldap.so.2 file was not found.
This file is required for LDAP support to work properly.
Install the nss-pam-ldapd package that provides this file.

# yum install nss-pam-ldapd

# vim /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

# vim /etc/sysconfig/authconfig

USEMKHOMEDIR=yes

USEPAMACCESS=no

CACHECREDENTIALS=yes

USESSSDAUTH=no

USESHADOW=yes

USEWINBIND=no

USESSSD=no

PASSWDALGORITHM=md5

FORCELEGACY=no

USEFPRINTD=no

USEHESIOD=no

FORCESMARTCARD=no

USELDAPAUTH=yes

USELDAP=yes

USECRACKLIB=yes

USEWINBINDAUTH=no

USESMARTCARD=no

USELOCAUTHORIZE=yes

USENIS=no

USEKERBEROS=no

USESYSNETAUTH=no

USESMBAUTH=no

USEDB=no

USEPASSWDQC=no

# vim /etc/openldap/ldap.conf

BASE dc=oms,dc=com
URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com

# vim /etc/pam_ldap.conf

BASE dc=oms,dc=com
URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com
pam_check_host_attr yes

# vim /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# nslcd.conf does not need to be configured. Caching services are provided by nscd, not nslcd.

# vim /etc/nslcd.conf

uid nslcd
gid ldap
uri ldap://ldap-master.ops.com ldap://ldap-slave.ops.com
base dc=oms,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

/etc/pam.d/system-auth-ac   # select "Use MD5 Passwords" in setup
/etc/pam.d/password-auth    # must also be configured before you can log in using LDAP


Error message:

[root@wade28 openldap]# service slapd restart
Stopping slapd: [OK]
Checking configuration files for slapd: [WARNING]
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix "dc=my-domain,dc=com".
config file testing succeeded
Starting slapd: [OK]

Solution:

This warning does not affect the LDAP authentication service; if you want to fix it anyway, execute the following commands:

[root@wade28 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap /var/lib/ldap

Or copy the example file from this location instead:

/usr/share/openldap-servers/DB_CONFIG.example


Installation package dependencies:

[root@h2]# rpm -ivh openldap-servers-2.3.43-12.el5.i386.rpm
error: Failed dependencies:
        libltdl.so.3 is needed by openldap-servers-2.3.43-12.el5.i386
        openldap = 2.3.43-12.el5 is needed by openldap-servers-2.3.43-12.el5.i386

Solution:

[root@h2]# rpm -ivh libtool-ltdl-devel-1.5.22-7.el5_4.i386.rpm libtool-ltdl-1.5.22-7.el5_4.i386.rpm
Preparing...                ########## [100%]
   1:libtool-ltdl           ########## [ 50%]
   2:libtool-ltdl-devel     ########## [100%]


[root@xiangjingdev40_v_o openldap]# slaptest -f slapd.conf -F slapd.d/
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix "dc=chanjetoms,dc=com".
bdb_db_open: database "dc=chanjetoms,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=chanjetoms,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Solution:

The database files do not exist yet because slapd has never been started with a directory it can write to; give the directory to the ldap user and start the service so it creates them:

chown ldap.ldap /var/lib/ldap
/etc/init.d/slapd start
ls -lh /var/lib/ldap/    # check whether the db files were generated

[root@www ldap]# slaptest -f /etc/openldap/slapd.conf
config file testing succeeded
