Linux环境下通过OpenLDAP实现用户的统一认证和管理

测试环境:

OpenLDAP Server <-------------------------------------------->OpenLDAP Client

ip:192.168.4.178                                                                 ip:192.168.4.177

Centos 6.4                                                                             Centos 6.4

hostname:openvpn                                                              hostname:openvpn-client

一、OpenLDAP Server的安装和配置

[[email protected] ~]# yum install -y openldap openldap-servers openldap-clients                                
[[email protected] ~]# cd /etc/openldap/
[[email protected] openldap]# mv slapd.d slapd.d-bak
[[email protected] openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
创建slappasswd密码:

[[email protected] ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX

[[email protected] openldap]# vi /etc/openldap/slapd.conf

suffix          "dc=test,dc=com"
rootpw          {SSHA}CoOOJ5NZCzKuWktw6t4lD76FsDgX9ItX    /将md5值粘贴到此

directory       /var/lib/ldap

[[email protected] openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded

[[email protected] openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[[email protected] openldap]#cd /var/lib/ldap

[[email protected] ldap]# chown ldap.ldap DB_CONFIG*

[[email protected] ldap]#cd

[[email protected] ~]# service slapd start
[[email protected] ~]#chkconfig slapd on

[[email protected] ldap]# ldapsearch -x -b "dc=test,dc=com"
ldap_sasl_bind(SIMPLE): Can‘t contact LDAP server (-1)

解决方法:
[[email protected]openvpn ldap]# vi /etc/sysconfig/ldap
SLAPD_LDAPI=no

[[email protected] ldap]# vi /etc/openldap/ldap.conf
base    dc=test,dc=com
uri     ldap://192.168.4.178

[[email protected] ldap]# service slapd restart
Stopping slapd: [  OK  ]
Starting slapd: [  OK  ]

[[email protected] ldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

创建用户ldapuser1,ldapuser2其密码分别为123456

[[email protected] ldap]# useradd ldapuser1
[[email protected] ldap]# echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[[email protected] ldap]# useradd ldapuser2
[[email protected] ldap]# echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.

安装migrationtools迁移本地用户到LDAP的工具包

[[email protected] ldap]# yum install -y migrationtools

[[email protected] ldap]# cd /usr/share/migrationtools/
[[email protected] migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.com";

# Default base
$DEFAULT_BASE = "dc=test,dc=com";

[[email protected] migrationtools]# ./migrate_base.pl > base.ldif

[[email protected] migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[[email protected] migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif   /迁移用户
[[email protected] migrationtools]# vi user.ldif
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$fiweB1Cv$UrLDDL9yWi8W7djPJQosXGEb3v5VbSmyhzRdunpWHJso0hysXeus9i0c87vY2CVQSb0ySU.Uv6moqzZBB1nF//
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$RK3zu0Np$2FssBfu3XJIeKOmJzyOmZgWoXk9npkpZquGvac0HoWbeB6A1aNjX.a2mxQhPIi6mhScV.PNTdE2AIs1l758GC1
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

[[email protected] migrationtools]# ./migrate_group.pl /etc/group ./group.ldif    /迁移组
[[email protected] migrationtools]# vi group.ldif

n: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 502

dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 503

[[email protected] ~]# ldapadd -D "cn=openvpn,dc=test.com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

解决方法:
[[email protected] ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"

[[email protected] ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

[[email protected] ~]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f /usr/share/migrationtools/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"

adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"

[[email protected] ~]# ldapsearch -x -b "dc=test.com"    /报错
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

解决方法:
[[email protected] ~]# ldapsearch -x -b "dc=test,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.com
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

# People, test.com
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, test.com
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZpd2VCMUN2JFVyTERETDl5V2k4VzdkalBKUW9zWEdFYjN2NVZ
 iU215aHpSZHVucFdISnNvMGh5c1hldXM5aTBjODd2WTJDVlFTYjB5U1UuVXY2bW9xelpCQjFuRi8v
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/ldapuser1

# ldapuser2, People, test.com
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFJLM3p1ME5wJDJGc3NCZnUzWEpJZUtPbUp6eU9tWmdXb1hrOW5
 wa3BacXVHdmFjMEhvV2JlQjZBMWFOalguYTJteFFoUElpNm1oU2NWLlBOVGRFMkFJczFsNzU4R0Mx
shadowLastChange: 15674
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldapuser2

# ldapuser1, Group, test.com
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 502

# ldapuser2, Group, test.com
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 503

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

二、OpenLDAP Client安装和配置

[[email protected] ~]# yum install openldap openldap-clients -y

[[email protected] ~]# yum install -y nss-pam-ldapd pam_ldap

[[email protected] ~]# vi /etc/openldap/ldap.conf

BASE dc=test,dc=com
URI ldap://192.168.4.178

[[email protected] ~]# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:         files ldap

[[email protected] ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

[[email protected] ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required     pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required     pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required     pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

[[email protected] ~]# service nslcd restart

[[email protected] ~]#chkconfig nslcd on

三、通过NFS实现LDAP用户/home的自动挂载

四、通过Phpldapadmin实现LDAP用户的WEB创建和管理

Linux环境下通过OpenLDAP实现用户的统一认证和管理

时间: 2024-11-03 22:22:38

Linux环境下通过OpenLDAP实现用户的统一认证和管理的相关文章

Linux环境下非root用户安装Python及相关库

以前在使用python的时候,都是使用root用户安装好的全局python,现在,因为root用户安装的Python版本太低,同时自己没有root权限去对全局Python升级,所以要在非root用户下安装自己指定的Python.因此,就重新整理了一份如何在Linux环境下使用非root用户安装python及其相关的库,以备不时之需. 安装python python版本库https://www.python.org/ftp/python/,此处我选择2.7.5版本的,在安装python的时候,使用

(1)Jenkins Linux环境下的简单搭建

(1)Jenkins Linux环境下的简单搭建 Jenkins是一个开源软件项目,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能. ----百度百科 这是一款基于Java开发的工具.种种原因,最近刚开始接触,决定研究一下.Jenkins的搭建方法不止一种,一下就是个人总结的其中一种,文章内容比较浅显,不足之处,欢迎指正. 首先,所需要准备的工具JDK.Maven.资料上显示JDK版本最好高于1.7,并没有研究1.7以下版本,所谓"没有实际调研,就没有发言权",在此就不做过多

mosquitto在Linux环境下的部署/安装/使用/测试

mosquitto在Linux环境下的部署 看了有三四天的的源码,(当然没怎么好好看了),突然发现对mosquitto的源码有了一点点感觉,于是在第五天决定在Linux环境下部署mosquitto. 使用传统源码安装步骤: 步骤1:http://mosquitto.org/files/source/官网下载源码,放到Linux环境中.解压后,找到主要配置文件config.mk,其中包含mosquitto的安装选项,需要注意的是,默认情况下mosquitto的安装需要OpenSSL(一个强大的安全

Linux环境下使用JFS文件系统

Linux环境下使用JFS文件系统 JFS是IBM公司为linux系统开发的一个日志文件系统.从IBM的实力及它对Linux的态度来看,JFS应该是未来日志文件系统中最具实力的一个文件系统. JFS提供了基于日志的字节级文件系统,该文件系统是为面向事务的高性能系统而开发的.JFS 能够在几秒或几 分钟内就把文件系统恢复到一致状态.JFS能够保证数据在任何意外宕机的情况下,不会造成磁盘数据的丢失与损坏. 一.JFS文件系统特点 1.存储空间更大 JFS 支持的最小文件系统是 16M 字节.最大文件

Linux环境下安装Tigase XMPP Server

Tigase是一种XMPP服务器,可以作为采用XMPP协议的各种IM(Instant Messeging)工具(如Pandion.Spark等)的服务器. 在Linux环境下安装Tigase的步骤如下: (1)下载安装文件 到https://projects.tigase.org/projects/tigase-server/files下载安装文件,我下载的是tigase-server-5.2.0-b3447-dist.tar.gz. (2)解压缩 创建一个文件夹,将tigase-server-

weblogic新建域-linux环境下

[[email protected] bin]#/oracle/middleware/wlserver_12.1/common/bin [[email protected] bin]# ./config.sh -mode=console <---------------------------------------------------------------------------------- Fusion Middleware 配置向导 ------------------------

深度分析LINUX环境下如何配置multi-path

首先介绍一下什么是多路径(multi-path)?先说说多路径功能产生的背景,在多路径功能出现之前,主机上的硬盘是直接挂接到一个总线(PCI)上,路径是一对一的关系,也就是一条路径指向一个硬盘或是存储设备,这样的一对一关系对于操作系统而言,处理相对简单,但是缺少了可靠性.当出现了光纤通道网络(Fibre Channle)也就是通常所说的SAN网络时,或者由iSCSI组成的IPSAN环境时,由于主机和存储之间通过光纤通道交换机或者多块网卡及IP来连接时,构成了多对多关系的IO通道,也就是说一台主机

【转载】linux环境下tcpdump源代码分析

linux环境下tcpdump源代码分析 原文时间 2013-10-11 13:13:02   原文链接   主题 Tcpdump 作者:韩大卫 @ 吉林师范大学 tcpdump.c 是tcpdump 工具的main.c, 本文旨对tcpdump的框架有简单了解,只展示linux平台使用的一部分核心代码. Tcpdump 的使用目的就是打印出指定条件的报文,即使有再多的正则表达式作为过滤条件.所以只要懂得tcpdump -nXXi eth0 的实现原理即可. 进入main之前,先看一些头文件 n

Linux环境下DB2 v9.7安装记录

本文用于说明在Linux环境下DB2 v9.7的安装步骤: 环境说明: 硬件环境:Lenovo E440, i7, 12GB, 500GB:虚拟设备:VMWare WorkStation 11 + RHEL5.6 X64:安装产品:IBM DB2 v9.7: 一.准备工作 首先,将DB2 v9.7的安装介质上传至服务器,并进行解压: 目前,手头的DB2 v9.7的安装介质是“v9.7fp6_linuxx64_server.tar.gz”,使用如下命令解压: tar -zxvf v9.7fp6_l