
Sunday, August 30, 2009

How to set up an LDAP login service – OpenLDAP Linux authentication howto

OpenLDAP login server

The previous post covered how to install an OpenLDAP server. This one covers how to turn that OpenLDAP server on Ubuntu into a login server, so that a single set of account data can be used to log in to several different servers.

Server-side setup first

Install the migration tools
sudo apt-get install migrationtools
Edit the migrate_common.ph settings file, located under /usr/share/perl5
sudo vi /usr/share/perl5/migrate_common.ph
Change the following two lines to match the server-side design (Perl needs straight double quotes here):
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
Now migrate the login data (replace /tmp with the location you prefer). The scripts live in /usr/share/migrationtools and need root to read /etc/shadow. With ETC_SHADOW set, migrate_passwd.pl copies every user's password hash into the LDIF, so create the files with a restrictive umask and delete them once the import is done:
sudo -i                         # root is needed to read /etc/shadow
cd /usr/share/migrationtools
umask 077                       # the LDIF files will contain password hashes
export ETC_SHADOW=/etc/shadow   # load shadow together with passwd
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
migrate_passwd.pl copies every account in /etc/passwd, root and the daemon accounts included. Delete those entries from passwd.ldif (and the matching system groups from group.ldif) before importing: system accounts must keep resolving locally, and root's password hash does not belong in a network directory.
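The following script is an added example, not part of migrationtools or of the original post. It lints the passwd.ldif produced above before it is handed to ldapadd, flagging system accounts that should stay local, duplicate uid or uidNumber values (easy to get when the files of several hosts are merged into one directory) and userPassword values that are not {scheme}-prefixed hashes. The sample LDIF it writes is constructed in the shape migrate_passwd.pl emits, with dummy hashes; the 1000 threshold for the first ordinary user is Ubuntu's default UID_MIN and is passed as a parameter.

```bash
#!/bin/bash
# Added example (not part of migrationtools): lint the passwd.ldif written by
# migrate_passwd.pl before it is fed to ldapadd. It flags
#   - system accounts (uidNumber below MIN_UID, root included) that should stay local,
#   - duplicate uid / uidNumber values (a real risk when several hosts' files are merged),
#   - entries with no password hash, or whose value is not a {scheme}-prefixed hash.
# Exit status: 0 when clean, 1 when anything was flagged.
set -u

lint_passwd_ldif() {   # lint_passwd_ldif FILE [MIN_UID]
    local ldif="$1" min_uid="${2:-1000}"
    awk -v min_uid="$min_uid" '
    function flush() {
        if (dn == "") return
        n_entries++
        if (uidn == "" || uidn + 0 < min_uid) { print "SYSTEM-OR-MISSING-UID " dn; bad++ }
        if (uid != "" && seen_uid[uid]++)     { print "DUP-UID " uid " " dn; bad++ }
        if (uidn != "" && seen_uidn[uidn]++)  { print "DUP-UIDNUMBER " uidn " " dn; bad++ }
        if (pw == "")                          { print "NO-PASSWORD " dn; bad++ }
        else if (pw == "base64")               { print "BASE64-PASSWORD (inspect by hand) " dn; bad++ }
        else if (pw !~ /^[{](crypt|CRYPT|md5|MD5|sha|SHA|ssha|SSHA)[}]/) { print "UNHASHED-PASSWORD " dn; bad++ }
        dn = uid = uidn = pw = ""
    }
    /^dn: /            { flush(); dn = substr($0, 5) }
    /^uid: /           { uid = substr($0, 6) }
    /^uidNumber: /     { uidn = substr($0, 12) }
    /^userPassword:: / { pw = "base64" }      # base64-encoded value: cannot tell what it holds
    /^userPassword: /  { pw = substr($0, 15) }
    /^$/               { flush() }            # blank line ends an LDIF entry
    END { flush(); printf "entries=%d findings=%d\n", n_entries, bad; exit (bad > 0) }
    ' "$ldif"
}

# Constructed sample entry in the shape migrate_passwd.pl emits (dummy hashes).
add_entry() {   # add_entry FILE NAME UIDNUMBER GIDNUMBER PASSWORD
    cat >> "$1" <<EOF
dn: uid=$2,ou=People,dc=example,dc=com
uid: $2
cn: $2
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: $5
loginShell: /bin/bash
uidNumber: $3
gidNumber: $4
homeDirectory: /home/$2

EOF
}

# write_sample_ldif FILE [clean]: "all" (default) includes a root entry and a
# duplicate-uidNumber user with a cleartext password; "clean" writes only good entries.
write_sample_ldif() {
    local out="$1" mode="${2:-all}"
    : > "$out"
    if [ "$mode" = all ]; then add_entry "$out" root 0 0 '{crypt}$6$constructed$notarealhash'; fi
    add_entry "$out" alice 1000 1000 '{crypt}$6$constructed$notarealhash'
    add_entry "$out" bob 1001 1001 '{crypt}$6$constructed$notarealhash'
    if [ "$mode" = all ]; then add_entry "$out" carol 1001 1002 'secret123'; fi
}

demo_dir=$(mktemp -d)
write_sample_ldif "$demo_dir/passwd.ldif"
lint_passwd_ldif "$demo_dir/passwd.ldif" || echo "fix passwd.ldif before running ldapadd"
rm -rf "$demo_dir"
```

On the constructed sample the lint reports root as a system account, carol's duplicated uidNumber 1001 and her unhashed password, and exits non-zero; delete or correct the flagged entries with a text editor, then re-run until it reports findings=0.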
Load them into the LDAP server one by one (-x selects a simple bind; -D must be the admin DN that dpkg-reconfigure created for your domain, cn=admin,dc=example,dc=com for the example used here). base.ldif begins with the dc=example,dc=com entry that slapd already created at install time, so pass -c to continue past the "Already exists" error for that single entry:
ldapadd -x -c -D "cn=admin,dc=example,dc=com" -W -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/group.ldif
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/hosts.ldif
rm -f /tmp/passwd.ldif          # the hashes now live in the directory; do not leave a copy in /tmp
Install the components required for authentication with apt-get:
sudo apt-get install libnss-ldap libpam-ldap libpam-cracklib
Modules required for authentication:
libnss-ldap – NSS module for using LDAP as a naming service
libpam-ldap – Pluggable Authentication Module allowing LDAP interfaces
libnss-ldapd – NSS module for using LDAP as a naming service (an alternative implementation to libnss-ldap; install one of the two, not both)
perdition-ldap – Library to allow perdition to access LDAP based popmaps (only needed if you run the perdition mail proxy; not required for logins)
libpam-cracklib – password strength checks for the common-password stack
A small fix for the PAM library: some tools still ask for pam_pwdb.so, which no longer exists, so point it at pam_unix.so in the module directory:
cd /lib/security && sudo ln -s pam_unix.so pam_pwdb.so
That completes the server-side setup.

Then the client-side setup

vi /etc/ldap.conf   # the libnss-ldap/libpam-ldap client file, not /etc/ldap/ldap.conf
host ldap.example.com
uri ldap://<server IP address>:389/
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,munin,mysql,news,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
The base must be the directory suffix rather than ou=People: migrate_base.pl put users under ou=People and groups under ou=Group, and a base of ou=People would leave every group lookup empty. The nss_base_* lines narrow each map to its own branch. Note also that a plain ldap:// URI sends each login's bind password across the network unencrypted; outside a lab, use uri ldaps://... or add ssl start_tls together with tls_checkpeer yes and a tls_cacertfile.
vi /etc/nsswitch.conf   # lookup order for each database
passwd: compat ldap
shadow: compat ldap
group: compat ldap
Keep the local source (compat or files) ahead of ldap, so that root and the system accounts still resolve when the LDAP server is unreachable and lookups of local accounts do not cost an LDAP round trip.
vi /etc/pam.d/common-account   # account checks
account sufficient pam_ldap.so
account required pam_unix.so
vi /etc/pam.d/common-auth   # login authentication
auth sufficient pam_ldap.so
auth requisite pam_unix.so nullok_secure try_first_pass
auth optional pam_smbpass.so migrate missingok
vi /etc/pam.d/common-password   # password changes
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password sufficient pam_ldap.so use_authtok try_first_pass
password required pam_unix.so nullok obscure sha512 use_authtok try_first_pass
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
pam_ldap is tried first and, being sufficient, authenticates LDAP users on its own; local accounts, root included, fall through to pam_unix, which also keeps root logins working when the server is down. The pam_smbpass lines only matter if libpam-smbpass is installed (missingok skips them otherwise). In common-password, pam_cracklib (installed above) checks the quality of the new password, and pam_unix stores local hashes with sha512; this replaces the older min=4 max=8 md5 options, which selected the weak MD5 hash and did no real quality checking.

Test the setup

getent passwd | grep <username>
Each migrated user now appears twice: once from the local /etc/passwd via compat and once from LDAP. That double entry is the sign that the client is reading the directory. Test an interactive login for an LDAP user from a second session while keeping a root shell open, and only then remove the migrated users from the local files so that the directory is the single copy. The client now uses central user management.
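As an added example (not from the original post), the script below audits a copy of the client files configured above: it reports when /etc/ldap.conf would send bind passwords in the clear or skip server-certificate verification, and when /etc/nsswitch.conf consults ldap before a local source. The sample files it writes are constructed; 192.0.2.10 stands in for the server address, and the hardened variant assumes a CA file at /etc/ssl/certs/example-ca.pem.

```bash
#!/bin/bash
# Added example: audit the client-side files from this post before enabling LDAP logins.
# Paths are parameters so the checks run against copies; the files written by
# write_sample_client_files are constructed, not captured from a real host.
set -u

# Return 0 when binds are protected (ldaps:// URI or 'ssl start_tls') and the server
# certificate is verified; print each finding and return 1 otherwise.
check_ldap_conf_transport() {   # check_ldap_conf_transport LDAP_CONF
    local conf="$1" uri ssl checkpeer rc=0
    # pam_ldap/nss_ldap keywords are case-insensitive; the last occurrence wins
    uri=$(awk 'tolower($1) == "uri" { v = $2 } END { print v }' "$conf")
    ssl=$(awk 'tolower($1) == "ssl" { v = tolower($2) } END { print v }' "$conf")
    checkpeer=$(awk 'tolower($1) == "tls_checkpeer" { v = tolower($2) } END { print v }' "$conf")
    case "$uri" in
        ldapi://*) return 0 ;;            # local Unix socket: nothing crosses the network
        ldaps://*) ;;                     # TLS from the first byte
        ldap://*|"")
            if [ "$ssl" != "start_tls" ]; then
                echo "CLEARTEXT: uri='${uri:-<none>}' without 'ssl start_tls'; every login's bind password is sent unencrypted"
                rc=1
            fi ;;
        *) echo "UNKNOWN-URI: $uri"; rc=1 ;;
    esac
    if [ "$checkpeer" != "yes" ]; then
        echo "NO-PEER-CHECK: add 'tls_checkpeer yes' and 'tls_cacertfile'; otherwise a man-in-the-middle can present any certificate"
        rc=1
    fi
    return $rc
}

# Return 0 when passwd, shadow and group each consult a local source (files or compat)
# before ldap, so root and the system accounts still resolve when the server is down.
check_nsswitch_order() {   # check_nsswitch_order NSSWITCH_CONF
    local conf="$1" db status rc=0
    for db in passwd shadow group; do
        status=$(awk -v db="$db" '
            $1 == (db ":") {
                for (i = 2; i <= NF; i++) {
                    if (substr($i, 1, 1) == "[") continue      # skip [NOTFOUND=return]-style actions
                    if (($i == "files" || $i == "compat") && !local_pos) local_pos = i
                    if ($i == "ldap" && !ldap_pos) ldap_pos = i
                }
                if (!ldap_pos) print "NO-LDAP-SOURCE"
                else if (!local_pos || local_pos > ldap_pos) print "LDAP-BEFORE-LOCAL"
                else print "OK"
                exit
            }' "$conf")
        if [ "${status:-MISSING}" != "OK" ]; then
            echo "$db: ${status:-MISSING}"
            rc=1
        fi
    done
    return $rc
}

write_sample_client_files() {   # write_sample_client_files DIR
    local dir="$1"
    # the post's /etc/ldap.conf: plain ldap:// (192.0.2.10 is a constructed address)
    cat > "$dir/ldap.conf" <<'EOF'
host ldap.example.com
uri ldap://192.0.2.10:389/
base dc=example,dc=com
nss_initgroups_ignoreusers backup,bin,daemon,root,sshd,sync,sys,syslog,www-data
EOF
    # hardened variant: LDAPS with a verified server certificate (assumed CA file path)
    cat > "$dir/ldap-tls.conf" <<'EOF'
uri ldaps://ldap.example.com:636/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
EOF
    printf 'passwd: ldap compat\nshadow: ldap compat\ngroup: ldap compat\n' > "$dir/nsswitch-bad.conf"
    printf 'passwd: compat ldap\nshadow: compat ldap\ngroup: compat ldap\nhosts: files dns\n' > "$dir/nsswitch-good.conf"
}

demo_dir=$(mktemp -d)
write_sample_client_files "$demo_dir"
for f in ldap.conf ldap-tls.conf; do
    echo "== $f"; check_ldap_conf_transport "$demo_dir/$f" && echo "transport OK"
done
for f in nsswitch-bad.conf nsswitch-good.conf; do
    echo "== $f"; check_nsswitch_order "$demo_dir/$f" && echo "lookup order OK"
done
rm -rf "$demo_dir"
```

Run the two checks against the real /etc/ldap.conf and /etc/nsswitch.conf on each client; the post's own settings produce CLEARTEXT, NO-PEER-CHECK and LDAP-BEFORE-LOCAL findings, and the hardened variants pass.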

Monday, August 24, 2009

How to set up an OpenLDAP server


LDAP stands for Lightweight Directory Access Protocol. It is a directory access protocol that defines, on top of TCP/IP, a relatively simple way to update and search a directory. Common uses include address books, login services and host-name services.
This post describes how to install the OpenLDAP server.
First install the software the server needs

sudo apt-get install slapd ldap-utils
Reconfigure the openldap package

sudo dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name? example.com
Organization name? yourCompany
Database backend to use? bdb
Do you want the database to be removed when slapd is purged? Yes
(you may also be asked: Move old database? Yes)
Administrator password?
Confirm password?
Allow LDAPv2 protocol? No
If you need to edit slapd.conf by hand, it is at /etc/ldap/slapd.conf (139 lines on this install; the first part is shown below). The allow bind_v2 line is only written when you answered yes to the LDAPv2 question; a new directory has no use for LDAPv2, so remove it if it is present. Note too that loglevel none means slapd records nothing, not even failed binds; loglevel stats is the usual minimum for a server that handles logins.

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu’s that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=example,dc=com"
Edit /etc/ldap/ldap.conf, the defaults used by the ldap-utils command-line tools (example below)

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://localhost:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
Start the slapd server

/etc/init.d/slapd restart
Test that slapd is listening on the ldap port (389) on IPv4 and IPv6:
netstat -lvt | grep ldap
tcp 0 0 *:ldap *:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
Installing the OpenLDAP server itself is not complicated; the difficulty lies on the client side. The next post will cover how to set up Linux user logins with LDAP.