OpenLdap配置与管理
服务器端配置
yum install openldap-servers
slapd配置
[root@public-puppet01-P-Z ~]# slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}sBICuL/nbqxH63QBPkxqrw==
1、/etc/openldap/slapd.conf
# /etc/openldap/slapd.conf — one bdb database for suffix dc=chanjetoms,dc=com plus the monitor backend.
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# NOTE(review): `allow bind_v2` lets clients bind with the obsolete LDAPv2 protocol; remove it unless
# a v2-only client is actually in use.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=chanjetoms,dc=com"
rootdn "cn=Manager,dc=chanjetoms,dc=com"
# rootpw is the digest produced by `slappasswd -h {MD5}` shown above.
# NOTE(review): {MD5} is an unsalted digest; `slappasswd -h {SSHA}` produces a salted hash and is the
# usual choice for rootpw. Whatever scheme is used, this file holds the admin credential and must not
# be world-readable.
rootpw {MD5}sBICuL/nbqxH63QBPkxqrw==
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# NOTE(review): the `access` rules below appear after this `database monitor` line, so slapd attaches
# them to the monitor database, not to the bdb database above. A database with no ACL of its own
# falls back to slapd's default policy (per slapd.access(5): everyone may read), which would leave
# userPassword readable without credentials. Move the access block above `database monitor`
# (inside the bdb section), or above `database bdb` to make it global — confirm with `slaptest` and
# an anonymous search for userPassword after the change.
database monitor
# Intended policy: only the entry itself may change its password/shadowLastChange; everyone else may
# use the attribute for binding only (`auth`), never read it.
access to attrs=shadowLastChange,userPassword
by self write
by * auth
# `by * read` includes anonymous binds: the whole tree is readable without credentials.
access to *
by * read
2、/etc/openldap/ldap.conf
BASE dc=chanjetoms,dc=com
URI ldap://10.10.10.10
TLS_CACERTDIR /etc/openldap/cacerts
[root@dns1 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dns1 openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@dns1 openldap]#
# enable monitoring
database monitor
启动:
[root@common0 ~]# service slapd start
正在启动 slapd: [确定]
报错:
ldapadd ldap_bind: Invalid credentials (49)
解决方法:
# Regenerate the cn=config tree (slapd.d) from slapd.conf. The note above lists this as the fix for
# `ldap_bind: Invalid credentials (49)`, i.e. the running cn=config no longer matched slapd.conf
# (including rootpw). WARNING: the rm discards everything currently in slapd.d, including any changes
# made directly through cn=config.
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# The generated tree carries the converted rootpw, so hand it to the slapd user, strip all permissions,
# then grant owner-only read/write (and traverse on directories via X).
chown -R ldap.ldap /etc/openldap/slapd.d/
chmod -R 000 /etc/openldap/slapd.d/
chmod -R u+rwX /etc/openldap/slapd.d/
同步复制配置
Master:
# Replicas of this database (master side): changes are logged to replogfile and pushed to the replica
# host using the bind below.
# NOTE(review): `replica`/`replogfile` are slurpd-style directives. slurpd was dropped in OpenLDAP 2.4
# (the 2.4.19 package referenced elsewhere on this page) in favour of syncrepl — confirm against the
# installed version's slapd.conf(5) before relying on this section.
replogfile /var/lib/ldap/replog
replica host=ldap.ops.com:389
binddn="cn=Manager,dc=oms,dc=com"
# NOTE(review): `credentials=secret` stores the rootdn password in clear text in slapd.conf and
# `bindmethod=simple` over port 389 sends it unencrypted to the replica; keep this file readable by
# root/ldap only and prefer a TLS-protected connection for the replication bind.
credentials=secret
bindmethod=simple
Slave:
# Slave side: updatedn is the DN the master binds as when pushing changes (same DN as binddn above);
# updateref tells clients that try to write to this replica where the master is.
updatedn "cn=Manager,dc=oms,dc=com"
updateref ldap://ldap.ops.com:389/
master上日志(/usr/sbin/slapd -d 256)
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 ACCEPT from IP=192.168.52.145:58109 (IP=0.0.0.0:389)
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 BIND dn="" method=128
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=0 RESULT tag=97 err=0 text=
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SRCH base="dc=oms,dc=com" scope=2 deref=0 filter="(objectClass=*)"
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 op=2 UNBIND
2012-10-08 18:50:24 common0.ops.com slapd[13583]: conn=1000 fd=13 closed
******************************
客户端配置
setup
没有找到 /lib64/libnss_ldap.so.2 文件。
LDAP支持需要这个文件方可正常工作。
安装提供该文件的 nss-pam-ldapd 软件包。
# yum install nss-pam-ldapd
# vim /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
# vim /etc/sysconfig/authconfig
# /etc/sysconfig/authconfig — switches read by authconfig when it regenerates the PAM/NSS files.
# USELDAP/USELDAPAUTH=yes turn on LDAP for name lookups and authentication; USEMKHOMEDIR=yes adds
# pam_mkhomedir so LDAP users get a home directory on first login.
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
# NOTE(review): md5 selects the legacy MD5-crypt scheme for local /etc/shadow passwords (mirrored by
# `pam_unix.so md5` in system-auth); sha512 is the stronger value authconfig accepts
# (`authconfig --passalgo=sha512`) — confirm what this platform's authconfig offers.
PASSWDALGORITHM=md5
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
USELDAP=yes
USECRACKLIB=yes
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESMBAUTH=no
USEDB=no
USEPASSWDQC=no
# vim /etc/openldap/ldap.conf
BASE dc=oms,dc=com
URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com
# vim /etc/pam_ldap.conf
# /etc/pam_ldap.conf — where pam_ldap sends the user's password for the bind.
BASE dc=oms,dc=com
# NOTE(review): plain ldap:// URIs mean the bind (user password) crosses the network unencrypted;
# use ldaps:// or enable STARTTLS against the CA directory configured in ldap.conf.
URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com
# Only allow login on hosts listed in the user's `host` attribute (pam_ldap host-based access control).
pam_check_host_attr yes
# vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth stack: local pam_unix first; uid < 500 (system accounts) stops at pam_succeed_if and never
# reaches pam_ldap; other users are tried against LDAP with the password already typed (use_first_pass).
auth required pam_env.so
# NOTE(review): nullok accepts an empty password for local accounts that have one.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
# NOTE(review): pam_ldap forwards the password to the servers in /etc/pam_ldap.conf, which on this
# page are plain ldap:// URIs — without ldaps://STARTTLS the password crosses the network in clear.
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
# LDAP account check: a bad status denies, success allows, a user unknown to LDAP is ignored and
# falls through to pam_permit.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
# `md5` here is the local hash scheme chosen by PASSWDALGORITHM=md5 in /etc/sysconfig/authconfig.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
# Creates the home directory on first login (USEMKHOMEDIR=yes).
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
#nslcd.conf不用配置,缓存服务由nscd提供,而不是nslcd。
# vim /etc/nslcd.conf
# /etc/nslcd.conf — nss-pam-ldapd daemon; runs as uid nslcd / gid ldap and answers NSS lookups.
uid nslcd
gid ldap
# Two servers, master first.
uri ldap://ldap-master.ops.com ldap://ldap-slave.ops.com
base dc=oms,dc=com
# NOTE(review): `ssl no` together with plain ldap:// URIs means directory traffic (and any bind)
# crosses the network unencrypted; `ssl start_tls` with the CA directory below, or ldaps:// URIs,
# keeps it off the wire. tls_cacertdir has no effect while ssl stays off.
ssl no
tls_cacertdir /etc/openldap/cacerts
/etc/pam.d/system-auth-ac #设置setup中的"使用MD5密码"
/etc/pam.d/password-auth #配置后才能使用LDAP登录
--------------------
错误信息:
[root@wade28 openldap]# service slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [WARNING]
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
config file testing succeeded
Starting slapd: [ OK ]
解决方法:
该错误不影响ldap验证服务;若一定要解决,执行以下命令即可
[root@wade28 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap /var/lib/ldap
OR:
/usr/share/openldap-servers/DB_CONFIG.example
*********************
安装包依赖:
[root@h2 ~]# rpm -ivh openldap-servers-2.3.43-12.el5.i386.rpm
error: Failed dependencies:
libltdl.so.3 is needed by openldap-servers-2.3.43-12.el5.i386
openldap = 2.3.43-12.el5 is needed by openldap-servers-2.3.43-12.el5.i386
解决方法:
[root@h2 ~]# rpm -ivh libtool-ltdl-devel-1.5.22-7.el5_4.i386.rpm libtool-ltdl-1.5.22-7.el5_4.i386.rpm
Preparing... ########################################### [100%]
1:libtool-ltdl ########################################### [ 50%]
2:libtool-ltdl-devel ########################################### [100%]
***********************************
[root@xiangjingdev40_v_o openldap]# slaptest -f slapd.conf -F slapd.d/
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=chanjetoms,dc=com".
bdb_db_open: database "dc=chanjetoms,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=chanjetoms,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
解决方法:
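# Fix for `db_open(/var/lib/ldap/id2entry.bdb) failed` above: slapd must own its data directory so it
# can create the bdb files on first start.
chown ldap.ldap /var/lib/ldap
# Init script is `slapd` (the original note had a typo, `sldapd`); same service as started earlier.
/etc/init.d/slapd start
# Check that the db files were created.
ls -lh /var/lib/ldap/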
[root@www ldap]# slaptest -f /etc/openldap/slapd.conf
config file testing succeeded