OpenLdap安装配置

原创
2018/10/08 09:48
阅读数 3.9K

环境准备

系统:centos7两台
软件版本:openldap-2.4.4
配置文件: /etc/openldap/sldap.conf

说明:ldap双主配置
lab-01    ldap.test.com     IP: 10.0.0.11
lab-02    ldap2.test.com    IP: 10.0.0.12

环境初始化

1.配置防火墙

firewall-cmd --zone=public --add-port=389/tcp --permanent
firewall-cmd --zone=public --add-port=636/tcp --permanent
firewall-cmd --reload

2.关闭, 禁用selinux

setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

3.配置软件安装源

rm -f /etc/yum.repos.d/*
curl -so /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
curl -so /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
sed -i '/aliyuncs.com/d' /etc/yum.repos.d/Centos-7.repo /etc/yum.repos.d/epel-7.repo 

4.配置时间同步

yum -y install ntpdate
/usr/sbin/ntpdate ntp6.aliyun.com ;hwclock -w
echo -e "*/3 * * * * /usr/sbin/ntpdate ntp6.aliyun.com  >/dev/null 2>&1 && /usr/sbin/hwclock -w" > /tmp/crontab
crontab /tmp/crontab

lab-01 安装配置

1.设置主机名(若不配置主机名或者配置错误会导致后面服务无法启动)

# lab-01
hostnamectl set-hostname ldap.test.com

2.配置hosts解析

cat <<EOF   >>/etc/hosts

# add ldap server
10.0.0.11    ldap.test.com
10.0.0.12    ldap2.test.com
EOF

安装OpenLdap

1.安装OpenLdap与相关软件包

yum install -y openldap openldap-devel openldap-servers openldap-clients openldap-devel compat-openldap

创建CA证书

1.CA中心生成自身私钥

cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)

2.CA签发自身公钥

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 \
  -subj "/C=CN/ST=HuBei/L=WuHan/O=test/OU=test.com/CN=*.test.com/emailAddress=544025211@qq.com"
touch serial index.txt
echo "01" > serial

3.查看生成的根证书信息

openssl x509 -noout -text -in /etc/pki/CA/cacert.pem

创建ldap证书

1.OpenLdap服务端生成证书

mkdir /etc/openldap/ssl
cd /etc/openldap/ssl
(umask 077;openssl genrsa -out ldapkey.pem 1024)

2.OpenLdap服务端向CA申请证书签署请求

openssl req -new -key ldapkey.pem -out ldap.csr -days 3650 \
  -subj "/C=CN/ST=HuBei/L=WuHan/O=test/OU=test.com/CN=*.test.com/emailAddress=544025211@qq.com"

3.CA核实并签发证书

openssl ca -in /etc/openldap/ssl/ldap.csr -out /etc/openldap/ssl/ldapcert.pem -days 3650

4.设置证书权限

cp /etc/pki/CA/cacert.pem /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*

配置OpenLdap

1.复制数据库配置文件

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2.设置配置文件,数据目录权限

chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/

3.启动服务,配置服务跟随系统启动

systemctl start slapd
systemctl enable slapd

4.生成管理员密码

pass=linux
slappasswd -s $pass -n > /etc/openldap/passwd
cat /etc/openldap/passwd
ldap_pass="$(cat /etc/openldap/passwd)"

5.创建slapd 配置文件

cat<<EOF  >/etc/openldap/slapd.conf
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

allow       bind_v2
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

modulepath  /usr/lib64/openldap
moduleload  ppolicy.la

TLSCACertificateFile  /etc/openldap/ssl/cacert.pem
TLSCertificateFile  /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never

access to attrs=shadowLastChange,userPassword
      by self write
      by * auth

access to *
      by * read

database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=test,dc=com" read
        by * none

database    hdb
suffix      "dc=test,dc=com"
checkpoint  1024 15
rootdn      "cn=admin,dc=test,dc=com"
rootpw      $ldap_pass
directory   /var/lib/ldap

index    objectClass                       eq,pres
index    ou,cn,mail,surname,givenname      eq,pres,sub
index    uidNumber,gidNumber,loginShell    eq,pres
index    uid,memberUid                     eq,pres,sub
index    nisMapName,nisMapEntry            eq,pres,sub
loglevel    4095

# 主同步1 (若为配置单机版本则无需以下配置)
moduleload syncprov.la
modulepath /usr/lib64/openldap

index   entryCSN,entryUUID    eq

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

serverID  1

syncrepl  rid=001
    provider=ldaps://ldap2.test.com
    bindmethod=simple
    binddn="cn=admin,dc=test,dc=com"
    credentials=linux
    searchbase="dc=test,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="5 5 300 5"
    starttls=yes

mirrormode on
EOF

6.配置监听服务

sed -i 's/SLAPD_URLS/#SLAPD_URLS/' /etc/sysconfig/slapd
cat <<EOF   >>/etc/sysconfig/slapd

# OpenLDAP Ldaps
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
EOF

7.生成新的配置(依据slapd.conf配置项生成新的配置)

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

8.设置目录权限, 重启服务

chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd

9.配置日志

cat <<EOF   >>/etc/rsyslog.conf

# ldap log
local4.*    /var/log/slapd/slapd.log
EOF

systemctl restart rsyslog

测试添加用户, 组

1.创建本地测试用户

for user in ldapuser{1..5} feng{1..5}; do
    useradd $user
    echo redhat | passwd --stdin $user
done

2.使用工具生成ldif文件

# 安装工具
yum install -y migrationtools

# 替换域信息
sed -i "71,74 s/padl/test/g" /usr/share/migrationtools/migrate_common.ph
sed -i "71,74 s/com/com/g" /usr/share/migrationtools/migrate_common.ph
sed -i 's/EXTENDED_SCHEMA = 0/EXTENDED_SCHEMA = 1/' /usr/share/migrationtools/migrate_common.ph

# 生成基础架构,根据密码文件生成用户信息,根据组文件生成组信息
/usr/share/migrationtools/migrate_base.pl > ~/base.ldif
/usr/share/migrationtools/migrate_passwd.pl  /etc/passwd > ~/passwd.ldif
/usr/share/migrationtools/migrate_group.pl  /etc/group > ~/group.ldif

3.导入数据导入至OpenLdap目录树

ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/base.ldif
ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/passwd.ldif
ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/group.ldif

测试验证

1.搜索导入的用户

ldapsearch -x cn=ldapuser1 -b dc=test,dc=com
for user in ldapuser{1..5} feng{1..5}; do
    echo "---------- id $user ----------"
    ldapsearch -x cn=$user -b dc=test,dc=com
    sleep 1
    echo
done

2.验证OpenLdap服务端证书的合法性

openssl verify -CAfile /etc/openldap/ssl/cacert.pem /etc/openldap/ssl/ldapcert.pem

3.验证当前套接字是否能通过CA的验证

openssl s_client -connect ldap.test.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem

启动http服务(提供证书给客户端下载)

1.防火墙

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

2.启动 http 提供 tls证书下载

cd /etc/openldap/ssl
python -m SimpleHTTPServer 80

lab-02 安装配置

1.设置主机名(若不配置主机名或者配置错误会导致后面服务无法启动)

# lab-02
hostnamectl set-hostname ldap2.test.com

2.配置hosts解析

cat <<EOF   >>/etc/hosts

# add ldap server
10.0.0.11    ldap.test.com
10.0.0.12    ldap2.test.com
EOF

安装OpenLdap

1.安装OpenLdap与相关软件包

yum install -y openldap openldap-devel openldap-servers openldap-clients openldap-devel compat-openldap

配置OpenLdap

1.下载lab-01 证书文件

mkdir /etc/openldap/ssl/
scp ldap.test.com:/etc/openldap/ssl/* /etc/openldap/ssl/

2.设置凭证权限

chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*

3.复制数据库配置文件

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

4.设置配置文件,数据目录权限

chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/

5.启动服务,跟随系统启动

systemctl start slapd
systemctl enable slapd

6.生成密码管理账号密码

pass=linux
slappasswd -s $pass -n > /etc/openldap/passwd
cat /etc/openldap/passwd
ldap_pass="$(cat /etc/openldap/passwd)"

7.创建slapd 配置文件

cat<<EOF  >/etc/openldap/slapd.conf
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

allow       bind_v2
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

modulepath  /usr/lib64/openldap
moduleload  ppolicy.la

TLSCACertificateFile  /etc/openldap/ssl/cacert.pem
TLSCertificateFile  /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile  /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never

access to attrs=shadowLastChange,userPassword
      by self write
      by * auth

access to *
      by * read

database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=test,dc=com" read
        by * none

database    hdb
suffix      "dc=test,dc=com"
checkpoint  1024 15
rootdn      "cn=admin,dc=test,dc=com"
rootpw      $ldap_pass
directory   /var/lib/ldap

index    objectClass                       eq,pres
index    ou,cn,mail,surname,givenname      eq,pres,sub
index    uidNumber,gidNumber,loginShell    eq,pres
index    uid,memberUid                     eq,pres,sub
index    nisMapName,nisMapEntry            eq,pres,sub
loglevel    4095

# 主同步2 (若为配置单机版本则无需以下配置)
moduleload syncprov.la
modulepath /usr/lib64/openldap

index entryCSN,entryUUID                eq

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

serverID  2

syncrepl  rid=001
    provider=ldaps://ldap.test.com
    bindmethod=simple
    binddn="cn=admin,dc=test,dc=com"
    credentials=$pass
    searchbase="dc=test,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="5 5 300 5"
    starttls=yes

mirrormode on
EOF

8.配置监听服务

sed -i 's/SLAPD_URLS/#SLAPD_URLS/' /etc/sysconfig/slapd
cat <<EOF   >>/etc/sysconfig/slapd

# OpenLDAP Ldaps
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
EOF

9.生成新的配置(依据slapd.conf配置项生成新的配置)

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

10.设置目录权限, 重启服务

chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd

11.配置日志

cat <<EOF   >>/etc/rsyslog.conf

# ldap log
local4.*    /var/log/slapd/slapd.log
EOF

systemctl restart rsyslog

测试验证

1.搜索导入的用户

ldapsearch -x cn=ldapuser1 -b dc=test,dc=com
for user in ldapuser{1..5} feng{1..5}; do
    echo "---------- id $user ----------"
    ldapsearch -x cn=$user -b dc=test,dc=com
    sleep 1
    echo
done

2.验证OpenLdap服务端证书的合法性

openssl verify -CAfile /etc/openldap/ssl/cacert.pem /etc/openldap/ssl/ldapcert.pem

3.确认当前套接字是否能通过CA的验证

openssl s_client -connect ldap2.test.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem

4.验证同步

# 删除本地openldap数据库,重启服务查看同步日志
tail -f /var/log/slapd/slapd.log
rm -f /var/lib/ldap/*; systemctl restart slapd;sleep 2; ls /var/lib/ldap/

客户端配置

1.配置hosts解析

cat <<EOF   >>/etc/hosts

# add ldap server
10.0.0.11    ldap.test.com
10.0.0.12    ldap2.test.com
EOF

2.安装验证模块

yum install -y sssd krb5-workstation

3.配置单服务器验证

# 服务器开启http服务给客户端下载证书
authconfig \
  --enableldap \
  --enableldaptls \
  --enableldapauth \
  --enablemkhomedir \
  --ldapserver='ldaps://ldap.test.com' \
  --ldapbasedn="dc=test,dc=com" \
  --ldaploadcacert=http://ldap.test.com/cacert.pem \
  --update

3.1配置双服务器验证

authconfig \
  --enableldap \
  --enableldaptls \
  --enableldapauth \
  --enablemkhomedir \
  --ldapserver='ldaps://ldap.test.com,ldaps://ldap2.test.com' \
  --ldapbasedn="dc=test,dc=com" \
  --ldaploadcacert=http://ldap.test.com/cacert.pem \
  --update

4.验证

id ldapuser1
ssh ldapuser1@127.0.0.1

使用脚本

1.创建配置

cat <<EOF  >./ldap.info
NODE1_IP=10.0.0.11
NODE1_HOSTNAME=ldap.test.com
NODE1_ROOTPASS=redhat

NODE2_IP=10.0.0.12
NODE2_HOSTNAME=ldap2.test.com
NODE2_ROOTPASS=redhat

ADMIN_PASS=linux
EOF

2.执行安装

bash -c "$(curl https://gitee.com/yx571304/my_oschina/raw/master/openldap/install.sh)"

3.提供客户端证书下载

cd /etc/openldap/ssl
python -m SimpleHTTPServer 80

安装web管理

1.安装PHP环境

yum install -y httpd php php-ldap php-gd bzip2
systemctl start httpd
systemctl enable httpd

2.安装ldap-account-manager

curl -OL  http://prdownloads.sourceforge.net/lam/ldap-account-manager-5.7.tar.bz2 --progress
tar xvf ldap-account-manager-5.7.tar.bz2
cd ldap-account-manager-5.7
chown apache.apache * -R
./configure --with-httpd-user=apache --with-httpd-group=apache --with-web-root=/var/www/html/
make install

# 链接lam配置文件的默认模板
mkdir /var/www/html/config/profiles
ln -s /var/www/html/config/templates/profiles/ /var/www/html/config/profiles/lam

3.打开浏览器配置ldap-account-manager

http://IP/

# 生成配置文件
    # 点击右上角  LAM configuration (lam配置)
    # 点击第二项  Edit server profiles  (编辑服务器配置文件)
    # 点击 Manage server profiles (管理服务器设置)
    # 依次输入 Profile name (配置文名称) lam
    # Profile password  修改此配置文件的密码  test.com
    # Reenter password  再次输入密码         test.com
    # Template   模板   unix
    # 点击 Add   Master password  输入管理密码  lam (此处的密码为config.cfg中的加密字符串) 点击OK

# 修改配置文件
# General settings
    # Server settings
        Server address        ldap://ldap.test.com
        Tree suffix           dc=test,dc=com

    # Language settings
        Default language
        Time zone           Asia/Shanghai

    # Security settings
        Login method        Fixed list
        List of valid users cn=admin,dc=test,dc=com
        # 点击底部 Slave

# Account types
    # Active account types
        # Users User accounts (e.g. Unix, Samba and Kolab)
            LDAP suffix    ou=People,dc=test,dc=com

        # Groups Group accounts (e.g. Unix and Samba)
            LDAP suffix    ou=group,dc=test,dc=com

# 点击底部SAVE

# 输入admin 管理员的密码 linux 登录 (ldap服务器配置的密码)
# 选择 工具 → 配置文件编辑器 → 用户 点击右侧的编辑 修改 RDN标志 uid
# 点击底部 保存
# ldap-account-manager 配置OK

# 配置 ldaps 方式连接
# 点击右上角 退出
# 点击右上角 LAM配置
# 编辑通用设置 输入默认管理密码 lam
# 通用设置
    # SSL 数字证书	使用系统的数字证书
    ldaps://ldap.test.com 点击 从服务器导入
    # 点击右下角保存

# 点击右上角 LAM 配置
# 点击 编辑服务器配置文件 输入lam 配置文件的密码 test.com
# 通用设置
    服务器地址 ldaps://ldap.test.com,ldaps://ldap2.test.com
    # 点击右下角保存

# 重启 http服务
systemctl restart httpd
展开阅读全文
加载中

作者的其它热门文章

打赏
0
0 收藏
分享
打赏
0 评论
0 收藏
0
分享
返回顶部
顶部