Sunday, May 8, 2016

Installing and Configuring an LDAP Server on CentOS 7/RHEL 7 (Part 1)

Quick setup procedure:
  1. Install the LDAP server packages:
    # yum install -y openldap openldap-clients openldap-servers migrationtools
    
  2. First, generate the hashed password:
    # slappasswd -s redhat -n > /etc/openldap/passwd
    
  3. Create the key pair for encrypted communication:
    # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 3650
    Generating a 2048 bit RSA private key
    .....+++
    ..............+++
    writing new private key to '/etc/openldap/certs/priv.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:  ## enter the country code
    State or Province Name (full name) []: ## enter the state or province name
    Locality Name (eg, city) [Default City]: ## enter the city name
    Organization Name (eg, company) [Default Company Ltd]: ## enter the organization name
    Organizational Unit Name (eg, section) []: ## enter the organizational unit name
    Common Name (eg, your name or your server's hostname) []:instructor.example.com
    Email Address []: ## enter the e-mail address
    
  4. Fix the permissions under /etc/openldap/certs:
    # cd /etc/openldap/certs
    # chown ldap:ldap *
    # chmod 600 priv.pem
    
  5. Copy the sample LDAP database config file into place to make setup easier:
    # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    # chown ldap /var/lib/ldap/DB_CONFIG
    
  6. Generate the database files (the errors that appear can be ignored):
    # slaptest
    
  7. Set the permissions on the files under /var/lib/ldap/:
    # chown ldap:ldap /var/lib/ldap/*
    
  8. Firewall configuration (ports 389/636):
    # firewall-cmd --permanent --add-service=ldap
    # firewall-cmd --permanent --add-service=ldaps
    # firewall-cmd --reload
    
  9. Start the slapd service:
    # systemctl enable slapd.service
    # systemctl start slapd.service
    
  10. Check that it started and is listening:
    # ss -nlp | grep slapd
    
  11. Load ldif files into the system, for example the cosine and nis schemas:
    # cd /etc/openldap/schema
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
    
  12. Write the changes.ldif file:
    # vim /etc/openldap/changes.ldif
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=example,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=example,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/cert.pem
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
    
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: -1
    
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
    
  13. Load changes.ldif into the LDAP server:
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
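
As an added example that is not part of the original post: a shell preflight check for changes.ldif before running ldapmodify. It verifies that olcRootPW is not still the {SSHA}xxxx placeholder (it should be the hash written to /etc/openldap/passwd in step 2), that olcRootDN sits under olcSuffix (simple binds with the root password only work when it does), and that the certificate and key from steps 3 and 4 exist with priv.pem kept at mode 600. The function write_sample_changes_ldif, the temporary directory and the hash value in the demonstration are constructed for the example; GNU stat is assumed.

```bash
#!/bin/bash
# Added example (not part of the original post): preflight checks to run on
# /etc/openldap/changes.ldif before handing it to ldapmodify. Everything here
# is plain shell over the LDIF text; it does not talk to slapd. The sample
# file written by write_sample_changes_ldif mirrors the post's changes.ldif
# with constructed values (temporary paths and a made-up hash).

# ldif_value FILE DN ATTR
#   Print the value(s) of ATTR inside every change record for DN.
ldif_value() {
  awk -v dn="$2" -v attr="$3" '
    /^dn: / { cur = substr($0, 5) }
    cur == dn && index($0, attr ": ") == 1 { print substr($0, length(attr) + 3) }
  ' "$1"
}

# looks_like_placeholder VALUE
#   True when VALUE is a single repeated character (e.g. xxxxxxxx), which is
#   what a hash copied verbatim from a tutorial looks like.
looks_like_placeholder() {
  local first rest
  first=$(printf '%s' "$1" | cut -c1)
  rest=$(printf '%s' "$1" | tr -d "$first")
  [ -z "$rest" ]
}

# check_changes_ldif FILE
#   Returns 0 when all checks pass; prints one line per problem otherwise.
check_changes_ldif() {
  local f="$1" db="olcDatabase={2}hdb,cn=config" rc=0
  local suffix rootdn rootpw cert key body mode p

  suffix=$(ldif_value "$f" "$db" olcSuffix)
  rootdn=$(ldif_value "$f" "$db" olcRootDN)
  rootpw=$(ldif_value "$f" "$db" olcRootPW)
  cert=$(ldif_value "$f" cn=config olcTLSCertificateFile)
  key=$(ldif_value "$f" cn=config olcTLSCertificateKeyFile)

  # 1. olcRootPW must be real slappasswd output ({SSHA} + base64 body), not
  #    the {SSHA}xxxx placeholder from the writeup.
  body=${rootpw#"{SSHA}"}
  if [ "$body" = "$rootpw" ] || [ "${#body}" -lt 28 ] || looks_like_placeholder "$body"; then
    echo "olcRootPW is not a usable {SSHA} hash: '$rootpw'"; rc=1
  fi

  # 2. Simple binds with olcRootPW only work when olcRootDN lies inside
  #    olcSuffix (see slapd.conf(5)), so cn=Manager must end with the suffix.
  case "$rootdn" in
    *",$suffix") ;;
    *) echo "olcRootDN '$rootdn' is not under olcSuffix '$suffix'"; rc=1 ;;
  esac

  # 3. The TLS files from step 3 must exist and priv.pem must stay mode 600
  #    (step 4); otherwise slapd cannot start TLS or the key is readable by others.
  for p in "$cert" "$key"; do
    [ -f "$p" ] || { echo "TLS file missing: $p"; rc=1; }
  done
  if [ -f "$key" ]; then
    mode=$(stat -c %a "$key")   # GNU stat (Linux)
    [ "$mode" = "600" ] || { echo "$key has mode $mode, expected 600"; rc=1; }
  fi
  return "$rc"
}

# write_sample_changes_ldif DIR HASH
#   Write a constructed copy of the post's changes.ldif into DIR, pointing the
#   TLS attributes at DIR/cert.pem and DIR/priv.pem and using HASH as olcRootPW.
#   Prints the path of the file written.
write_sample_changes_ldif() {
  cat > "$1/changes.ldif" <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $2

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/priv.pem
EOF
  printf '%s\n' "$1/changes.ldif"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/cert.pem"; : > "$demo_dir/priv.pem"; chmod 600 "$demo_dir/priv.pem"
bad_file=$(write_sample_changes_ldif "$demo_dir" '{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx')
check_changes_ldif "$bad_file" || echo "rejected as expected: placeholder hash"
# Constructed value with the shape of slappasswd output; not a real hash.
good_file=$(write_sample_changes_ldif "$demo_dir" '{SSHA}aGFzaHZhbHVlMDEyMzQ1Njc4OXNhbHQx')
check_changes_ldif "$good_file" && echo "ok: $good_file passes preflight"
```

Run `check_changes_ldif /etc/openldap/changes.ldif` as root on the server before step 13; a non-zero exit with the printed reasons means the file should be corrected first.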
    
  14. Now create the ldif file for the domain you need:
    # vim /etc/openldap/base.ldif
    dn: dc=example,dc=com
    dc: example
    objectClass: top
    objectClass: domain
    
    dn: ou=People,dc=example,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=Group,dc=example,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit
    
  15. Load base.ldif into the LDAP server:
    # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
    
  16. Add two system user accounts for testing:
    # mkdir /home/guests
    # useradd -d /home/guests/ldapuser01 ldapuser01
    # passwd ldapuser01
    # useradd -d /home/guests/ldapuser02 ldapuser02
    # passwd ldapuser02
    
  17. Edit migrate_common.ph so the users on this system can be imported into the LDAP server:
    # vim /usr/share/migrationtools/migrate_common.ph
    $DEFAULT_MAIL_DOMAIN = "example.com";
    $DEFAULT_BASE = "dc=example,dc=com";
    
  18. Create the current users and groups in the LDAP server (the migrate scripts live in /usr/share/migrationtools):
    # cd /usr/share/migrationtools
    # grep ":10[0-9][0-9]" /etc/passwd > passwd
    # ./migrate_passwd.pl passwd users.ldif
    # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
    # grep ":10[0-9][0-9]" /etc/group > group
    # ./migrate_group.pl group groups.ldif
    # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
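
An added example, not from the original post, for the account selection in step 18. grep ":10[0-9][0-9]" matches that string anywhere in the line, so an account whose GID happens to be 10xx, or one with a five-digit UID such as 10050, would also be migrated into the directory. The functions below filter on the numeric third field instead (UID in /etc/passwd, GID in /etc/group). The passwd and group contents, the temporary directory and the migrate_range wrapper are constructed for the example; migrate_range assumes the migrationtools layout used in step 17 and is not executed by the demonstration.

```bash
#!/bin/bash
# Added example (not part of the original post): select accounts to migrate by
# numeric id rather than with grep ":10[0-9][0-9]". Sample passwd/group data
# below is constructed for the demonstration.

# select_by_id FILE MIN MAX
#   Print the lines of a passwd- or group-format FILE whose third field is a
#   number in the closed range [MIN, MAX].
select_by_id() {
  awk -F: -v lo="$2" -v hi="$3" \
    '$3 ~ /^[0-9]+$/ && ($3 + 0) >= (lo + 0) && ($3 + 0) <= (hi + 0)' "$1"
}

# names_by_id FILE MIN MAX
#   Same selection, but print only the account/group names (first field),
#   comma-separated, so the result is easy to review or log.
names_by_id() {
  select_by_id "$1" "$2" "$3" | cut -d: -f1 | paste -sd, -
}

# legacy_select FILE
#   The post's original pattern, kept only for comparison.
legacy_select() {
  grep ':10[0-9][0-9]' "$1"
}

# write_samples DIR
#   Write constructed DIR/passwd and DIR/group files. "backup" has GID 1001
#   and "svc-big" has UID 10050: both match the grep but are outside 1000-1099.
write_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:1001:backup:/var/backups:/sbin/nologin
ldapuser01:x:1000:1000::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:1001:1001::/home/guests/ldapuser02:/bin/bash
svc-big:x:10050:10050::/srv/svc:/sbin/nologin
EOF
  cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
ldapuser01:x:1000:
ldapuser02:x:1001:
docker:x:10010:
EOF
}

# migrate_range MIN MAX
#   Step 18 of the post rebuilt on the precise filter (assumed layout of the
#   migrationtools package). Review names_by_id output before running it.
migrate_range() {
  cd /usr/share/migrationtools || return 1
  select_by_id /etc/passwd "$1" "$2" > passwd
  select_by_id /etc/group  "$1" "$2" > group
  ./migrate_passwd.pl passwd users.ldif
  ./migrate_group.pl group groups.ldif
  # then load them, prompting for the Manager password instead of putting it
  # on the command line:
  #   ldapadd -x -W -D cn=Manager,dc=example,dc=com -f users.ldif
  #   ldapadd -x -W -D cn=Manager,dc=example,dc=com -f groups.ldif
}

# Demonstration on the constructed files.
d=$(mktemp -d)
write_samples "$d"
echo "grep ':10[0-9][0-9]' picks: $(legacy_select "$d/passwd" | cut -d: -f1 | paste -sd, -)"
echo "UID 1000-1099 picks:        $(names_by_id "$d/passwd" 1000 1099)"
echo "GID 1000-1099 picks:        $(names_by_id "$d/group" 1000 1099)"
```

On the sample data the grep selects backup, ldapuser01, ldapuser02 and svc-big, while the range filter selects only ldapuser01 and ldapuser02; check the names before the users.ldif is generated so that nothing unintended ends up in the directory.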
    
  19. Test by searching for the user ldapuser01:
    # ldapsearch -x -b dc=example,dc=com cn=ldapuser01
    
  20. Optionally send slapd's log output to the system log service:
    # vim /etc/rsyslog.conf
    local4.* /var/log/ldap.log
    
    (restart the system log service:)
    # systemctl restart rsyslog
    
References:
  1. https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/
  2. http://www.server-world.info/en/note?os=CentOS_7&p=openldap
  3. http://jamyy.us.to/blog/2014/09/6704.html
  4. http://yu-li-liang.blogspot.tw/2014/04/linux-centos-ldap-server-24.html
  5. http://crashedbboy.blogspot.tw/2015/08/centos-7-open-ldap.html