LDAP Linux

Contents
Introduction
Before installation
Installation
Initial configuration
Check the service status
Start the service
Related articles

Introduction

LDAP (Lightweight Directory Access Protocol) is an application-layer protocol for accessing an X.500-style directory service, developed by the IETF as a lightweight alternative to the ITU-T DAP protocol.

LDAP is a relatively simple protocol that runs over TCP/IP and provides authentication (bind), search and compare operations, as well as adding, modifying and deleting entries.

An LDAP server normally listens on TCP port 389. UDP port 389 is used only by the connectionless variant, CLDAP; ordinary LDAP, including every bind, runs over TCP.

LDAP sessions encapsulated in SSL/TLS (LDAPS) normally use port 636. The alternative is StartTLS, which upgrades a plaintext session on port 389. Without one of the two, a simple bind (ldapadd/ldapsearch -x -W, as used later on this page) sends the password in the clear; on this page those commands only talk to the local host, so it starts to matter as soon as a remote client is involved.

Every entry in an LDAP directory consists of one or more attributes and has a unique name, the distinguished name (DN).

A distinguished name can look, for example, like this:

cn=Ivan Petrov,ou=Employees,dc=andrei,dc=com

A distinguished name consists of one or more relative distinguished names (RDNs) separated by commas.

A relative distinguished name has the form AttributeName=value. Two entries at the same level of the directory cannot have the same RDN.

Because of this structure of the distinguished name, the entries of an LDAP directory are naturally represented as a tree.

An entry may contain only the attributes defined in the description of its object class(es); object classes in turn are grouped into schemas.

The schema defines which attributes are mandatory for a given class and which are optional.

The schema also defines the syntax of each attribute and the matching rules used to compare it. An attribute of an entry can hold several values.

LDIF: LDAP Data Interchange Format
DIT: Directory Information Tree
c: country
dc: domain component
dn: distinguished name
l: locality (localityName)
ou: organizationalUnit
RFC 4510: LDAP technical specification road map

Before installation

Make sure the host has an FQDN

Run

hostname

If the output is only

localhost.localdomain

set the full name manually

hostnamectl --static set-hostname ldap.andrei.com
hostname -f

ldap.andrei.com

su -
echo "192.168.56.207 ldap.andrei.com" >> /etc/hosts
cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.207 ldap.andrei.com

ping ldap.andrei.com

PING ldap.andrei.com (192.168.56.207) 56(84) bytes of data.
64 bytes from ldap.andrei.com (192.168.56.207): icmp_seq=1 ttl=64 time=0.089 ms
64 bytes from ldap.andrei.com (192.168.56.207): icmp_seq=2 ttl=64 time=0.192 ms
64 bytes from ldap.andrei.com (192.168.56.207): icmp_seq=3 ttl=64 time=0.072 ms

netstat -ltn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN

firewall-cmd --permanent --add-service=ldap
success

firewall-cmd --reload
success

This opens plaintext LDAP (TCP 389) to every source the firewall zone allows. Nothing later on this page enables TLS, so keep the rule limited to the client networks, or add LDAPS/StartTLS before exposing the server beyond a lab.

Installation

yum install -y openldap openldap-clients openldap-servers migrationtools.noarch

Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
 * base: mirror.hosthink.net
 * extras: mirror.hosthink.net
 * updates: centos.mirror.far.fi
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz                            | 153 kB  00:00:01
(2/4): extras/7/x86_64/primary_db                        | 247 kB  00:00:01
(3/4): base/7/x86_64/primary_db                          | 6.1 MB  00:00:03
(4/4): updates/7/x86_64/primary_db                       |  16 MB  00:00:04
Resolving Dependencies
--> Running transaction check
---> Package migrationtools.noarch 0:47-15.el7 will be installed
---> Package openldap.x86_64 0:2.4.44-22.el7 will be updated
---> Package openldap.x86_64 0:2.4.44-25.el7_9 will be an update
---> Package openldap-clients.x86_64 0:2.4.44-25.el7_9 will be installed
---> Package openldap-servers.x86_64 0:2.4.44-25.el7_9 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: openldap-servers-2.4.44-25.el7_9.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.4.2-22.el7_3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch      Version              Repository     Size
================================================================================
Installing:
 migrationtools      noarch    47-15.el7            base           26 k
 openldap-clients    x86_64    2.4.44-25.el7_9      updates       191 k
 openldap-servers    x86_64    2.4.44-25.el7_9      updates       2.2 M
Updating:
 openldap            x86_64    2.4.44-25.el7_9      updates       356 k
Installing for dependencies:
 libtool-ltdl        x86_64    2.4.2-22.el7_3       base           49 k

Transaction Summary
================================================================================
Install  3 Packages (+1 Dependent package)
Upgrade  1 Package

Total download size: 2.8 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/base/packages/libtool-ltdl-2.4.2-22.el7_3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for libtool-ltdl-2.4.2-22.el7_3.x86_64.rpm is not installed
(1/5): libtool-ltdl-2.4.2-22.el7_3.x86_64.rpm            |  49 kB  00:00:01
(2/5): migrationtools-47-15.el7.noarch.rpm               |  26 kB  00:00:01
Public key for openldap-2.4.44-25.el7_9.x86_64.rpm is not installed
(3/5): openldap-2.4.44-25.el7_9.x86_64.rpm               | 356 kB  00:00:01
(4/5): openldap-clients-2.4.44-25.el7_9.x86_64.rpm       | 191 kB  00:00:01
(5/5): openldap-servers-2.4.44-25.el7_9.x86_64.rpm       | 2.2 MB  00:00:00
--------------------------------------------------------------------------------
Total                                           1.0 MB/s | 2.8 MB  00:00:02
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-9.2009.0.el7.centos.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openldap-2.4.44-25.el7_9.x86_64                  1/6
  Installing : libtool-ltdl-2.4.2-22.el7_3.x86_64               2/6
  Installing : openldap-servers-2.4.44-25.el7_9.x86_64          3/6
  Installing : migrationtools-47-15.el7.noarch                  4/6
  Installing : openldap-clients-2.4.44-25.el7_9.x86_64          5/6
  Cleanup    : openldap-2.4.44-22.el7.x86_64                    6/6
  Verifying  : openldap-2.4.44-25.el7_9.x86_64                  1/6
  Verifying  : libtool-ltdl-2.4.2-22.el7_3.x86_64               2/6
  Verifying  : migrationtools-47-15.el7.noarch                  3/6
  Verifying  : openldap-clients-2.4.44-25.el7_9.x86_64          4/6
  Verifying  : openldap-servers-2.4.44-25.el7_9.x86_64          5/6
  Verifying  : openldap-2.4.44-22.el7.x86_64                    6/6

Installed:
  migrationtools.noarch 0:47-15.el7
  openldap-clients.x86_64 0:2.4.44-25.el7_9
  openldap-servers.x86_64 0:2.4.44-25.el7_9

Dependency Installed:
  libtool-ltdl.x86_64 0:2.4.2-22.el7_3

Updated:
  openldap.x86_64 0:2.4.44-25.el7_9

Complete!

Initial configuration

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
ls -l /var/lib/ldap/

total 4
-rw-r--r--. 1 root root 845 Jun 13 18:09 DB_CONFIG

slaptest

62a7532f hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
62a7532f backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

The error is expected on an empty database: slaptest checks the configuration and, without -u, also tries to open the hdb backend. Run as root, it creates the BerkeleyDB environment files (__db.* and alock) owned by root, which slapd running as the ldap user cannot use; that is why the ownership is fixed below.

ls -l /var/lib/ldap/

total 18968
-rw-r--r--. 1 root root     2048 Jun 13 18:09 alock
-rw-------. 1 root root  2326528 Jun 13 18:09 __db.001
-rw-------. 1 root root 17448960 Jun 13 18:09 __db.002
-rw-------. 1 root root  1884160 Jun 13 18:09 __db.003
-rw-r--r--. 1 root root      845 Jun 13 18:09 DB_CONFIG

chown ldap:ldap /var/lib/ldap/*
systemctl start slapd
systemctl enable slapd

Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

systemctl status -l slapd

slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-06-13 18:10:48 EEST; 25s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 2735 (slapd)
   CGroup: /system.slice/slapd.service
           └─2735 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jun 13 18:10:43 ldap.andrei.com systemd[1]: Starting OpenLDAP Server Daemon...
Jun 13 18:10:43 ldap.andrei.com runuser[2713]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 13 18:10:44 ldap.andrei.com runuser[2724]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 13 18:10:44 ldap.andrei.com runuser[2726]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 13 18:10:44 ldap.andrei.com runuser[2728]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 13 18:10:44 ldap.andrei.com runuser[2730]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 13 18:10:44 ldap.andrei.com slapd[2733]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
        mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jun 13 18:10:47 ldap.andrei.com slapd[2733]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
Jun 13 18:10:48 ldap.andrei.com slapd[2735]: slapd starting
Jun 13 18:10:48 ldap.andrei.com systemd[1]: Started OpenLDAP Server Daemon.

netstat -ltn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN

slapd now listens on port 389 on all addresses (0.0.0.0 and ::), which is the ldap:/// URL from the unit file, plus the local ldapi:/// socket. There is no ldaps:/// listener, so everything that reaches this port from the network is plaintext until TLS is configured.

cd /etc/openldap/schema
ls

collective.ldif    corba.ldif    core.ldif    cosine.ldif    duaconf.ldif    dyngroup.ldif    inetorgperson.ldif    java.ldif    misc.ldif    nis.ldif    openldap.ldif    pmi.ldif    ppolicy.ldif
collective.schema  corba.schema  core.schema  cosine.schema  duaconf.schema  dyngroup.schema  inetorgperson.schema  java.schema  misc.schema  nis.schema  openldap.schema  pmi.schema  ppolicy.schema

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

cd
slappasswd -s MySecret -n > rootpwd
cat rootpwd

{SSHA}z77aYYbvyLAatE+LsdG2FZZmqS2KCpC9

Passing the password with -s puts it into the shell history and makes it visible in the process list while slappasswd runs; without -s, slappasswd prompts for the password twice instead. The rootpwd file and the config.ldif below both contain the hash, so remove them once the configuration has been applied.
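What slappasswd produced above, as an added Python example (not OpenLDAP's code and not part of this page): {SSHA} is base64(SHA-1(password || salt) || salt) with a 4-byte salt, which is why the value above decodes to 24 bytes. The example generates such a hash without putting the password on the command line, and verifies a password against a stored hash with a constant-time comparison. The environment-variable name LDAP_ROOT_PW and the fixed salt used in the self-check are assumptions of the example.

```python
"""Create and verify OpenLDAP {SSHA} password hashes with the standard library.

Added example for this page, not OpenLDAP code. {SSHA} is
base64(SHA-1(password || salt) || salt); slappasswd uses a 4-byte salt.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4          # what slappasswd emits; any salt length is accepted on verify
DIGEST_LEN = 20       # SHA-1 output size


def make_ssha(password, salt=None):
    """Return an {SSHA} string usable as olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """(digest, salt) from a stored {SSHA} value; the scheme name is case-insensitive."""
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password, stored):
    """True if password matches stored; digests are compared in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def read_password(path=None, env_var="LDAP_ROOT_PW"):
    """Password from a mode-0600 file (first line) or from the environment.

    Never from argv: command-line arguments end up in shell history and are
    visible to every user in the process list while the tool runs.
    """
    if path:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.readline().rstrip("\n")
    value = os.environ.get(env_var)
    if not value:
        raise ValueError("no password supplied (file or %s)" % env_var)
    return value


if __name__ == "__main__":
    # e.g.  LDAP_ROOT_PW='MySecret' python3 ssha.py > rootpwd
    print(make_ssha(read_password()))
```

The scheme is a single SHA-1 round with a short salt, so treat the stored value as protection against casual disclosure rather than against offline brute force: the hash on disk (rootpwd, config.ldif, slapd.d) still deserves root-only permissions.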

vi config.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=andrei,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=andrei,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}z77aYYbvyLAatE+LsdG2FZZmqS2KCpC9

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 0

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=andrei,dc=com" read by * none

Records are separated by exactly one blank line, and a long value such as olcAccess must stay on one line or be continued on lines that begin with a single space. olcLogLevel: 0 turns slapd logging off entirely; for auditing binds and modifications use olcLogLevel: stats instead.

ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
ldapmodify: modify operation type is missing at line 22, entry "olcDatabase={1}monitor,cn=config"

The first four records were applied; the fifth was not. ldapmodify prints "modify operation type is missing" when the line after changetype: modify is not add:, delete: or replace:, which in practice means a stray blank line (ending the record early) or a value wrapped onto a new line without the leading space that marks an LDIF continuation. Without -c ldapmodify stops at the first error, so fix the monitor record and re-run ldapmodify with that record alone; until then the default ACL on the monitor database is still in place.
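The fault ldapmodify reported above can be caught before the file is sent. The Python validator below is an added example, not part of OpenLDAP and not one of this page's files: it splits the file into records the way LDIF does, rejoins continuation lines, and reports a modify record whose next line is not add:/delete:/replace:, a modify record with no changes, and an attribute line that does not match the change it belongs to. The embedded sample is the page's config.ldif with the olcAccess value wrapped using a proper continuation line; the blank line inserted for the negative check is constructed.

```python
"""Structural check of an LDIF change file before it goes to ldapmodify.

Added example for this page, not part of OpenLDAP; it never contacts slapd.
"""

MOD_OPS = ("add:", "delete:", "replace:")

# Constructed from the page's config.ldif. The long olcAccess value is wrapped
# with an LDIF continuation line: the second physical line starts with a space,
# which the reader strips before joining. Wrapped without that space, the
# remainder would be read as a new (bogus) attribute line.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=andrei,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=andrei,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPw: {SSHA}z77aYYbvyLAatE+LsdG2FZZmqS2KCpC9

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=andrei,dc=com" read by * none
"""


def unfold(text):
    """Physical lines -> logical lines as (line_number, text); continuations joined."""
    logical = []
    for num, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            first_num, prev = logical[-1]
            logical[-1] = (first_num, prev + raw[1:])
        else:
            logical.append((num, raw))
    return logical


def records(logical):
    """Group logical lines into records separated by blank lines; drop comments."""
    recs, current = [], []
    for num, line in logical:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                recs.append(current)
            current = []
        else:
            current.append((num, line))
    if current:
        recs.append(current)
    return recs


def attr_name(line):
    """Attribute type of an LDIF line, lowercased (types are case-insensitive)."""
    return line.split(":", 1)[0].strip().lower()


def check_modify_ldif(text):
    """Return a list of error strings; an empty list means the structure is acceptable."""
    errors = []
    for rec in records(unfold(text)):
        if attr_name(rec[0][1]) != "dn":
            errors.append("line %d: record does not start with dn:" % rec[0][0])
            continue
        if len(rec) < 2 or rec[1][1].lower().replace(" ", "") != "changetype:modify":
            continue                       # add/delete/plain entry records: not checked here
        if len(rec) == 2:
            errors.append("line %d: modify record has no changes" % rec[1][0])
            continue
        i = 2
        while i < len(rec):
            num, line = rec[i]
            op = next((o for o in MOD_OPS if line.lower().startswith(o)), None)
            if op is None:
                errors.append("line %d: modify operation type is missing "
                              "(expected add:/delete:/replace:)" % num)
                break
            target = line.split(":", 1)[1].strip().lower()
            i += 1
            while i < len(rec) and rec[i][1].strip() != "-":   # values of this change
                if attr_name(rec[i][1]) != target:
                    errors.append("line %d: attribute %r does not match '%s %s'"
                                  % (rec[i][0], attr_name(rec[i][1]), op, target))
                i += 1
            i += 1                                              # skip the '-' separator


    return errors


if __name__ == "__main__":
    print(check_modify_ldif(SAMPLE_CONFIG_LDIF) or "ok")
```

Run it on the real file (check_modify_ldif(open("config.ldif").read())) before ldapmodify; it does not validate attribute values or ACL syntax, only the record structure that ldapmodify rejects with the message seen above.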

vi structure.ldif

dn: dc=andrei,dc=com
dc: andrei
objectClass: top
objectClass: domain

dn: ou=people,dc=andrei,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=andrei,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit

ldapadd -x -W -D "cn=Manager,dc=andrei,dc=com" -f structure.ldif

Enter LDAP Password:
adding new entry "dc=andrei,dc=com"
adding new entry "ou=people,dc=andrei,dc=com"
adding new entry "ou=group,dc=andrei,dc=com"

ldapsearch -x -W -D "cn=Manager,dc=andrei,dc=com" -b "dc=andrei,dc=com" -s sub "(objectclass=organizationalUnit)"

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=andrei,dc=com> with scope subtree
# filter: (objectclass=organizationalUnit)
# requesting: ALL
#

# people, andrei.com
dn: ou=people,dc=andrei,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

# group, andrei.com
dn: ou=group,dc=andrei,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

vi group.ldif

The group entry itself is not shown on the page (it repeats structure.ldif at this point). What the ldapadd below accepts is a posixGroup from the nis schema loaded earlier, with gidNumber 4000 assumed here so that it matches the gidNumber given to the user later:

dn: cn=ldapusers,ou=group,dc=andrei,dc=com
cn: ldapusers
objectClass: top
objectClass: posixGroup
gidNumber: 4000

ldapadd -x -W -D "cn=Manager,dc=andrei,dc=com" -f group.ldif

Enter LDAP Password:
adding new entry "cn=ldapusers,ou=group,dc=andrei,dc=com"

cd /usr/share/migrationtools/
ls

migrate_aliases.pl              migrate_all_offline.sh  migrate_hosts.pl            migrate_protocols.pl
migrate_all_netinfo_offline.sh  migrate_all_online.sh   migrate_netgroup_byhost.pl  migrate_rpc.pl
migrate_all_netinfo_online.sh   migrate_automount.pl    migrate_netgroup_byuser.pl  migrate_services.pl
migrate_all_nis_offline.sh      migrate_base.pl         migrate_netgroup.pl         migrate_slapd_conf.pl
migrate_all_nis_online.sh       migrate_common.ph       migrate_networks.pl
migrate_all_nisplus_offline.sh  migrate_fstab.pl        migrate_passwd.pl
migrate_all_nisplus_online.sh   migrate_group.pl        migrate_profile.pl

vi migrate_common.ph

…
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "andrei.com";

# Default base
$DEFAULT_BASE = "dc=andrei,dc=com";

cd
grep ndr /etc/passwd

ndr:x:1000:1000:ndr:/home/ndr:/bin/bash

grep ndr /etc/passwd > passwd
cat passwd

ndr:x:1000:1000:ndr:/home/ndr:/bin/bash

/usr/share/migrationtools/migrate_passwd.pl passwd user.ldif

vi user.ldif

Replace ndr with the new user name, for example aredel

dn: uid=aredel,ou=People,dc=andrei,dc=com
uid: aredel
cn: aredel
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$ptpyoEV6hwRWXkeF$IvRoNi61/F.m48N.hb.EyWu72H8eQiHnm7XoaYmuHg6/yhnXNKrPUCiHwP7RFl1dNQGOer0mCpb1gHB1MYPCF.
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 4000
gidNumber: 4000
homeDirectory: /home/aredel
gecos: aredel bloggs

ldapadd -x -W -D "cn=Manager,dc=andrei,dc=com" -f user.ldif

Enter LDAP Password:
adding new entry "uid=aredel,ou=People,dc=andrei,dc=com"

Three things to check in the edited file. ou=People lands in the ou=people container created earlier only because ou values are compared case-insensitively. uidNumber and gidNumber 4000 must not collide with local accounts on any client host, and gidNumber should refer to an existing posixGroup. And the userPassword line still carries ndr's hash from /etc/shadow (migrate_passwd.pl could read it because it ran as root), so after the rename aredel logs in with ndr's password; set a new one immediately, for example with ldappasswd -x -W -D "cn=Manager,dc=andrei,dc=com" -S "uid=aredel,ou=People,dc=andrei,dc=com", and remove user.ldif, which keeps the hash on disk.
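The conversion migrate_passwd.pl performed above, as an added Python example (not the migrationtools script and not code from this page). It turns passwd(5) lines into posixAccount/shadowAccount LDIF, renames the uid, uidNumber, gidNumber and home directory in one place instead of by hand in vi, and writes a {crypt} hash only when the caller passes one explicitly, so a renamed entry does not silently inherit the original user's password. The container ou=People,dc=andrei,dc=com is the one the page uses; the min_uid cut-off and the sample passwd lines are assumptions of the example.

```python
"""Convert passwd(5) lines to posixAccount LDIF with explicit renaming.

Added example for this page; not the migrationtools migrate_passwd.pl script.
The base DN and the min_uid cut-off are assumptions of this example.
"""
import base64

BASE_DN = "dc=andrei,dc=com"
PEOPLE_DN = "ou=People," + BASE_DN   # same container the page's user.ldif uses


def escape_rdn_value(value):
    """Escape characters RFC 4514 does not allow unescaped in a DN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def ldif_attr(name, value):
    """One LDIF attribute line; values LDIF cannot carry literally are base64 (::)."""
    literal = (value.isascii() and "\n" not in value and "\r" not in value
               and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if literal:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def passwd_to_ldif(passwd_line, new_uid=None, new_uidnumber=None,
                   new_gidnumber=None, crypt_hash=None, base=PEOPLE_DN):
    """Return one LDIF record (ending in a blank line) for a passwd(5) line.

    crypt_hash is the /etc/shadow hash to store as {crypt}...; when None the
    entry gets no userPassword and a password must be set afterwards.
    """
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    name, _, uid_num, gid_num, gecos, home, shell = fields
    uid = new_uid or name
    if new_uidnumber is not None:
        uid_num = str(new_uidnumber)
    if new_gidnumber is not None:
        gid_num = str(new_gidnumber)
    if new_uid and home.endswith("/" + name):
        home = home[: -len(name)] + new_uid        # /home/ndr -> /home/aredel
    lines = [
        "dn: uid=%s,%s" % (escape_rdn_value(uid), base),
        ldif_attr("uid", uid),
        ldif_attr("cn", uid),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
    ]
    if crypt_hash:
        lines.append(ldif_attr("userPassword", "{crypt}" + crypt_hash))
    lines += [
        "shadowMin: 0",
        "shadowMax: 99999",
        "shadowWarning: 7",
        ldif_attr("loginShell", shell),
        ldif_attr("uidNumber", uid_num),
        ldif_attr("gidNumber", gid_num),
        ldif_attr("homeDirectory", home),
        ldif_attr("gecos", gecos or uid),
    ]
    return "\n".join(lines) + "\n\n"


def migrate_passwd(passwd_text, min_uid=1000, shadow_hashes=None):
    """LDIF for every account with uidNumber >= min_uid (system accounts skipped).

    shadow_hashes maps user name -> crypt hash; only users listed there get a
    userPassword attribute, everyone else must have a password set explicitly.
    """
    shadow_hashes = shadow_hashes or {}
    out = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid_num = line.split(":", 3)[:3]
        if int(uid_num) < min_uid or name == "nobody":
            continue
        out.append(passwd_to_ldif(line, crypt_hash=shadow_hashes.get(name)))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the page's passwd line, renamed the way the page did by hand
    print(passwd_to_ldif("ndr:x:1000:1000:ndr:/home/ndr:/bin/bash",
                         new_uid="aredel", new_uidnumber=4000, new_gidnumber=4000), end="")
```

Feed the output to ldapadd exactly as user.ldif was used above; because the renamed record carries no userPassword, the account cannot be used until ldappasswd sets one, which is the safer default.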

Check the status

With service

service slapd status

* slapd is running

With systemctl

systemctl status slapd

slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-06-14 09:27:21 EEST; 22min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 1627 (slapd)
   CGroup: /system.slice/slapd.service
           └─1627 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jun 14 09:27:20 ldap.andrei.com runuser[1403]: pam_unix(runuser:session): session closed for user ldap
Jun 14 09:27:20 ldap.andrei.com runuser[1410]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 14 09:27:20 ldap.andrei.com runuser[1410]: pam_unix(runuser:session): session closed for user ldap
Jun 14 09:27:20 ldap.andrei.com runuser[1420]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 14 09:27:20 ldap.andrei.com runuser[1420]: pam_unix(runuser:session): session closed for user ldap
Jun 14 09:27:20 ldap.andrei.com runuser[1426]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 14 09:27:20 ldap.andrei.com runuser[1426]: pam_unix(runuser:session): session closed for user ldap
Jun 14 09:27:20 ldap.andrei.com runuser[1432]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 14 09:27:20 ldap.andrei.com slapd[1442]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $ mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/op...s/slapd
Jun 14 09:27:21 ldap.andrei.com systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

Start the service

service slapd start

* slapd is running

The server's own configuration (the cn=config database) is stored as LDIF files under

/etc/openldap/slapd.d

on CentOS/RHEL (Debian/Ubuntu use /etc/ldap/slapd.d). Those files are generated by slapd; change the configuration through ldapmodify over ldapi:/// as above, not by editing them with vi.

Related articles
Linux
LDAP
Apache Directory Studio