Linux OpenLDAP Quick Guide -- coolwinds 2005/03/25
By the way, could someone tell me why the Chinese test does not pass? Corrections, reposts and discussion are welcome!!
Installation steps:
OpenLDAP needs Berkeley DB to store its data, so Berkeley DB 4.2.52 must be installed first. It can be downloaded from its website (URL given above). Unpack it with:
# tar -zxvf db-4.2.52.tar.gz
Unpacking creates a db-4.2.52 directory. Change into its build_unix subdirectory and configure, build and install with:
# ../dist/configure
# make
# make install
After installation, add the library path /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf and run ldconfig once so the change takes effect; otherwise the OpenLDAP build cannot find the Berkeley DB libraries.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Installing OpenLDAP %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# tar -zxvf openldap-version.tgz
Unpacking creates an openldap-version directory. Change into it and configure, build and install with:
# env CPPFLAGS="-I /usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L /usr/local/BerkeleyDB.4.2/lib" ./configure --prefix=/usr/local/openldap --enable-ldbm
The configure line must point CPPFLAGS and LDFLAGS at the Berkeley DB include and lib directories; otherwise configure aborts with a Berkeley DB version mismatch when it reaches the database checks. Without --enable-ldbm, make test complains that ldbm cannot be found (ldbm is the older backend; bdb is enabled by default).
# make depend
# make
# make test
# make install
########################## Create the top-level entries: root.ldif ###################################
dn: dc=xkit,dc=net
objectclass: dcObject
objectclass: organization
o: people
dc: xkit

dn: cn=Manager,dc=xkit,dc=net
objectclass: organizationalRole
cn: Manager

dn: ou=people,dc=xkit,dc=net
objectclass: organizationalUnit
ou: people
(Each attribute is "name: value" and entries are separated by a blank line. Load the file with ldapadd as shown for test.ldif below while slapd is running, or with slapadd while slapd is stopped.)
#########################################################################################
Use the MigrationTools scripts to convert /etc/passwd into an LDIF file. Set $DEFAULT_BASE in migrate_common.ph to dc=xkit,dc=net first. When run as root the script also reads /etc/shadow and copies the password hashes into the output, so keep passwd.ldif mode 600 and delete it when the import is done:
[root@coolwinds MigrationTools-46]# perl migrate_passwd.pl /etc/passwd passwd.ldif
For example, test.ldif (one entry taken from passwd.ldif; "{crypt}!!" is the locked-account marker copied from /etc/shadow, so this user cannot authenticate until a password is set with ldappasswd):
dn: uid=test,ou=People,dc=xkit,dc=net
uid: test
cn: 测试
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 6574
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 506
gidNumber: 100
homeDirectory: /home/users/test
gecos: 测试
Then load it with:
ldapadd -x -D "cn=Manager,dc=xkit,dc=net" -W -f test.ldif
Or in one step with slapadd (slapd must be stopped while slapadd writes to the database, and the parent entry ou=People,dc=xkit,dc=net must already exist):
(perl migrate_passwd.pl /etc/passwd passwd.ldif && /usr/sbin/slapadd -l passwd.ldif)
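As an added illustration of the LDIF the migration step produces (example code written for this guide, not part of MigrationTools or OpenLDAP), the following POSIX shell script converts passwd(5) lines into entries with the same layout as test.ldif. It assumes the base dc=xkit,dc=net with users under ou=People, treats uid numbers below 500 as system accounts to skip, never writes a hash that was not in its input, and base64-encodes any value that is not an RFC 2849 safe string (non-ASCII, or a leading space, colon or "<"), which is what a Chinese cn needs. The input lines are constructed inside the script.

```sh
#!/bin/sh
# Added example: minimal passwd(5) -> LDIF converter in the layout of test.ldif.
# Assumptions: base DN given as $1, users under ou=People, uid < 500 skipped.
export LC_ALL=C   # byte-wise matching so [^ -~] catches every non-ASCII byte

# Emit "name: value", or "name:: base64" when the value is not an
# RFC 2849 SAFE-STRING (non-ASCII bytes, or a leading space, ':' or '<').
ldif_attr() {
  name=$1; value=$2
  if printf '%s' "$value" | grep -q '[^ -~]'; then
    enc=1
  else
    case $value in ' '*|:*|'<'*) enc=1 ;; *) enc=0 ;; esac
  fi
  if [ "$enc" -eq 1 ]; then
    printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | openssl enc -base64 -A)"
  else
    printf '%s: %s\n' "$name" "$value"
  fi
}

# Read passwd lines on stdin, write LDIF entries under ou=People,$1 on stdout.
passwd_to_ldif() {
  base=$1
  while IFS=: read -r user pw uidn gidn gecos home shell; do
    [ "$uidn" -ge 500 ] || continue          # skip system accounts
    [ -n "$gecos" ] || gecos=$user
    ldif_attr dn "uid=$user,ou=People,$base"
    ldif_attr uid "$user"
    ldif_attr cn "$gecos"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    # "x", "*", "!..." or empty: no usable hash here (it lives in /etc/shadow
    # or the account is locked). Emit the locked marker and set the password
    # later with ldappasswd instead of spreading hashes into another file.
    case $pw in
      x|'*'|'!'*|'') printf 'userPassword: {crypt}!!\n' ;;
      *)             printf 'userPassword: {crypt}%s\n' "$pw" ;;
    esac
    ldif_attr loginShell "$shell"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidn" "$gidn"
    ldif_attr homeDirectory "$home"
    ldif_attr gecos "$gecos"
    echo                                      # blank line ends the entry
  done
}

# Constructed sample input (not a real /etc/passwd; the hash is a fake placeholder).
sample_passwd() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'test:x:506:100:测试:/home/users/test:/sbin/nologin' \
    'alice:$1$c0nstructed$fakehashforthedemo:507:100:Alice Example:/home/users/alice:/bin/bash'
}

# Usage: sample_passwd | passwd_to_ldif 'dc=xkit,dc=net' > passwd.ldif
sample_passwd | passwd_to_ldif 'dc=xkit,dc=net'
```

The root line is dropped, the Chinese cn comes out as "cn:: 5rWL6K+V" (base64 of its UTF-8 bytes), and the "x" in the password field becomes the locked marker rather than a hash pulled from /etc/shadow.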
###########################################################################################
The entries just added can be queried with:
# ldapsearch -x -b 'dc=xkit,dc=net'
-b sets the search base; it can be omitted if BASE is set in the client's ldap.conf.
If ACLs are defined in /etc/openldap/slapd.conf, this anonymous search will not return protected attributes such as userPassword and mail. To see them you must bind as the user (the bind DN includes ou=People, matching the entries created above):
# ldapsearch -x -LLL -h localhost -b 'dc=xkit,dc=net' -D 'uid=test,ou=People,dc=xkit,dc=net' -W 'uid=test'
At the prompt enter that user's userPassword; the entry is then returned with everything the ACLs grant to its owner.
Common commands
* Deleting an entry: ldapdelete
# ldapdelete -x -D 'cn=Manager,dc=xkit,dc=net' -W 'uid=test,ou=People,dc=xkit,dc=net'
* Setting a user's password (the entry must of course have a userPassword attribute):
# ldappasswd -x -D "cn=Manager,dc=xkit,dc=net" -W -S "uid=test,ou=People,dc=xkit,dc=net"
New password:
Re-enter new password:
Enter bind password:
Result: Success (0)
[Note]
"Enter bind password" asks for the password of the administrator cn=Manager,dc=xkit,dc=net.
* Changing the administrator password
# slappasswd -h {SSHA}      (or -h {MD5}; the prompts are the same)
New password
Re-enter new password
{MD5}xxxdsjlksdjflksjdfoisjsn;weurtwoujfo
{SSHA}83DJ4KVwqlk1uh9k2uDb8+NT1U4RgkEs
接下再拷贝到 path/to/sldap.conf 的 rootpw 即可,重启使用配置文件生效
* Modifying directory contents with ldapmodify
# ldapmodify -x -D "cn=Manager,dc=xkit,dc=net" -W -f modify.ldif
ldapmodify expects a change record: the entry's dn, "changetype: modify", then one block per attribute operation, separated by a line containing "-". A full add-style entry (as used with ldapadd) is not a valid modify. For example, to change cn and gecos:
dn: uid=test,ou=People,dc=xkit,dc=net
changetype: modify
replace: cn
cn: 中文测试没有通过
-
replace: gecos
gecos: 中文测试没有通过
Non-ASCII values such as the Chinese cn above must be UTF-8; slapd rejects any other encoding (GB2312, for instance) with "invalid syntax". RFC 2849 also requires such values to be base64-encoded and written with a double colon ("cn:: ..."), which is how ldapsearch prints them.
Enabling SASL authentication
This requires the Cyrus SASL library on the system and an OpenLDAP build with SASL support (the default when the library is present). Cyrus SASL is available from http://asg.web.cmu.edu/cyrus. Create a SASL user in the sasldb:
# saslpasswd2 -c test
Then add the following to slapd.conf (the mapped DN must be where the user's entry actually lives; the migrated entries are under ou=People):
sasl-regexp
        uid=(.*),cn=.*,cn=auth
        uid=$1,ou=People,dc=xkit,dc=net
Restart the server for the change to take effect. This mapping is the most permissive form: any SASL user name, from any mechanism and realm, is mapped straight to an entry. Consult the documentation to narrow it. Test with:
# ldapsearch -Y DIGEST-MD5 -U test -b 'uid=test,ou=People,dc=xkit,dc=net'
DIGEST-MD5 prompts for a password; enter the one set with saslpasswd2. (-U gives the SASL user name; -D is ignored for SASL binds.)
Disabling anonymous access to the whole server
Add "disallow bind_anon" to slapd.conf. The unauthenticated "ldapsearch -x" above then fails with inappropriate authentication. Simple binds still begin as an anonymous session, so the "by anonymous auth" clause on userPassword must be kept.
###################################/etc/openldap/ldap.conf#####################################
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=net
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=xkit,dc=net
###################################/etc/openldap/slapd.conf#####################################
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
# ACL configuration: the directives below define access control.
# ACLs are evaluated in order and the first matching "access to" clause wins,
# so the attribute rules must come before the catch-all rule on the subtree.
access to attrs=userPassword
        # only the owner may change it; anyone may use it to authenticate; nobody else can read it
        by self write
        by anonymous auth
access to attrs=mail
        by dn="cn=Manager,dc=xkit,dc=net" write
        # only the owner may change it; authenticated users may read it
        by self write
        by users read
access to dn.subtree="dc=xkit,dc=net"
        # everything not restricted above is readable by everyone.
        # Caveat: "by self write" here also covers uidNumber, gidNumber, homeDirectory
        # and loginShell, so a user can rewrite their own POSIX identity (uid 0 included).
        # Put those attributes in an earlier "access to attrs=..." rule that grants read only.
        by self write
        by * read
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database ldbm
suffix "dc=xkit,dc=net"
rootdn "cn=Manager,dc=xkit,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
# replogfile /var/lib/ldap/openldap-master-replog
# replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
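The following added example (not part of the guide) is a small shell audit of slapd.conf for the points raised on this page: cleartext or unsalted rootpw, anonymous binds, LDAPv2, missing TLS, and a whole-entry ACL that grants "by self write". It writes two constructed configurations, one mirroring the sample above and one assumed hardened variant (the read-only attribute rule for uidNumber, gidNumber, homeDirectory and loginShell and the certificate paths are my suggestion, not from the guide), and greps them. Run audit_slapd_conf on a real file to get the same report.

```sh
#!/bin/sh
# Added example: static checks of slapd.conf for the weaknesses discussed above.
# Both configurations below are constructed for the demo.

write_sample_conf() {     # mirrors the page's slapd.conf settings
  cat >"$1" <<'EOF'
allow bind_v2
access to attrs=userPassword
        by self write
        by anonymous auth
access to dn.subtree="dc=xkit,dc=net"
        by self write
        by * read
database ldbm
suffix "dc=xkit,dc=net"
rootdn "cn=Manager,dc=xkit,dc=net"
rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==
directory /var/lib/ldap
EOF
}

write_hardened_conf() {   # assumed hardened variant (paths are placeholders)
  cat >"$1" <<'EOF'
disallow bind_anon
TLSCertificateFile /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
access to attrs=userPassword
        by self write
        by anonymous auth
access to attrs=uidNumber,gidNumber,homeDirectory,loginShell
        by users read
access to dn.subtree="dc=xkit,dc=net"
        by users read
database bdb
suffix "dc=xkit,dc=net"
rootdn "cn=Manager,dc=xkit,dc=net"
rootpw {SSHA}83DJ4KVwqlk1uh9k2uDb8+NT1U4RgkEs
directory /var/lib/ldap
EOF
}

# Print one line per finding; the exit status is the number of findings.
audit_slapd_conf() {
  conf=$1; n=0
  if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$conf"; then
    echo "rootpw is cleartext: generate a hash with slappasswd -h {SSHA}"; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[{](MD5|SHA)[}]' "$conf"; then
    echo "rootpw uses an unsalted {MD5}/{SHA} hash: prefer {SSHA}"; n=$((n+1))
  fi
  if ! grep -Eq '^[[:space:]]*disallow[[:space:]].*bind_anon' "$conf"; then
    echo "anonymous binds allowed: add 'disallow bind_anon'"; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*allow[[:space:]].*bind_v2' "$conf"; then
    echo "LDAPv2 binds enabled: drop 'allow bind_v2' unless a legacy client needs it"; n=$((n+1))
  fi
  if ! grep -Eq '^[[:space:]]*TLSCertificateFile' "$conf"; then
    echo "no TLS certificate: simple binds send passwords in cleartext"; n=$((n+1))
  fi
  # An "access to" clause without attrs= covers every attribute; "by self write"
  # under it lets users change their own uidNumber/gidNumber/loginShell.
  if awk '/^[[:space:]]*access[[:space:]]+to/ { entry = ($0 !~ /attrs?=/) }
          entry && /^[[:space:]]*by[[:space:]]+self[[:space:]]+write/ { hit = 1 }
          END { exit hit ? 0 : 1 }' "$conf"; then
    echo "'by self write' on a whole-entry ACL: users can edit their own POSIX attributes"; n=$((n+1))
  fi
  return "$n"
}

audit_count() {           # number of findings as a clean integer
  audit_slapd_conf "$1" | grep -c . || true
}

# Demo run on the constructed sample: prints the findings and their count.
f=$(mktemp); write_sample_conf "$f"
audit_slapd_conf "$f"; echo "findings: $?"
rm -f "$f"
```

On the sample the audit reports five findings (unsalted rootpw, anonymous binds, LDAPv2, no TLS, self-writable entries); on the hardened file it reports none.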