使用 OpenLDAP 集中管理用户帐号
使用轻量级目录访问协议(LDAP)构建集中的身份验证系统可以减少管理成本,增强安全性,避免数据复制的问题,并提高数据的一致性。随着 Linux® 的不断成熟,已经出现了很多工具用来简化用户帐号信息到 LDAP 目录的迁移。还开发了一些工具用来在客户机和目录服务器之间启用加密通信配置,并通过复制提供容错性。本文将向您展示如何配置服务器和客户机在 Red Hat Linux 上使用 OpenLDAP。
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an administrative domain'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
角色 | 主机名 | IP 地址 |
OpenLDAP 主服务器 | dhcp64-233.ibm.com | 9.47.64.233 |
OpenLDAP 从服务器 | dhcp64-253.ibm.com | 9.47.64.253 |
OpenLDAP 客户机 | dhcp64-251.ibm.com | 9.47.64.251 |
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
# chkconfig --levels 235 ldap on
# service ldap start
Starting slapd: [ OK ]
# ps -ef | grep slap
ldap 13521 1 0 Oct24 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
# migrate_base.pl > base.ldif
# cat base.ldif
dn: dc=ibm,dc=com
dc: ibm
objectClass: top
objectClass: domain
dn: ou=People,dc=ibm,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=ibm,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapadd -x -D "cn=Manager,dc=ibm,dc=com" -W -f base.ldif
# grep ldapuser /etc/group > group.in
# ./migrate_group.pl group.in > group.ldif
# cat group.ldif
dn: cn=ldapuser,ou=Group,dc=ibm,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
userPassword: {crypt}x
gidNumber: 500
# ldapadd -x -D "cn=Manager,dc=ibm,dc=com" -W -f group.ldif
# grep ldapuser /etc/passwd > passwd.in
# ./migrate_passwd.pl passwd.in > passwd.ldif
# cat passwd.ldif
dn: uid=ldapuser,ou=People,dc=ibm,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt$1$TeOlOcMc$cpQaa0WpLSFRC1HIHW5bt1
shadowLastChange: 13048
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: ldapuser
# ldapadd -x -D "cn=Manager,dc=ibm,dc=com" -W -f passwd.ldif
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# ibm.com
dn: dc=ibm,dc=com
dc: ibm
objectClass: top
objectClass: domain
# People, ibm.com
dn: ou=People,dc=ibm,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, ibm.com
dn: ou=Group,dc=ibm,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser, Group, ibm.com
dn: cn=ldapuser,ou=Group,dc=ibm,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
gidNumber: 500
# ldapuser, People, ibm.com
dn: uid=ldapuser,ou=People,dc=ibm,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: test2
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
# service ldap stop
#Replicas of this database
replogfile /var/lib/ldap/replog
replica host=dhcp64-253.ibm.com:389
binddn="cn=Manager,dc=ibm,dc=com"
credentials=secret
bindmethod=simple
# ldapsearch -x > database.ldif
# ldapadd -x -D "cn=Manager,dc=ibm,dc=com" -W -f database.ldif
# cat user_mod
dn: uid=ldapuser,ou=People,dc=ibm,dc=com
changetype: modify
replace: gecos
gecos: test2
# tail -f /var/lib/ldap/replog &
# ldapmodify -x -r -f /home/ldapuser/user_mod -D'cn=Manager,dc=ibm,dc=com' -W
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=ibm,dc=com"
replica: dhcp64-253.ibm.com:389
time: 1130111686
dn: uid=ldapuser,ou=People,dc=ibm,dc=com
changetype: modify
replace: gecos
gecos: test2
-
replace: entryCSN
entryCSN: 20051023235446Z#000001#00#000000
-
replace: modifiersName
modifiersName: cn=Manager,dc=ibm,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20051023235446Z
-
# cd /usr/share/ssl/misc
# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into
your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Oregon
Locality Name (eg, city) [Newbury]:Beaverton
Organization Name (eg, company) [My Company Ltd]:IBM
Organizational Unit Name (eg, section) []:its
Common Name (eg, your name or your server's hostname) []:dhcp64-233.ibm.com
Email Address []:root@dhcp64-233.ibm.com
# openssl req -new -nodes -subj
'/CN=dhcp64-233.ibm.com/O=IBM/C=US/ST=Oregon/L=Beaverton'
-keyout slapd-key.pem -out slapd-req.pem -days 365
Generating a 1024 bit RSA private key
...............++++++
.....................................++++++
writing new private key to 'slapd-key.pem'
-----
# openssl ca -out slapd-cert.pem -infiles slapd-req.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 25 02:50:05 2005 GMT
Not After : Oct 25 02:50:05 2006 GMT
Subject:
countryName = US
stateOrProvinceName = Oregon
organizationName = IBM
commonName = dhcp64-233.ibm.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
11:A2:FB:59:42:A4:B3:26:73:1D:6D:F5:4D:2F:80:F0:FA:10:38:F5
X509v3 Authority Key Identifier:
keyid:F7:6A:25:F5:76:BE:20:E7:8D:0F:51:EF:D8:86:7B:AF:2C:74:2F:80
DirName:/C=US/ST=Oregon/L=Beaverton/O=IBM/OU=its/CN=dhcp64-233.ibm.com
/emailAddress=root@dhcp64-233.ibm.com
serial:00
Certificate is to be certified until Oct 25 02:50:05 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# cp -p slapd-key.pem /etc/openldap/slapdkey.pem
# cp -p slapd-cert.pem /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdcert.pem
# chmod 644 /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdkey.pem
# chmod 400 /etc/openldap/slapdkey.pem
# mkdir /etc/openldap/cacerts/
# cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
# chown ldap:ldap /etc/openldap/cacerts cacert.pem
# chmod 644 /etc/openldap/cacerts cacert.pem
#
# See slapd.conf (5) for details on configuration options.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
loglevel 256
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# The next three lines allow use of TLS for encrypting connections.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
# access control policy:
# Restrict password access to change by owner and authentication.
# Allow read access by everyone to all other attributes.
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
#######################################################################
# database definition
#######################################################################
database bdb
suffix "dc=ibm,dc=com"
rootdn "cn=Manager,dc=ibm,dc=com"
rootpw {MD5}ijFYNcSNctBYg
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
#Replicas of this database
replica host=dhcp64-253.ibm.com:389
binddn="cn=Manager,dc=ibm,dc=com"
credentials=secret
bindmethod=simple
replogfile /var/lib/ldap/replog
#
# LDAP Defaults
#
# See ldap.conf(5) for details
HOST 127.0.0.1
BASE dc=ibm,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
a
# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# [url]http://www.padl.com[/url]
#
# Your LDAP server.
# Multiple hosts may be specified, each separated by a
# space.
host dhcp64-233.ibm.com dhcp64-233.ibm.com
# The distinguished name of the search base.
base dc=ibm,dc=com
# OpenLDAP SSL mechanism, start_tls mechanism uses the normal LDAP port 389
ssl start_tls
#Require and verify server certificate
tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
pam_password md5
本文转载于:[url]http://tech.ddvip.com/2008-11/122654066191943.html[/url]
转载于:https://blog.51cto.com/lanlfeng/119401
使用 OpenLDAP 集中管理用户帐号相关推荐
- 使用command-privilege给H3C、华为设备的用户帐号授权
一.H3C设备的权限默认分为0-3这四种级别 数值越小,用户的级别越低 (1)访问权限0 级 : ping.tracert.telnet 等网络诊断小程序,不可以dis current (2)监控权限 ...
- vsftpd虚拟用户帐号
vsftpd虚拟用户帐号的设置步骤: 1.建立虚拟用户口令库文件 2.生成vsftpd的认证文件 3.建立虚拟用户所需的PAM配置文件 4.建立虚拟用户所要访问的目录并设置相应权限 ...
- 在AD中批量添加多个用户帐号
问题: 如何批量的创建帐号? 解决方案: 在利用CSVDE.EXE或LDIFDE.EXE来批量创建用户帐号 实验环境: Windows 2003 如果我们要想批量的创建帐号的话,我们可以首先利用文字编 ...
- mysql 同一帐号多次登录_freeradius2.1.3 防止用户帐号重复登录
freeradius2.1.3 防止用户帐号重复登录 一.修改 etc/raddb/sites-enabled 目录中的default 及inner-tunnel 这两个文件中的 # Session ...
- 在 phpMyAdmin 里添加新用户帐号
为了数据库的安全性,尽量不用 root 来连接网站的数据库,以前用 cPanel 面板时,这个不是问题,添加帐号很简单,现在 VPS 不提供任何面板,只能用phpmyadmin 来创建新用户帐号了,这 ...
- mysql fulsh_MYSQL教程:MySQL用户帐号管理_MySQL
MySQL用户帐号管理主要用grant(授权)和revoke(撤权)两个SQL指令来管理.这两个指令实质是通过操作user(连接权限和全局权限).db(数据库级权限).tables_priv(数据表级 ...
- 如何创建隐藏用户帐号
创建隐藏用户 要想控制远端的计算机,那我想就少不了隐藏用户帐号的问题了,其实创建隐藏用户帐号还是比较简单的,现在我就把创建隐藏用户帐号告诉大家.<?xml:n ...
- 【AD】取消普通域用户帐号加域权限授权特定普通域用户加域权限
通常来说,没有做什么特别的设定的话,都是手动加域,且使用的是管理员帐号,这种情况下是有风险的,容易被人记忆密码.所以,如果可以设置一个普通用户帐号,专门用来执行加域操作,就会降低此类风险.其实默认情况 ...
- 有没有计算机用户号,刚做的系统怎么有账户-用户帐号系统设计的原则有哪些?...
用户帐号系统设计的原则有哪些? http://developer.okta.com 直接用人家的SDK 啊哈 刚买的电脑创建了一个微软账户,我的微软账户需要验证身份,但我收不到验证码怎么办,现在啥也干 ...
最新文章
- python3精要(59)-转换
- RFID会议签到系统总结(二十一)――服务端的通讯
- Leetcode 数据结构与算法题解大全——目录(推荐收藏,持续更新)
- 论文浅尝 | 直译优于翻译?混合语言的知识库问答方法研究
- 那个男人 ,他带着Vue3来了~
- Asp.Net SignalR 集群会遇到的问题
- 详细教您如何把wav转换成mp3格式
- sqlite3返回码
- java正则表达式控制半角字符串输入
- 火剪剪辑系统,火剪矩阵系统,火剪系统源码框架
- 【转载】ASP.Net请求处理机制初步探索之旅 - Part 3 管道
- 尝试用visio画个等边三角形
- win10操作系统创建局域网共享文件夹
- Scala中Either两个子类Left/Right
- python 福利吧_段友福利:Python爬取段友之家贴吧图片和小视频
- 【ThreeJS基础教程】0.在学习使用ThreeJS之前
- wps office word 插入图片显示异常 只显示一个长条
- PLSQL Developer新手使用教程(图文教程)(转载)
- 最新发布 Debian 系统的详细安装过程
- 百度网盘资源下载加速教学