Installing OpenLDAP on Ubuntu 12.04 (without encryption or TLS verification)

Background: the company already runs an OpenLDAP client + server system, and I need to back that system up so that it stays available.

System environment: Ubuntu 12.04

Preparation: the Berkeley DB and OpenLDAP versions must match (or both be the latest release), otherwise the OpenLDAP build runs into many problems. This article uses older versions:
berkeley-db: 4.7.25 (to check the version on a system where it is already installed: cat /usr/local/<BerkeleyDB install directory>/include/db.h | grep "DB_VERSION_STRING")
openldap: 2.4.40 (to check the version on a system where it is already installed: /usr/local/libexec/slapd -V)

Download links for the versions above:

http://download.oracle.com/berkeley-db/db-4.7.25.tar.gz

ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz

Server installation steps:

mkdir /usr/local/openldap_install
cd /usr/local/openldap_install
wget http://download.oracle.com/berkeley-db/db-4.7.25.tar.gz
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz
tar -zxvf db-4.7.25.tar.gz
cd db-4.7.25/
cd build_unix/
../dist/configure
make  -j9
make  install

After installing BerkeleyDB, its shared libraries (.so files) must be added to the system library path, otherwise OpenLDAP cannot be built and installed.

Locate the lib directory under the BerkeleyDB install directory and add that path to /etc/ld.so.conf:
echo "/usr/local/BerkeleyDB.4.7/lib" >>/etc/ld.so.conf
ldconfig -v  # register BerkeleyDB's .so files with the dynamic linker cache
Then build and install OpenLDAP:
cd /usr/local/openldap_install
tar -zxvf openldap-2.4.40.tgz
cd openldap-2.4.40/   # change into the extracted source tree before running configure
# note: the BerkeleyDB install path in the command below must match your installation
./configure CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include -D_GNU_SOURCE" LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib"
make depend
make -j9
make install

Note: with the default settings, everything on the server side is installed under /usr/local/.

/usr/local/BerkeleyDB.4.7   BerkeleyDB directory

/usr/local/etc/openldap  OpenLDAP installation directory (slapd.conf and the schema files live here)

/usr/local/libexec  directory of the OpenLDAP slapd binary

/usr/local/var/openldap-data  OpenLDAP database directory

Before starting the service, edit the configuration in /usr/local/etc/openldap/slapd.conf:

include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/duaconf.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/pmi.schema
include         /usr/local/etc/openldap/schema/collective.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# The purpose of these lines still needs to be confirmed; they are not used this time.
TLSCACertificateFile  /usr/local/etc/certs/cacert.pem
TLSCertificateFile    /usr/local/etc/certs/new-server.crt
TLSCertificateKeyFile /usr/local/etc/certs/new-server.key
TLSVerifyClient never

access to attrs=shadowLastChange,userPassword
      by self write
      by * auth
access to *
      by self write
      by * read

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
############
database        bdb
suffix          "dc=bokecc,dc=com"
checkpoint      1024 15
rootdn          "cn=root,dc=my-domain,dc=com"

rootpw          secret

directory       /usr/local/var/openldap-data

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

loglevel 256
logfile /usr/local/var/slapd.log
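Added example, written for this article and not part of OpenLDAP or the original post: a small Python auditor for slapd.conf. It parses the slapd.conf(5) line syntax (an indented line continues the previous directive, `#` starts a comment), splits the file into the global section and the per-`database` sections, and flags the three points a reviewer would raise about a configuration like the one above: `rootpw secret` stored in cleartext (slappasswd produces a `{SSHA}` hash to use instead), no `security` directive so simple binds are accepted over plain `ldap://`, and, using slapd's first-match ACL evaluation, whether `userPassword` ends up readable by `*`. The sample configurations are constructed; the `{SSHA}` value is a placeholder rather than a real digest, and the `security ssf=128` line is the assumed fix.

```python
import re

# Constructed sample modelled on the article's slapd.conf (abridged); suffix and
# rootdn values are illustrative.
SAMPLE_CONF = """\
include         /usr/local/etc/openldap/schema/core.schema
pidfile         /usr/local/var/run/slapd.pid

# global ACLs: the first rule that matches an attribute decides
access to attrs=shadowLastChange,userPassword
      by self write
      by * auth
access to *
      by self write
      by * read

database config
access to *
        by * none

database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=root,dc=my-domain,dc=com"
rootpw          secret
directory       /usr/local/var/openldap-data
"""

# Same file with the fixes applied: a hashed rootpw (placeholder text, not a real
# slappasswd digest) and a `security` directive requiring a protected transport.
HARDENED_CONF = SAMPLE_CONF.replace(
    "rootpw          secret", "rootpw          {SSHA}PLACEHOLDER-OUTPUT-OF-slappasswd"
).replace("pidfile", "security        ssf=128\npidfile", 1)

# Variant without the userPassword rule, so `access to * ... by * read` covers it.
WEAK_ACL_CONF = SAMPLE_CONF.replace(
    "access to attrs=shadowLastChange,userPassword\n      by self write\n      by * auth\n", "")

HASH_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")
READ_LEVELS = ("compare", "search", "read", "write", "manage")


def parse_slapd_conf(text):
    """Return [(directive, args)]; indented lines continue the previous directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def split_sections(entries):
    """Group directives into the global section plus one section per `database`."""
    sections = [("global", [])]
    for directive, args in entries:
        if directive == "database":
            sections.append((args.split()[0] if args else "?", []))
        else:
            sections[-1][1].append((directive, args))
    return sections


def password_acl_finding(rules):
    """Apply slapd's first-match ACL evaluation to the userPassword attribute."""
    for args in rules:
        what, _, rest = args.partition(" by ")
        what = re.sub(r"^to\s+", "", what.strip())
        if what != "*" and not re.search(r"attrs=\S*userpassword", what, re.I):
            continue  # this rule does not cover userPassword
        for who, level in re.findall(r"by\s+(\S+)\s+(\w+)", "by " + rest):
            if who in ("*", "anonymous", "users") and level in READ_LEVELS:
                return f"userPassword: `{who}` gets `{level}` access (first matching rule: access to {what})"
        return None  # the first matching rule decides; later rules are never reached
    return "no access rule covers userPassword; add an explicit `by * auth` rule"


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_slapd_conf(text)
    findings = []
    if not any(d == "security" for d, _ in entries):
        findings.append("global: no `security` directive, so simple binds are accepted "
                        "in cleartext over ldap://")
    sections = split_sections(entries)
    global_rules = [a for d, a in sections[0][1] if d == "access"]
    for name, directives in sections[1:]:
        if name in ("config", "monitor"):
            continue  # internal backends hold no user entries
        for d, a in directives:
            if d == "rootpw" and not a.startswith(HASH_SCHEMES):
                findings.append(f"database {name}: rootpw is stored in cleartext; "
                                "use the output of slappasswd instead")
        # database-specific rules are evaluated before the global ones
        rules = [a for d, a in directives if d == "access"] + global_rules
        problem = password_acl_finding(rules)
        if problem:
            findings.append(f"database {name}: {problem}")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", SAMPLE_CONF), ("weak ACL", WEAK_ACL_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

To run it against a real file, pass `open("/usr/local/etc/openldap/slapd.conf").read()` to `audit()`; the parser ignores the directives it does not audit, so the full schema and index lists above pass through unchanged.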

How to start the server:

/usr/local/libexec/slapd -h ldap://1.1.1.1 -f /usr/local/etc/openldap/slapd.conf

It started without problems. Subsequent steps will go through

Client installation steps:

The client and the server are installed on the same machine.

Method 1: manual installation and configuration

1. Install with apt
apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
During installation you are prompted for the LDAP details: LDAP server address, base DN and so on. The answers are saved in /etc/ldap.conf and can be changed later with dpkg-reconfigure ldap-auth-config, where:
LDAP server URI format: ldap://ldapServerIP/
search base: dc=my,dc=com,dc=com
root LDAP account: cn=admin,dc=my,dc=com,dc=cn      Make local root Database admin: no
2. Edit the nsswitch.conf file
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

#hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

3. Add ldap to the NSS/authentication configuration:
auth-client-config -t nss -p lac_ldap
Running the command above is all that is needed.

4. Create the user's home directory automatically after successful authentication:
append the following to /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel umask=0022

5. Enable the LDAP authentication method in PAM
pam-auth-update

6. Allow changing user passwords locally with passwd (optional)
remove the use_authtok parameter from /etc/pam.d/common-password

7. Restart the relevant services
update-rc.d nslcd enable
/etc/init.d/nslcd restart

See http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client

Method 2: script-based configuration (source: http://blog.csdn.net/qk1992919/article/details/51262424)

To be revised:

If many machines need to be configured, doing it by hand is impractical; run the following shell script on each target machine to automate the configuration:
#!/bin/bash

#--------------------------------------------------------------------------------

# LDAP server address and base DN
LDAP_SERVER_IP=192.168.1.100
BASE_DN='dc=my,dc=com,dc=cn'

#--------------------------------------------------------------------------------

# Create the preseed file so the package installation answers its own debconf questions
# (truncate it first so that re-running the script does not append duplicate answers)
> debconf-ldap-preseed.txt
echo "ldap-auth-config    ldap-auth-config/ldapns/ldap-server    string    ldap://$LDAP_SERVER_IP" >> debconf-ldap-preseed.txt
echo "ldap-auth-config    ldap-auth-config/ldapns/base-dn    string    $BASE_DN" >> debconf-ldap-preseed.txt
echo "ldap-auth-config    ldap-auth-config/ldapns/ldap_version    select    3" >> debconf-ldap-preseed.txt
echo "ldap-auth-config    ldap-auth-config/dbrootlogin    boolean    false" >> debconf-ldap-preseed.txt
echo "ldap-auth-config    ldap-auth-config/dblogin    boolean    false" >> debconf-ldap-preseed.txt
echo "nslcd   nslcd/ldap-uris string  ldap://$LDAP_SERVER_IP" >> debconf-ldap-preseed.txt
echo "nslcd   nslcd/ldap-base string  $BASE_DN" >> debconf-ldap-preseed.txt

cat debconf-ldap-preseed.txt | debconf-set-selections

# Install the LDAP client packages
apt-get install -y ldap-utils libpam-ldap libnss-ldap nslcd

# Add ldap to the NSS/authentication configuration
auth-client-config -t nss -p lac_ldap

# Create the user's home directory automatically after login
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session

# Start the service at boot
update-rc.d nslcd enable

# Allow changing user passwords on the host with passwd
cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
sed -i 's/use_authtok//' /etc/pam.d/common-password

# Apply the configuration
/etc/init.d/nslcd restart
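Added example, written for this article and not taken from the post or the script it reproduces: a Python verifier for the client state that the manual steps (Method 1) and the script above (Method 2) are meant to produce. It parses /etc/nsswitch.conf (dropping `[action]` specifiers such as `[NOTFOUND=return]`) and the PAM files, then reports anything that deviates from the intended setup: a database that does not consult `ldap` or consults it before `files`, a missing `pam_mkhomedir.so` line, a `use_authtok` that the sed above should have removed, and a plain `ldap://` URI in /etc/ldap.conf without the `ssl start_tls` setting, which is the post's own "no encryption" caveat. File contents are passed in as a dict so the check runs offline on the constructed samples; `read_files()` collects the real files on a host.

```python
import os
import re

# Constructed samples showing the state the steps above leave a client in.
SAMPLE_FILES = {
    "/etc/nsswitch.conf": """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns [NOTFOUND=return] mdns4
networks:       files
""",
    "/etc/pam.d/common-session": """\
session [default=1]     pam_permit.so
session required        pam_unix.so
session optional        pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
""",
    "/etc/pam.d/common-password": """\
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
""",
    "/etc/ldap.conf": """\
base dc=my,dc=com,dc=cn
uri ldap://192.168.1.100/
ldap_version 3
""",
}

# A client where the steps were skipped or applied in the wrong order.
BROKEN_FILES = dict(SAMPLE_FILES)
BROKEN_FILES["/etc/nsswitch.conf"] = "passwd: ldap files\ngroup: files ldap\nshadow: files\n"
BROKEN_FILES["/etc/pam.d/common-session"] = "session required        pam_unix.so\n"
BROKEN_FILES["/etc/pam.d/common-password"] = SAMPLE_FILES["/etc/pam.d/common-password"].replace(
    "try_first_pass", "use_authtok try_first_pass")


def parse_nsswitch(text):
    """Map each database to its ordered list of sources, dropping [action] specs."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        table[db.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return table


def pam_modules(text):
    """Return [(type, module, [args])] for the non-comment lines of a PAM config."""
    mods = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # the control field may be a bracketed list containing spaces
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            mods.append((m.group(1), m.group(3), m.group(4).split()))
    return mods


def check_client(files):
    """Return a list of problems; an empty list means the client matches the setup."""
    problems = []
    nss = parse_nsswitch(files.get("/etc/nsswitch.conf", ""))
    for db in ("passwd", "group", "shadow"):
        srcs = nss.get(db, [])
        if "ldap" not in srcs:
            problems.append(f"nsswitch: {db} does not consult ldap ({srcs})")
        elif srcs[0] != "files":
            problems.append(f"nsswitch: {db} should list files before ldap so local accounts "
                            "still resolve when nslcd is down")
    session = pam_modules(files.get("/etc/pam.d/common-session", ""))
    if not any(mod == "pam_mkhomedir.so" for _, mod, _ in session):
        problems.append("common-session: pam_mkhomedir.so missing, LDAP users get no home directory")
    for _, mod, args in pam_modules(files.get("/etc/pam.d/common-password", "")):
        if mod == "pam_ldap.so" and "use_authtok" in args:
            problems.append("common-password: use_authtok still present on pam_ldap.so; "
                            "the setup removes it so passwd can change passwords locally")
    ldapconf = files.get("/etc/ldap.conf", "")
    uri = re.search(r"^\s*uri\s+(\S+)", ldapconf, re.M)
    if uri and uri.group(1).startswith("ldap://") and not re.search(r"^\s*ssl\s+start_tls", ldapconf, re.M):
        problems.append("ldap.conf: plain ldap:// without `ssl start_tls`, credentials cross "
                        "the network in cleartext")
    return problems


def read_files(paths):
    """Collect the real files from a host (missing files are simply absent from the dict)."""
    return {p: open(p, encoding="utf-8").read() for p in paths if os.path.exists(p)}


if __name__ == "__main__":
    print("sample:", check_client(SAMPLE_FILES) or ["ok"])
    print("broken:", check_client(BROKEN_FILES) or ["ok"])
```

On a configured host, `check_client(read_files(SAMPLE_FILES.keys()))` runs the same checks against the real files; with the setup exactly as described in this post, the only expected report is the cleartext `ldap://` one.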




Reprinted from blog.csdn.net/jinyuxiaoqiang/article/details/79552061