文章目录
1,安装配置openldap
a, 配置simple auth
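# Install the OpenLDAP server/client packages and seed slapd.conf from the
# legacy template (this walkthrough uses slapd.conf, not the cn=config database).
yum install openldap-servers openldap-clients -y
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

# Set the LDAP administrator (rootdn) password. The value is hashed with
# slappasswd before it is written, so slapd.conf never holds the cleartext
# password; override the default via LDAP_ADMIN_PW. (slappasswd -s puts the
# password in argv for a moment; use slappasswd -T <file> when that matters.)
# Line 122 assumes the stock CentOS 6 template layout — confirm on other versions.
ldap_admin_pw=${LDAP_ADMIN_PW:-123456}
rootpw_hash=$(slappasswd -s "$ldap_admin_pw") || exit 1
sed -i "122irootpw ${rootpw_hash}" /etc/openldap/slapd.conf
sed -i 's@my-domain@cdh@g' /etc/openldap/slapd.conf

# Move any existing cn=config directory aside (slapd uses it in preference to
# slapd.conf when present) and wipe the old database files so slapd starts
# from an empty directory.
mv /etc/openldap/slapd.d/ "/tmp/slapd.d.$(date +"%F_%T")"
rm -rf /var/lib/ldap/*

# Start the service
service slapd start

# Send slapd's syslog output (facility local4) to its own file: the rule is
# appended right after the existing local7 line in rsyslog.conf.
sed -i '/local7/alocal4.* /var/log/slapd.log' /etc/rsyslog.conf
service rsyslog restart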
b, ldap增删改查
ldap存储的逻辑结构如下图:
- DN:Distinguished Name, 每条entry对应一个dn
- DC:Domain Component
- CN:Common Name
- OU:Organizational Unit
添加用户
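######################## Create: add users ##################
# Option 1: import existing system users into LDAP with migrationtools
#yum install migrationtools -y
#sed -i 's@$DEFAULT_MAIL_DOMAIN = ".*"@$DEFAULT_MAIL_DOMAIN = "cdh.com"@' /usr/share/migrationtools/migrate_common.ph
#sed -i 's@$DEFAULT_BASE = "dc=.*,dc=.*"@$DEFAULT_BASE = "dc=cdh,dc=com"@' /usr/share/migrationtools/migrate_common.ph
#
# Add a throwaway system login user to serve as the template
#useradd ldap1
#echo -e 'ldap1\nldap1' |passwd ldap1
# Generate the organisational-unit and user templates
#/usr/share/migrationtools/migrate_base.pl |head -5 > ou.ldif
#/usr/share/migrationtools/migrate_base.pl |grep People -A3 >> ou.ldif
#tail -n 1 /etc/passwd > people
#/usr/share/migrationtools/migrate_passwd.pl people people.ldif
# Remove the template system user again
#userdel ldap1
#
# Import the entries:
# -x Use simple authentication instead of SASL
# -w LDAP administrator password   -D bind DN
# -f Read the entry modification information from file
#ldapadd -x -w 123456 -D "cn=Manager,dc=cdh,dc=com" -f ou.ldif
#ldapadd -x -w 123456 -D "cn=Manager,dc=cdh,dc=com" -f people.ldif

# Option 2: write the entry attributes by hand.
# The admin password is handed to the ldap tools through a 0600 temp file with
# -y instead of -w, so it does not appear in `ps` output or the shell history;
# the file is removed when this script exits. Override the default via LDAP_ADMIN_PW.
ldap_admin_pw=${LDAP_ADMIN_PW:-123456}
admin_bind_dn='cn=Manager,dc=cdh,dc=com'
admin_pw_file=$(mktemp) || exit 1
trap 'rm -f -- "$admin_pw_file"' EXIT
chmod 600 -- "$admin_pw_file"
# no trailing newline: -y uses the whole file content as the password
printf '%s' "$ldap_admin_pw" > "$admin_pw_file"

# Define the top-level domain
cat > domain.ldif <<EOF
dn: dc=cdh,dc=com
objectClass: top
objectClass: domain
EOF
# Add the entry
ldapadd -x -y "$admin_pw_file" -D "$admin_bind_dn" -f domain.ldif || exit 1

# Define the organisational unit and one user under it. userPassword is stored
# as a slappasswd hash ({SSHA} by default) instead of the cleartext value;
# simple binds keep working because slapd hashes the supplied password on bind.
# LDIF records are separated by a blank line (RFC 2849).
user_pw_hash=$(slappasswd -s ldap1) || exit 1
cat > users.ldif <<EOF
# organisational unit
dn: ou=People,dc=cdh,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# user under that unit
dn: uid=ldap1,ou=People,dc=cdh,dc=com
uid: ldap1
objectClass: top
objectClass: account
objectClass: shadowAccount
userPassword: ${user_pw_hash}
EOF
# Add the entries
ldapadd -x -y "$admin_pw_file" -D "$admin_bind_dn" -f users.ldif || exit 1

# Test that the new account can bind
#[root@test-c6 ~]# ldapwhoami -x -D 'uid=ldap1,ou=People,dc=cdh,dc=com' -w ldap1
#dn:uid=ldap1,ou=People,dc=cdh,dc=com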
删除/修改用户
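# Delete an entry: children first, then the parent. The DN is passed as an
# argument. The admin password goes through a 0600 temp file with -y instead
# of -w so it stays out of `ps` output and the shell history; the file is
# removed when this script exits. Override the default via LDAP_ADMIN_PW.
ldap_admin_pw=${LDAP_ADMIN_PW:-123456}
admin_bind_dn='cn=Manager,dc=cdh,dc=com'
admin_pw_file=$(mktemp) || exit 1
trap 'rm -f -- "$admin_pw_file"' EXIT
chmod 600 -- "$admin_pw_file"
# no trailing newline: -y uses the whole file content as the password
printf '%s' "$ldap_admin_pw" > "$admin_pw_file"

# NOTE: the delete and the modify below are independent examples — the modify
# only succeeds while the ldap1 entry still exists.
ldapdelete -x -y "$admin_pw_file" -D "$admin_bind_dn" 'uid=ldap1,ou=People,dc=cdh,dc=com'

# Modify an entry: replace the user's password with a slappasswd hash rather
# than writing the cleartext value into the directory
new_user_pw_hash=$(slappasswd -s test123) || exit 1
cat > people.ldif.modify <<EOF
dn: uid=ldap1,ou=People,dc=cdh,dc=com
changetype: modify
replace: userPassword
userPassword: ${new_user_pw_hash}
EOF
ldapmodify -x -y "$admin_pw_file" -D "$admin_bind_dn" -f people.ldif.modify || exit 1
# Test that the account binds with the new password
#[root@test-c6 ~]# ldapwhoami -x -D 'uid=ldap1,ou=People,dc=cdh,dc=com' -w test123
#dn:uid=ldap1,ou=People,dc=cdh,dc=com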
查看用户
# ldapsearch options used below:
# -x  use simple authentication instead of SASL
# -s  scope of the search: {base|one|sub|children}
# -b  searchbase used as the starting point
# -L  print results in LDAP Data Interchange Format; each extra L trims more output
# -H  URL of the server to connect to, e.g. ldap:///
# The default filter is '(objectclass=*)'.

# Ask the root DSE which naming contexts (suffixes) this server holds
ldapsearch -x -s base -b '' namingContexts

# Full dump of every entry under the suffix
# (usage: ldapsearch options.. [filter attrs...])
ldapsearch -x -b 'dc=cdh,dc=com'
测试用户登录: ldapadmin工具
c, 配置ssl 加密通信
快速生成证书:https://blog.csdn.net/eyeofeagle/article/details/103759058
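# Enable the ldaps:// listener (port 636) in the sysconfig file
sed -i 's@SLAPD_LDAPS=no@SLAPD_LDAPS=yes@' /etc/sysconfig/ldap
# Comment out the template's TLS* lines so only the ones inserted below apply
sed -i 's@^TLS@#TLS@' /etc/openldap/slapd.conf

# Copy the CA cert, server cert and private key to /etc/openldap/ssl/ first.
# slapd runs as the ldap user and must be able to read the key; nobody else
# should, so restrict the key file instead of leaving the copy's default mode.
chown root:ldap /etc/openldap/ssl/httpd.key
chmod 640 /etc/openldap/ssl/httpd.key

# Insert the TLS directives before line 68. Each -e inserts in the order
# given, so the four lines land in this order. The line number assumes the
# stock CentOS 6 slapd.conf.obsolete layout — confirm on other versions.
# TLSVerifyClient never: clients are not asked for a certificate, so only
# the server side is authenticated by TLS.
sed -i -e '68i TLSCACertificateFile /etc/openldap/ssl/cacert.pem ' \
  -e '68i TLSCertificateFile /etc/openldap/ssl/httpd.crt ' \
  -e '68i TLSCertificateKeyFile /etc/openldap/ssl/httpd.key ' \
  -e '68i TLSVerifyClient never ' \
  /etc/openldap/slapd.conf
# Restart slapd, then verify the ldaps connection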
#重启slapd,验证ssl连接
[wang@c6 ~]# ss -nltp |grep sla
LISTEN 0 128 :::636 :::* users:(("slapd",5171,10))
LISTEN 0 128 *:636 *:* users:(("slapd",5171,9))
LISTEN 0 128 :::389 :::* users:(("slapd",5171,8))
LISTEN 0 128 *:389 *:* users:(("slapd",5171,7))
[wang@c6 vagrant]# ldapsearch -x -b dc=cdh,dc=com -LLL -H ldap:///
dn: dc=cdh,dc=com
dn: ou=People,dc=cdh,dc=com
dn: uid=ldap1,ou=People,dc=cdh,dc=com
[vagrant@c6 ~]$ openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3225 bytes and written 397 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
...
Timeout : 300 (sec)
Verify return code: 0 (ok)
2,配置hiveserver2登录验证
a, 修改hiveserver2使用ldap验证
保存后,重启服务以使配置生效
b, 测试beeline: 用户名密码登录
- beeline -u jdbc:hive2://localhost:10000 -n ldap1 -p ldap1