UbuntuHelp:9.10/OpenLDAPServer

From Ubuntu Chinese

Introduction

OpenLDAP setup depends greatly upon the version of Ubuntu you are using. This document focuses on Ubuntu 9.10. Documentation for other versions can be found below.

Acknowledgements

This page is based on a forum thread post by apalacheno.

Overview

LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins: their passwords, user IDs, and various details. If you NFS-export /home from a large, protected machine to the local network, then use LDAP on that machine to decide who may log in, every machine on the local net becomes special: every user effectively has an account on all machines, and all their data is always there. This is not only convenient but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, sometimes called "Single Sign On" or just "SSO". Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, see SingleSignOn, which describes it. LDAP means Lightweight Directory Access Protocol, a simplified version of the X.500 protocol (see the Wikipedia article).

The big picture

All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design its branches. Here's our simple tree:

  • "dc=example,dc=com" (your root)
  • "People" node where your users will be stored
  • "Groups" node where your groups will be stored

The packages will ask you for the 'root' while installing. It can be "mydomain.net" or "fred.local", but make it something clear and concise. LDAP splits the name at the dots: "fred.local" becomes dc=fred,dc=local, where "dc" means "domain component". Then we teach the clients how to use this DIT to allow or deny access.

Installation

Install SLAPD

First, install the ldap server daemon (slapd) on the server.

sudo aptitude install slapd ldap-utils

Create Schema

Now add a few extra schemas (only core.schema is loaded by default):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Minimum Configuration

Set up the initial cn=config database.

vi db.ldif
# DATABASE SETUP

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
 c=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq


# DEFAULTS MODIFICATION
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

The example configuration above contains values that may not reflect your installation:

  • The examples use the password 1234, which hashes to {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW. Use slappasswd to generate an administrative password hash for your installation.
  • The root distinguished name (dn) is dc=home,dc=com.
  • The administrative user is cn=admin,dc=home,dc=com. Be aware: from now on this user has all privileges on your LDAP server!

Create the administrative LDAP configuration by applying the file with the following command:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
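To adapt db.ldif to your own domain rather than the page's dc=home,dc=com and password 1234, the following added example (not part of the wiki page or of OpenLDAP) derives the suffix and admin DN from a domain name as described in the overview, builds an {SSHA} hash in the same form slappasswd emits, and renders the hdb database entry with those values substituted; "fred.local" is the page's own sample domain, and the helper names are mine.

```python
import base64
import hashlib
import os

# Added example: produce the values db.ldif needs for your own domain.

def domain_to_dn(domain):
    """'fred.local' -> 'dc=fred,dc=local' (each DNS label is one domain component)."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + p for p in labels)

def make_ssha(password, salt=None):
    """Same {SSHA} scheme slappasswd uses: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also appends a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a password against an {SSHA} value before pasting it into olcRootPW."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def render_db_ldif(domain, admin_hash):
    """Emit the page's {1}hdb entry with suffix, rootdn and rootpw substituted."""
    suffix = domain_to_dn(domain)
    admin = "cn=admin," + suffix
    return "\n".join([
        "dn: olcDatabase={1}hdb,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcHdbConfig",
        "olcDatabase: {1}hdb",
        "olcDbDirectory: /var/lib/ldap",
        "olcSuffix: " + suffix,
        "olcRootDN: " + admin,
        "olcRootPW: " + admin_hash,
        # Password attributes: admin writes, users may bind and change their own,
        # nobody else reads. Keep this rule first: olcAccess rules apply in order.
        'olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="' + admin
        + '" write by anonymous auth by self write by * none',
        'olcAccess: {1}to dn.base="" by * read',
        'olcAccess: {2}to * by dn="' + admin + '" write by * read',
    ]) + "\n"

if __name__ == "__main__":
    print(render_db_ldif("fred.local", make_ssha("1234")))
    # Reports whether the page's example hash really corresponds to "1234".
    print(verify_ssha("1234", "{SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW"))
```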

Validate configuration:

  • Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W

  • The output shows the current configuration options for the hdb backend database, which in this case contains the suffix configured in db.ldif (dc=home,dc=com).

Minimum Directory Information Tree

Now set up a minimal LDAP DIT (Directory Information Tree). Open another temporary file:

vi base.ldif

Insert the following. Once again the dn has to be changed to reflect your environment.

# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectClass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin

dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

# Organizational units for people and groups

dn: ou=people,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=home,dc=com
objectClass: organizationalUnit
ou: groups

and apply it:

ldapadd -x -D cn=admin,dc=home,dc=com -W -f base.ldif

Validate LDAP DIT:

  • Query your LDAP DIT, this time as an anonymous user (hence no userPassword is shown for cn=admin,dc=home,dc=com):
  ldapsearch -xLLL -b dc=home,dc=com

Administration

Links