UbuntuHelp:9.10/OpenLDAPServer
From Ubuntu Chinese
Introduction
The OpenLDAP setup depends greatly upon the version of Ubuntu you are using. This document focuses on Ubuntu 9.10. Documentation for other versions can be found below.
Acknowledgements
This is based on a forum thread post by apalacheno.
Overview
LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins: their passwords, user IDs, and various details. If you NFS-export /home from a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, all the machines on the local net become special: it is as if every user has an account on all machines, and all their data is always there. This is not only convenient but can also protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, sometimes called "Single Sign On" or just "SSO". Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, see SingleSignOn, which describes it. LDAP stands for Lightweight Directory Access Protocol, a simplified version of the X.500 protocol.
The big picture
All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design its branches. Here's our simple tree:
- "dc=example,dc=com" (your root)
- "People" node where your users will be stored
- "Groups" node where your groups will be stored
The packages will ask you for the 'root' while installing. It can be "mydomain.net" or "fred.local", but make it something clear and concise. LDAP separates the two parts; "fred.local" becomes dc=fred,dc=local. The "dc" means "domain component". Then we teach the clients how to use this DIT to allow or deny access.
Installation
Install SLAPD
First, install the ldap server daemon (slapd) on the server.
sudo aptitude install slapd ldap-utils
Create Schema
Now add a few schema (only core.schema is provided by default):
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Minimum Configuration
Set up the initial cn=config database.
vi db.ldif
# DATABASE SETUP
# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

# DEFAULTS MODIFICATION
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
The example configuration above contains the following values, which may not reflect your installation:
- The password 1234 gives {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW. Use slappasswd to generate the administrative password hash for your installation.
- The root distinguished name (DN) is dc=home,dc=com.
- The administrative user is cn=admin,dc=home,dc=com. Be aware: from now on this user has all privileges on your LDAP server!
Create the administrative LDAP configuration by applying the file with the following command:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
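The olcRootPW value above is a {SSHA} hash, the format slappasswd produces by default: base64 of a SHA-1 digest over the password followed by a 4-byte salt, with the salt appended. The following Python is an added example (not code from the page or from OpenLDAP) that builds and verifies such hashes so you can see what slapd checks during a simple bind; PAGE_HASH is the value from the page's db.ldif, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The olcRootPW value from the page's db.ldif, stated there to be the hash of "1234".
PAGE_HASH = "{SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW"

SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} hash in the layout slappasswd emits:
    base64( SHA1(password || salt) || salt ), with a random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(ssha: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} string into (digest, salt); raise ValueError if it is malformed."""
    if not ssha.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(ssha[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, ssha: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on bind."""
    digest, salt = split_ssha(ssha)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


def page_hash_matches(password: str) -> bool:
    """Convenience check of a password against the hash taken from the page."""
    return verify_ssha(password, PAGE_HASH)


if __name__ == "__main__":
    fresh = make_ssha("1234")
    print("generated:", fresh)
    print("verifies with correct password:", verify_ssha("1234", fresh))
    print("verifies with wrong password:", verify_ssha("12345", fresh))
    print("page hash matches '1234':", page_hash_matches("1234"))
```

Two points worth noticing: the salt is what makes two hashes of the same password differ, so never compare {SSHA} strings directly, always recompute; and SHA-1 with a 4-byte salt is fast to brute-force, so the admin password itself must be strong regardless of the hash format.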
Validate configuration:
- Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
- The output above shows the current configuration options for the hdb backend database, which in this case contains the dc=example,dc=com suffix.
Minimum Directory Information Tree
Now set up a minimal LDAP DIT (Directory Information Tree). Open another temporary file:
vi base.ldif
Insert the following. Once again the dn has to be changed to reflect your environment.
# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectClass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

# LDAP People and Groups
dn: ou=people,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=home,dc=com
objectClass: organizationalUnit
ou: groups
and apply it:
ldapadd -x -D cn=admin,dc=home,dc=com -W -f base.ldif
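The base.ldif above encodes the tree designed in "The big picture": the domain split into dc= components, an admin entry, and the two organizational units. The Python below is an added example (not from the page or from OpenLDAP) that generates that minimal DIT from a domain name, writes it out as LDIF, reads LDIF back with a small parser, and runs two checks a practitioner wants before ldapadd: every entry's parent must appear earlier in the file (ldapadd processes entries in order and fails otherwise), and no userPassword may be stored in cleartext, since base.ldif as shown keeps the admin password as the literal 1234 rather than a slappasswd hash. The parser handles only the simple "attr: value" form used on this page (no base64 values, no line continuations); all function names are this example's own.

```python
from typing import List, Tuple

Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, [(attribute, value), ...])

# A copy of the page's base.ldif, used here as sample input.
BASE_LDIF_AS_ON_PAGE = """\
# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectclass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

dn:ou=people,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn:ou=groups,dc=home,dc=com
objectClass: organizationalUnit
ou: groups
"""


def domain_to_base_dn(domain: str) -> str:
    """'fred.local' -> 'dc=fred,dc=local', the split described in the page."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + p for p in labels)


def build_base_entries(domain: str, admin_password_hash: str) -> List[Entry]:
    """The minimal DIT from the page: root, admin, ou=people, ou=groups, in ldapadd order."""
    base = domain_to_base_dn(domain)
    first_label = base.split(",")[0].split("=", 1)[1]  # 'home' from 'dc=home,dc=com'
    return [
        (base, [("objectClass", "dcObject"), ("objectClass", "organization"),
                ("o", domain), ("dc", first_label), ("description", "Tree root")]),
        ("cn=admin," + base, [("objectClass", "simpleSecurityObject"),
                              ("objectClass", "organizationalRole"), ("cn", "admin"),
                              ("userPassword", admin_password_hash),
                              ("description", "LDAP administrator")]),
        ("ou=people," + base, [("objectClass", "organizationalUnit"), ("ou", "people")]),
        ("ou=groups," + base, [("objectClass", "organizationalUnit"), ("ou", "groups")]),
    ]


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries as LDIF, one blank line between entries."""
    return "\n".join("dn: %s\n" % dn + "".join("%s: %s\n" % av for av in attrs)
                     for dn, attrs in entries)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments, blank-line separated entries, 'attr: value' lines."""
    entries: List[Entry] = []
    dn, attrs = None, []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")  # "dn:ou=people,..." (no space) is valid LDIF
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def check_entries(entries: List[Entry], suffix: str) -> List[str]:
    """Problems that would make ldapadd fail (ordering) or leave a password exposed (cleartext)."""
    problems: List[str] = []
    seen = set()
    for dn, attrs in entries:
        norm = dn.lower()
        if norm != suffix.lower() and parent_dn(norm) not in seen:
            problems.append("%s: parent entry is not added before it" % dn)
        for name, value in attrs:
            if name.lower() == "userpassword" and not value.startswith("{"):
                problems.append("%s: userPassword stored in cleartext; use a slappasswd hash" % dn)
        seen.add(norm)
    return problems


if __name__ == "__main__":
    for problem in check_entries(parse_ldif(BASE_LDIF_AS_ON_PAGE), "dc=home,dc=com"):
        print("page base.ldif:", problem)
    # "{SSHA}..." stands for real slappasswd output here.
    print(to_ldif(build_base_entries("home.com", "{SSHA}...")))
```

Run against the page's own base.ldif the checker reports exactly one problem, the cleartext admin password; the generated variant with a hashed password passes cleanly. Once the userPassword value starts with a scheme such as {SSHA}, slapd stores it as given and checks binds against the hash.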
Validate LDAP DIT:
- Query your LDAP DIT, this time as an anonymous user (hence no password is shown for your cn=admin,dc=home,dc=com entry):
ldapsearch -xLLL -b dc=home,dc=com
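The anonymous search above omits userPassword because of the olcAccess rules in db.ldif: slapd takes the first "to" clause whose target matches, then the first "by" clause within it that matches the requester, and compares the granted level against the level the operation needs (reading an attribute needs "read"; the "auth" that anonymous gets on userPassword only allows a bind). The Python below is an added example (not from the page or from OpenLDAP) that models that first-match evaluation for the page's three rules so you can predict what each kind of requester sees. It is a simplified model: it supports only the who-clauses used on this page plus "users", no regex or subtree targets, no "entry"/"children" pseudo-attributes, and it ignores the rootdn bypass (the olcRootDN is always granted full access by slapd regardless of ACLs). Names such as PAGE_ACLS and allowed are this example's own.

```python
from typing import Dict, List, Optional, Set, Tuple, Union

# slapd privilege levels, lowest to highest; a grant of level X implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Target = Dict[str, Union[Set[str], str]]
Rule = Tuple[Target, List[Tuple[str, str]]]

# The olcAccess directives from the page's db.ldif, transcribed in order.
PAGE_ACLS: List[Rule] = [
    # {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,..." write by anonymous auth by self write by * none
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [("dn:cn=admin,dc=home,dc=com", "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    # {1}to dn.base="" by * read   (the root DSE)
    ({"dn.base": ""}, [("*", "read")]),
    # {2}to * by dn="cn=admin,..." write by * read
    ({}, [("dn:cn=admin,dc=home,dc=com", "write"), ("*", "read")]),
]


def target_matches(target: Target, entry_dn: str, attr: str) -> bool:
    """Does this 'to' clause apply to the given entry/attribute?"""
    if "attrs" in target and attr.lower() not in target["attrs"]:
        return False
    if "dn.base" in target and entry_dn.lower() != str(target["dn.base"]).lower():
        return False
    return True  # an empty target is 'to *'


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """Does this 'by' clause apply to the requester (None means an anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError("unsupported who clause: " + who)


def granted_level(acls: List[Rule], requester: Optional[str], entry_dn: str, attr: str) -> str:
    """First matching 'to' clause wins; within it the first matching 'by' clause wins."""
    for target, by_clauses in acls:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"  # target matched but no 'by' did: slapd's implicit 'by * none'
    return "none"  # no directive matched at all


def allowed(acls: List[Rule], requester: Optional[str], entry_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted_level(acls, requester, entry_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    ADMIN = "cn=admin,dc=home,dc=com"
    BOB = "uid=bob,ou=people,dc=home,dc=com"  # constructed user entry for illustration
    for requester in (None, ADMIN, BOB):
        for attr in ("cn", "userPassword"):
            print("%-25s %-13s -> %s" % (requester or "anonymous", attr,
                                         granted_level(PAGE_ACLS, requester, BOB, attr)))
```

The table the script prints makes the rule set's effect explicit: anonymous and other users read everything except the password attributes, a user may change only their own password, and the admin DN may write anything. Changing the order of the olcAccess directives (for example placing "to *" first) would silently widen what anonymous can read, which is why the password rule carries index {0}.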