OpenLDAPServer

From the Ubuntu Chinese wiki

Original source: Ubuntu official Wiki

Original author:

License: Creative Commons

Translator: FireHare

Proofreader: Young

Applicable versions:

Article status: awaiting proofreading

Introduction

LDAP stands for Lightweight Directory Access Protocol; it is a simplified version of the X500 protocol. See LDAP on Wikipedia for more details.

In short, all information is stored in a tree. You have to decide the layout of the directory yourself (the Directory Information Tree, or DIT). We will begin with a basic tree with two nodes beneath the root:

  • "People" node where your users will be stored
    "People" 节点保存您的用户
  • "Groups" node where your groups will be stored
    "Groups" 节点保存您的用户组

You first have to decide what the root of your LDAP tree will be. By default, your tree is derived from your internet domain. If your domain is example.com (we will use it in the examples that follow), your root will be dc=example,dc=com.

Installation

First of all, install the LDAP server daemon (slapd) on the server: install the packages slapd and ldap-utils (see InstallingSoftware).

Translator's note: if you install it this way, the message "Starting OpenLDAP: (db4.2_recover not found), slapd." appears when slapd starts; if you want to get rid of this message, install the db4.2-util package.

When asked, enter your domain and the password you want for the directory administrator.

Only a few changes need to be made to the default configuration. First, set the root password in the configuration file (rather than in the directory) by editing /etc/ldap/slapd.conf.

Don't use a cleartext password, however. To generate a hashed password, first run slappasswd; it prompts for the password twice:

$ slappasswd
New password:
Re-enter password:
{SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

This example shows the result for the password "secret". (Because the SSHA scheme adds a random salt before hashing, your result will differ.)

Now edit /etc/ldap/slapd.conf and paste the generated string:

# Make sure you edit or add these directives after the first 'database' directive.
suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
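The following Python is an added example, not part of the original page: it shows what the {SSHA} string printed by slappasswd contains (base64 of SHA-1(password + salt) followed by the salt) and how a stored value is checked on a bind without the cleartext ever being kept. The 4-byte salt length is an assumption; the scheme only requires that the salt follow the digest.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the wiki page: build and verify an OpenLDAP-style
# {SSHA} value, the format slappasswd printed above and that rootpw stores.
# Layout: base64( SHA-1(password + salt) || salt ). The salt length is not
# fixed by the format; 4 bytes is assumed here.

DIGEST_LEN = 20  # SHA-1 digests are 20 bytes; whatever follows them is the salt


def make_ssha(password, salt=None):
    """Return an {SSHA} string for the given password (random salt if none given)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """Recover the salt from the stored value, rehash the candidate and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # constant-time comparison, as a bind check should use
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    stored = make_ssha("secret")
    print(stored)                          # differs on every run: the salt is random
    print(verify_ssha(stored, "secret"))   # True
    print(verify_ssha(stored, "Secret"))   # False
```

Feeding the page's own {SSHA} string and the password it was generated from into verify_ssha performs the same check slapd does on a simple bind to the rootdn.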

Populating LDAP

The directory was created at installation; now it is time to populate it. It will be populated with "classical" entries that are compatible with a shared address directory, with classical accounts (for a web application) and with Unix (posix) accounts.

An LDAP directory can be fed with an ldif file (ldif stands for ldap directory interchange format). Create this example text file, init.ldif, somewhere on your system:

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: LP

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
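As an added example (not from the original page), here is a small LDIF checker in Python that catches the two mistakes that most often break an init.ldif before slapadd loads it: an entry listed before its parent, and two entries run together without the blank line that separates them. The sample is a constructed, shortened copy of the page's file; the parser handles only plain "attr: value" lines.

```python
# Added example, not from the wiki page: a small LDIF reader that checks an
# init.ldif like the one above before it goes to slapadd, which loads entries in
# file order: a parent must precede its children, and two entries with no blank
# line between them merge into one. Plain "attr: value" lines only (no base64
# "attr::" values, no folded lines, no escaped commas in DNs).

SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: lionel
cn: Lionel Porcheron
"""  # constructed: a shortened copy of the page's init.ldif

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_ldif(text, suffix="dc=example,dc=com"):
    """Return problems that would make slapadd fail or leave a broken tree."""
    problems, seen = [], set()
    for n, entry in enumerate(parse_ldif(text), 1):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append(f"entry {n}: expected one dn, got {dns} (missing blank line?)")
            continue
        dn = dns[0]
        if "objectClass" not in entry:
            problems.append(f"{dn}: no objectClass")
        parent = dn.partition(",")[2]          # drop the first RDN to get the parent DN
        if dn != suffix and parent not in seen:
            problems.append(f"{dn}: parent {parent!r} not loaded before it")
        seen.add(dn)
    return problems
```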

In the example above, the directory structure, a user and a group have been set up. In other examples you may see objectClass: top added to every entry, but that is the default behaviour, so you don't have to add it explicitly.

Now, add your entries to the LDAP directory:

  • stop the LDAP daemon: sudo /etc/init.d/slapd stop
  • delete the content that was automatically added at installation: sudo rm -rf /var/lib/ldap/*
  • add the content: sudo slapadd -l init.ldif

We can check that the content has been added correctly with the tools from the ldap-utils package. To run a search in the LDAP directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=lionel sn givenName cn
dn: uid=lionel,ou=people,dc=example,dc=com
cn: Lionel Porcheron
sn: Porcheron
givenName: Lionel

A quick explanation:

  • -x selects simple authentication instead of SASL (which ldapsearch uses by default)
  • -LLL prints the results as plain LDIF, without comments or the LDIF version line

Put your LDAP server to use

Now that it is up and running, you can:

  • authenticate your users against the directory, as explained in UbuntuHelp:LDAPClientAuthentication
  • authenticate your users in a web application
  • use it as a shared address directory for your mail agent

The uses of LDAP are endless!

Performance limits the uses.

LDAP replication

An LDAP service often quickly becomes a highly critical service in an information system: everything depends on LDAP, such as authentication, authorization, the mail system, etc. It can be a good idea to set up a redundant system. It is easy to set up; here is a quick howto.

Introduction

With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relationship.

Warning: remember that modifications must ALWAYS be made on the master! If you modify the slave, the modifications will be lost.

LDAP master

On the master, you have to modify the database section of /etc/ldap/slapd.conf to add a replica directive. The following example shows a replica on ldap-2.example.com, binding as the Manager user with secret as the password. The replication log file is where modifications are stored before they are sent to the LDAP slave.

replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret
replogfile      /var/lib/ldap/replog

Restart your LDAP server.

LDAP slave

On the slave, you have to authorize the master to update the LDAP database. Add the following lines to the database section of your /etc/ldap/slapd.conf:

updatedn        cn=Manager,dc=example,dc=com
updateref       ldap://ldap-1.example.com
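The master and slave fragments above must agree with each other: the binddn the master uses must be the slave's updatedn, and the slave's updateref must point back at the master. The following Python is an added example (not from the original page) that cross-checks constructed copies of the two fragments and flags the two settings a reviewer would question, a simple bind over plain ldap:// and the replication password sitting in clear in slapd.conf; "starttls=yes" is assumed to be the replica option that upgrades the connection.

```python
import shlex

# Added example, not from the wiki page: cross-check a master's "replica" line
# against a slave's "updatedn"/"updateref" lines (the pairing described above)
# and report the weak spots: a simple bind over plain ldap://, and credentials
# kept in clear in slapd.conf. The fragments are constructed from the page's values.

MASTER_CONF = """\
replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret
replogfile      /var/lib/ldap/replog
"""
SLAVE_CONF = """\
updatedn        cn=Manager,dc=example,dc=com
updateref       ldap://ldap-1.example.com
"""

def directives(conf):
    """Map directive name -> list of argument lists (slapd.conf uses shell-style quoting)."""
    out = {}
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, *args = shlex.split(line)
            out.setdefault(name, []).append(args)
    return out

def check_replication(master_conf, slave_conf, master_host):
    """Return findings about the master/slave pairing; an empty list means all checks passed."""
    findings = []
    master, slave = directives(master_conf), directives(slave_conf)
    updatedns = [args[0] for args in slave.get("updatedn", []) if args]
    for args in master.get("replica", []):
        p = dict(a.split("=", 1) for a in args if "=" in a)   # key=value tokens
        if p.get("binddn") not in updatedns:
            findings.append(f"binddn {p.get('binddn')!r} is not an updatedn on the slave")
        if (p.get("bindmethod") == "simple" and p.get("uri", "").startswith("ldap://")
                and p.get("starttls") not in ("yes", "critical")):
            findings.append("simple bind over plain ldap://: the password crosses the network in clear")
        if "credentials" in p:
            findings.append("credentials are in clear in slapd.conf: restrict read access to the file")
    if "replogfile" not in master:
        findings.append("master has no replogfile, so there is nothing to ship to the slave")
    refs = [args[0] for args in slave.get("updateref", []) if args]
    if not any(master_host in ref for ref in refs):
        findings.append(f"slave updateref {refs} does not point at master {master_host!r}")
    return findings

if __name__ == "__main__":
    for finding in check_replication(MASTER_CONF, SLAVE_CONF, "ldap-1.example.com"):
        print("-", finding)
```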

Restart your LDAP server.

Links