OpenIndiana LDAP server 安裝記錄

首先先確定你的server 是否能夠上網. DNS 是否正確. 通常剛裝的server 其DNS 並不會被設定. DNS的設定方法如下

mv /etc/nsswitch.con /etc/nsswitch.conf.bak
cp /etc/nsswitch.dns /etc/nsswitch.conf
echo "nameserver 168.95.1.1" > /etc/resolv.conf

設定此server之domainname

server# domainname haostudio.net
server# domainname > /etc/defaultdomain

查看是否openldap的package 可以安裝

server# pkg search openldap
INDEX           ACTION VALUE                               PACKAGE
description     set    OpenLDAP Software                   pkg:/library/openldap@2.4.21-0.151.1.2
pkg.description set    OpenLDAP 2.4.21                     pkg:/library/openldap@2.4.21-0.151.1.2
pkg.summary     set    OpenLDAP Software                   pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    etc/openldap                        pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/include/openldap                pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/lib/openldap                    pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/share/doc/openldap              pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    var/openldap                        pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/sfw/lib/webmin/caldera/openldap pkg:/system/management/webmin@1.510-0.151.1.2
basename        file   etc/security/exec_attr.d/openldap   pkg:/library/openldap@2.4.21-0.151.1.2
basename        file   etc/security/prof_attr.d/openldap   pkg:/library/openldap@2.4.21-0.151.1.2
name            group  openldap                            pkg:/library/openldap@2.4.21-0.151.1.2
pkg.fmri        set    openindiana.org/library/openldap    pkg:/library/openldap@2.4.21-0.151.1.2
name            user   openldap                            pkg:/library/openldap@2.4.21-0.151.1.2

安裝OpenLDAP

server# pkg install openldap
            Packages to install:     3
            Create boot environment: No
            Services to restart:     1
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  3/3     233/233      6.3/6.3

PHASE                                        ACTIONS
Install Phase                                586/586 

PHASE                                          ITEMS
Package State Update Phase                       3/3 
Image State Update Phase                         2/2 

為了讓samba 可以使用LDAP server, 所以需要建立samba.schema, 並且將其拷貝到/etc/openldap/schema目錄中.
至於samba.schema來自何處?? 找一台linux電腦, 安裝samba後, 到/usr/share/doc/samba-x.xx.xx 目錄去挖吧.

server# cp samba.schema /etc/openldap/schema

修改 /etc/openldap/sldap.conf如下

# slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    %MODULEDIR%
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=haostudio,dc=net"
rootdn          "cn=Manager,dc=haostudio,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
rootpw          {SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap
# Indices to maintain
index   objectClass     eq
#
# Added by <>
#
index     cn,uid        eq
index     uidNumber     eq
index     gidNumber     eq
#######################################################################
# Legal user can access the database, but can't access other's passowrd
#######################################################################
 access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=haostudio,dc=net" write
        by * none
#######################################################################
# For nss_ldap, must enable read for anonymous, but set the limitation for IP address
#######################################################################
 access to *
        by self write
        by users read
        by anonymous peername.IP=127.0.0.1 read
        by anonymous peername.IP=192.168.0.0%255.255.0.0 read
        by dn.base="cn=Manager,dc=haostudio,dc=net" write
        by * none

password-hash   {SSHA}

其中rootpw 為管理者密碼, 請使用slappasswd來產生

server# slappasswd
New password: 
Re-enter new password: 
{SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03

拷貝DB_CONFIG.example 到/var/openldap目錄中

server# cp /etc/openldap/DB_CONFIG.example /var/openldap/DB_CONFIG

修改 /etc/openldap/ldap.conf如下

dap.conf

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE    dc=haostudio,dc=net
URI     ldap://192.168.7.5

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

匯入ldif檔

server# slapadd -f /etc/openldap/slapd.conf -l xxx.ldif

!!!注意事項!!!! 做完上述步驟後, 記得到/var/openldap目錄下, 將所有檔案的owner及group改為openldap.
不然的話, 其他的軟體適無法透過ldapadd來修改欄位的(切身之痛).

server# cd /var/openldap
server# chown openldap *
server# chgrp openldap *    

啟動LDAP server, 大功告成

server# svcadm ldap/server

OpenIndian LDAP client 安裝方式.

首先如同serveer的安裝方式一樣, 先安裝openldap的package.

server# pkg install openldap

然後執行下列命令, 視情況修改下列部分參數.

server# ldapclient -v manual \
-a credentialLevel=anonymous \
-a enableShadowUpdate=false \
-a defaultSearchBase=ou=NIS,dc=haostudio,dc=net \
-a defaultServerList=192.168.9.9:389 \
-a serviceSearchDescriptor=passwd:ou=People,ou=NIS,dc=haostudio,dc=net \
-a serviceSearchDescriptor=group:ou=Group,ou=NIS,dc=haostudio,dc=net 

然後修改/etc/nsswitch.conf, 將下列欄位的值修改如下

passwd:     files ldap
group:      files ldap
netgroup:   files ldap

最後啟動ldap client, 搞定.

server# svcadm enable network/ldap/client

參考資料:

1. OpenSolaris LDAP Client to Linux OpenLDAP Server
2. OpenLDAP-匯出及匯入 LDIF 檔
3. 甚麼是 Linux-PAM？
4. LDAP Authentication